Analysis
max time kernel: 142s
max time network: 157s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:20
Static task: static1
Behavioral task: behavioral1
  Sample: 17e11cdb703cf6762477379cac01d886957c8a9e38c922fc1acae71e7565309e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 17e11cdb703cf6762477379cac01d886957c8a9e38c922fc1acae71e7565309e.exe
  Resource: win10v2004-en-20220113
General
Target: 17e11cdb703cf6762477379cac01d886957c8a9e38c922fc1acae71e7565309e.exe
Size: 216KB
MD5: dbb415fd23d323906c5bc2c3e5c33f3f
SHA1: 5fa56df3cad9fc28d214814697f82461560558e6
SHA256: 17e11cdb703cf6762477379cac01d886957c8a9e38c922fc1acae71e7565309e
SHA512: b71a74c76225f98352354133b4ee7d60c4f662ed30130154fed152a1bf618727fbf1914418cf3c3aa48e25e068bb5bdd1713427e1d2c92f85c6b0f064d0cc8bd
Malware Config
Signatures
Sakula Payload (4 IoCs)
  resource                                                                          yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                        family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                      family_sakula
  behavioral1/memory/1508-58-0x0000000000400000-0x0000000000420000-memory.dmp       family_sakula
  behavioral1/memory/1520-59-0x0000000000400000-0x0000000000420000-memory.dmp       family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
  pid 1520  MediaCenter.exe
Deletes itself (1 IoC)
  pid 1536  cmd.exe
Loads dropped DLL (1 IoC)
  pid 1508  17e11cdb703cf6762477379cac01d886957c8a9e38c922fc1acae71e7565309e.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 17e11cdb703cf6762477379cac01d886957c8a9e38c922fc1acae71e7565309e.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege  pid 1508  17e11cdb703cf6762477379cac01d886957c8a9e38c922fc1acae71e7565309e.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1508 wrote to memory of 1520  17e11cdb703cf6762477379cac01d886957c8a9e38c922fc1acae71e7565309e.exe -> MediaCenter.exe  (4 events)
  PID 1508 wrote to memory of 1536  17e11cdb703cf6762477379cac01d886957c8a9e38c922fc1acae71e7565309e.exe -> cmd.exe  (4 events)
  PID 1536 wrote to memory of 428   cmd.exe -> PING.EXE  (4 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\17e11cdb703cf6762477379cac01d886957c8a9e38c922fc1acae71e7565309e.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\17e11cdb703cf6762477379cac01d886957c8a9e38c922fc1acae71e7565309e.exe"
   PID: 1508
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1520
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17e11cdb703cf6762477379cac01d886957c8a9e38c922fc1acae71e7565309e.exe"
      PID: 1536
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         command line: ping 127.0.0.1
         PID: 428
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 133565e8a257d85c48d6a91cc6214927
SHA1: fbc8ef2faa5e704809915bb3ea4ad0e2ac460792
SHA256: 44e64f9ce319b637171732c498dc4120940d24d3e8584a9e7d3283ad61b631cc
SHA512: 4b4374fd9f6c19a89a51b3bfabe4a94e47595cd053a663f0f04a39692ecde002ddbd3f4f9786f884972a675a28c07441accb0c6703f033f04a81c62f13b6aad3