Analysis
max time kernel: 156s
max time network: 176s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:07
Static task: static1
Behavioral task: behavioral1
  Sample: 1881e0b6c9a12bc1332cbbc2f8a2c9d06fa40979041d3a3332dc9c094f674a2e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1881e0b6c9a12bc1332cbbc2f8a2c9d06fa40979041d3a3332dc9c094f674a2e.exe
  Resource: win10v2004-en-20220113
General
Target: 1881e0b6c9a12bc1332cbbc2f8a2c9d06fa40979041d3a3332dc9c094f674a2e.exe
Size: 89KB
MD5: aacbb0e1a98179693cc5d461f5d6f834
SHA1: fec7446c577900f5f6fcf322e4538b553d515f0f
SHA256: 1881e0b6c9a12bc1332cbbc2f8a2c9d06fa40979041d3a3332dc9c094f674a2e
SHA512: 6348cfc854206276aeb1066134935d854a7b462d671cf4534b8cf766b2ed3c28a876080b08f36becfaa3d7dc10fda5eb931f182ded7e5e92e1c99b969b3581bf
Malware Config
Signatures
Sakula Payload (2 IoCs)
  resource                                                       yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe     family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
  pid    process
  1796   MediaCenter.exe
Deletes itself (1 IoC)
  pid    process
  1260   cmd.exe
Loads dropped DLL (1 IoC)
  pid    process
  1184   1881e0b6c9a12bc1332cbbc2f8a2c9d06fa40979041d3a3332dc9c094f674a2e.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 1881e0b6c9a12bc1332cbbc2f8a2c9d06fa40979041d3a3332dc9c094f674a2e.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                         pid    process
  Token: SeIncBasePriorityPrivilege   1184   1881e0b6c9a12bc1332cbbc2f8a2c9d06fa40979041d3a3332dc9c094f674a2e.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                         pid    process                                                                  target process
  PID 1184 wrote to memory of 1796    1184   1881e0b6c9a12bc1332cbbc2f8a2c9d06fa40979041d3a3332dc9c094f674a2e.exe   MediaCenter.exe
  PID 1184 wrote to memory of 1796    1184   1881e0b6c9a12bc1332cbbc2f8a2c9d06fa40979041d3a3332dc9c094f674a2e.exe   MediaCenter.exe
  PID 1184 wrote to memory of 1796    1184   1881e0b6c9a12bc1332cbbc2f8a2c9d06fa40979041d3a3332dc9c094f674a2e.exe   MediaCenter.exe
  PID 1184 wrote to memory of 1796    1184   1881e0b6c9a12bc1332cbbc2f8a2c9d06fa40979041d3a3332dc9c094f674a2e.exe   MediaCenter.exe
  PID 1184 wrote to memory of 1260    1184   1881e0b6c9a12bc1332cbbc2f8a2c9d06fa40979041d3a3332dc9c094f674a2e.exe   cmd.exe
  PID 1184 wrote to memory of 1260    1184   1881e0b6c9a12bc1332cbbc2f8a2c9d06fa40979041d3a3332dc9c094f674a2e.exe   cmd.exe
  PID 1184 wrote to memory of 1260    1184   1881e0b6c9a12bc1332cbbc2f8a2c9d06fa40979041d3a3332dc9c094f674a2e.exe   cmd.exe
  PID 1184 wrote to memory of 1260    1184   1881e0b6c9a12bc1332cbbc2f8a2c9d06fa40979041d3a3332dc9c094f674a2e.exe   cmd.exe
  PID 1260 wrote to memory of 392     1260   cmd.exe                                                                  PING.EXE
  PID 1260 wrote to memory of 392     1260   cmd.exe                                                                  PING.EXE
  PID 1260 wrote to memory of 392     1260   cmd.exe                                                                  PING.EXE
  PID 1260 wrote to memory of 392     1260   cmd.exe                                                                  PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\1881e0b6c9a12bc1332cbbc2f8a2c9d06fa40979041d3a3332dc9c094f674a2e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1881e0b6c9a12bc1332cbbc2f8a2c9d06fa40979041d3a3332dc9c094f674a2e.exe"
  PID: 1184
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1796
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1881e0b6c9a12bc1332cbbc2f8a2c9d06fa40979041d3a3332dc9c094f674a2e.exe"
    PID: 1260
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      PID: 392
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 72c47e0486e3043a0e9da1e1a39e8397
SHA1: 70a62ad25a7960ef460563a375f4fa90c89d23ac
SHA256: b5f438f70c19535791e6abca008cb0d4a21cb92038eee224d883ea2bc03f9656
SHA512: 522adc8ee6c7c968d4929b3a4fa7b7ec47f7bdcc2630a00cedae8a860c2f68290762ec82fefd59746539f09aaa975f2c02a674d0458771bd4a8da5ea922ea0fa