Analysis
max time kernel: 143s
max time network: 153s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:09
Static task: static1
Behavioral task: behavioral1
  Sample: 18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe
  Resource: win10v2004-en-20220112
General
Target: 18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe
Size: 150KB
MD5: 05d607627a4e3fc8319cca5f701f7845
SHA1: e2045bce86efb57eb6c7918d15765ef5d653b671
SHA256: 18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c
SHA512: cc392aadbc88217c8af15449bfc1803cf58ec6e2ee9b5b6c22a38ad88a64c5af3a7fcfecbea410c31a243ec2dd9a91cb7a7f476747bc2d0216222e600b1a09d3
Malware Config
Signatures
- Sakula Payload 2 IoCs
  Processes (resource: yara_rule):
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE 1 IoCs
  Processes: MediaCenter.exe
  - pid 1864: MediaCenter.exe
- Deletes itself 1 IoCs
  Processes: cmd.exe
  - pid 2012: cmd.exe
- Loads dropped DLL 1 IoCs
  Processes: 18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe
  - pid 952: 18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes: 18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (process: 18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe)
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (This is the signature's generic description. Nothing else in this report, which records a Sakula/Mivast RAT beacon, Run-key persistence and self-deletion, supports a ransomware reading.)
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes: 18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe
  - Token: SeIncBasePriorityPrivilege, pid 952, 18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes: 18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe, cmd.exe
  - PID 952 (18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe) wrote to memory of 1864 (MediaCenter.exe), 4 events
  - PID 952 (18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe) wrote to memory of 2012 (cmd.exe), 4 events
  - PID 2012 (cmd.exe) wrote to memory of 1140 (PING.EXE), 4 events
  Each of these is a parent writing into a child it has just spawned, which CreateProcess does as a matter of course; on its own this is not evidence of code injection.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe"
  PID: 952
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1864
    - Executes dropped EXE
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe"
    PID: 2012
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1140
      - Runs ping.exe
The image paths are under SysWOW64 although the command line names System32: the sample is a 32-bit process on an x64 guest, so file-system redirection applies, and the same WOW64 redirection is why its Run value lands under Wow6432Node.
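Two behaviours in this tree are cheap to hunt for in endpoint telemetry: a Run value that points into a user-writable directory, and the `cmd.exe /c ping 127.0.0.1 & del /q "<own image>"` chain a dropper uses to erase itself after its payload is running. The Python below is an added example, not part of the sandbox report or of the sample; it runs both checks over constructed events modelled on this report's process tree and registry IoC, with two benign controls to show what does not fire. The event field names (`type`, `pid`, `ppid`, `image`, `cmdline`, `key`, `value`) are an assumption of the example; map them from your own source, for instance Sysmon event ID 1 (process create) and 13 (registry value set).

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry modelled on this report's process tree and registry
# IoC. The field names are an assumption of this example, not a product schema.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\18749ccf8ecf553f6ec19a134ee0cd08a37acc1d9fcce965039b2c474be2d18c.exe")
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"

EVENTS = [
    {"type": "process", "pid": 952, "ppid": 400, "image": DROPPER, "cmdline": '"' + DROPPER + '"'},
    {"type": "registry", "pid": 952,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": PAYLOAD},
    {"type": "process", "pid": 1864, "ppid": 952, "image": PAYLOAD, "cmdline": PAYLOAD},
    {"type": "process", "pid": 2012, "ppid": 952, "image": CMD32,
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + DROPPER + '"'},
    {"type": "process", "pid": 1140, "ppid": 2012, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Benign controls (constructed): a lone ping, and a Run value under Program Files.
    {"type": "process", "pid": 3000, "ppid": 400, "image": CMD32,
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1'},
    {"type": "registry", "pid": 3001,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

# "ping <loopback> & del <path>": ping stalls roughly a second per probe, so by the
# time del runs the parent has exited and its image is no longer locked.
SELF_DELETE_RE = re.compile(
    r"\bping\b(?:\s+-n\s+\d+)?\s+(?:127\.0\.0\.1|localhost)\b.*?"
    r"[&|]+\s*del\b(?:\s+/[a-z])*\s+\"?(?P<target>[^\"&|]+?)\"?\s*$",
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Directories a standard user can write to; an autostart pointing here deserves a look.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")


def _norm(path: str) -> str:
    """Strip surrounding quotes and lower-case a Windows path for comparison."""
    return str(PureWindowsPath(path.strip().strip('"'))).lower()


def _exe_from_run_value(value: str) -> str:
    """Pull the executable out of a Run value, which may be quoted or carry switches."""
    v = value.strip()
    if v.startswith('"'):
        return _norm(v[1:v.find('"', 1)])
    # Unquoted: the path ends at the first " /" or " -" switch, else it is the whole value.
    return _norm(re.split(r"\s+[/-]", v, maxsplit=1)[0])


def detect_self_delete(events):
    """Return (cmd_pid, parent_pid, path) for cmd.exe 'ping & del' chains whose del
    target is the parent's own image, i.e. the parent is erasing itself."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] != "process" or PureWindowsPath(e["image"]).name.lower() != "cmd.exe":
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if m and parent and _norm(m.group("target")) == _norm(parent["image"]):
            hits.append((e["pid"], e["ppid"], _norm(parent["image"])))
    return hits


def detect_run_key_in_user_dirs(events):
    """Return (pid, value_name, exe) for Run/RunOnce values whose executable lives
    in a user-writable directory such as %LOCALAPPDATA%\\Temp."""
    hits = []
    for e in events:
        if e["type"] != "registry" or not RUN_KEY_RE.search(e["key"]):
            continue
        exe = _exe_from_run_value(e["value"])
        if any(marker in exe for marker in USER_WRITABLE):
            hits.append((e["pid"], e["key"].rsplit("\\", 1)[-1], exe))
    return hits


def triage(events):
    """Run both checks and collect the PIDs implicated by either one."""
    self_delete = detect_self_delete(events)
    run_keys = detect_run_key_in_user_dirs(events)
    suspects = {ppid for _, ppid, _ in self_delete} | {pid for pid, _, _ in run_keys}
    return {"self_delete": self_delete, "run_key": run_keys, "suspect_pids": sorted(suspects)}


if __name__ == "__main__":
    for name, findings in triage(EVENTS).items():
        print(name, findings)
```

Both checks converge on PID 952, the dropper: it writes the Run value and is the process whose image the `del` removes. Matching the `del` target against the parent's image rather than alerting on every `ping & del` keeps installers and update scripts, which use the same idiom on files they own, out of the result.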
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: c888a2b5014d34fe2f11b0028034e66c
SHA1: 47736c4944ca0f51f90b16b2b7a957ecd6b1c8b3
SHA256: f4a3da42d2d6b06ddf83424e1353dfdf251e4d38ee67975331f8c1818ba36061
SHA512: d41c461ae92e06c8c9b499ef4e65b1fa2acf26460ae5b51f45ace5fa69a0f0c6e71b6d330c534ae448c81ebc65fb3e963d45f7874cb20df703e41a9014b112cc