Analysis
- max time kernel: 138s
- max time network: 144s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:26
Static task: static1
Behavioral task: behavioral1
- Sample: 17a572c8caf38cca3853c9d54ca288d6ce9489d2d6280df72425940aeffc513e.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 17a572c8caf38cca3853c9d54ca288d6ce9489d2d6280df72425940aeffc513e.exe
- Resource: win10v2004-en-20220113
General
- Target: 17a572c8caf38cca3853c9d54ca288d6ce9489d2d6280df72425940aeffc513e.exe
- Size: 92KB
- MD5: 7af0d7ab6ccd1a7f2afada96f07238eb
- SHA1: b9586e491f3e83d4c449d8398c3503bab571ec1a
- SHA256: 17a572c8caf38cca3853c9d54ca288d6ce9489d2d6280df72425940aeffc513e
- SHA512: 2a6dcc3992626ef43b0bcd4dee59f66a906790ce1a19f194961cb36227bb2391f66d03b6ff07a42c65d526e74a2dfb09ff2a352df12f7664d6fce5c78b3ae534
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes:
  pid   process
  1600  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid   process
  392   cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid   process
  1204  17a572c8caf38cca3853c9d54ca288d6ce9489d2d6280df72425940aeffc513e.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description      ioc                                                                                                                                                        process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  17a572c8caf38cca3853c9d54ca288d6ce9489d2d6280df72425940aeffc513e.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  1204  17a572c8caf38cca3853c9d54ca288d6ce9489d2d6280df72425940aeffc513e.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                       pid   process                                                                  target process
  PID 1204 wrote to memory of 1600  1204  17a572c8caf38cca3853c9d54ca288d6ce9489d2d6280df72425940aeffc513e.exe    MediaCenter.exe
  PID 1204 wrote to memory of 1600  1204  17a572c8caf38cca3853c9d54ca288d6ce9489d2d6280df72425940aeffc513e.exe    MediaCenter.exe
  PID 1204 wrote to memory of 1600  1204  17a572c8caf38cca3853c9d54ca288d6ce9489d2d6280df72425940aeffc513e.exe    MediaCenter.exe
  PID 1204 wrote to memory of 1600  1204  17a572c8caf38cca3853c9d54ca288d6ce9489d2d6280df72425940aeffc513e.exe    MediaCenter.exe
  PID 1204 wrote to memory of 392   1204  17a572c8caf38cca3853c9d54ca288d6ce9489d2d6280df72425940aeffc513e.exe    cmd.exe
  PID 1204 wrote to memory of 392   1204  17a572c8caf38cca3853c9d54ca288d6ce9489d2d6280df72425940aeffc513e.exe    cmd.exe
  PID 1204 wrote to memory of 392   1204  17a572c8caf38cca3853c9d54ca288d6ce9489d2d6280df72425940aeffc513e.exe    cmd.exe
  PID 1204 wrote to memory of 392   1204  17a572c8caf38cca3853c9d54ca288d6ce9489d2d6280df72425940aeffc513e.exe    cmd.exe
  PID 392 wrote to memory of 784    392   cmd.exe                                                                  PING.EXE
  PID 392 wrote to memory of 784    392   cmd.exe                                                                  PING.EXE
  PID 392 wrote to memory of 784    392   cmd.exe                                                                  PING.EXE
  PID 392 wrote to memory of 784    392   cmd.exe                                                                  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\17a572c8caf38cca3853c9d54ca288d6ce9489d2d6280df72425940aeffc513e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17a572c8caf38cca3853c9d54ca288d6ce9489d2d6280df72425940aeffc513e.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1204
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1600
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17a572c8caf38cca3853c9d54ca288d6ce9489d2d6280df72425940aeffc513e.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 392
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 784
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 2be7d85a29ad6178f428cbcc85a8dd1c
  SHA1: a03c48b2ed502b184e180b56e187728d393c1d53
  SHA256: 6dc8cddb27bcd308a1f21d040d1f86811f5c53dfb1ad0b89bc081d4ee279d72d
  SHA512: ed2f1c08616a50bcfcfba57dadba76a0389b12be3b4245a57a881373b515b63fb66755fcad13d17d654fbd0bf428c032c96d499fe745dc4e8c4b9db9b2cc51ec