Analysis
- max time kernel: 127s
- max time network: 135s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:26
Static task: static1
Behavioral task: behavioral1
- Sample: 179beb597103c85349cacf564c07c6842c505ddfee975418036e010309e3e0dc.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 179beb597103c85349cacf564c07c6842c505ddfee975418036e010309e3e0dc.exe
- Resource: win10v2004-en-20220112
General
- Target: 179beb597103c85349cacf564c07c6842c505ddfee975418036e010309e3e0dc.exe
- Size: 216KB
- MD5: af0a4ee2434f9d0d849ddc9efb2b582b
- SHA1: 2e221e723df16221e690161c7c029216df426545
- SHA256: 179beb597103c85349cacf564c07c6842c505ddfee975418036e010309e3e0dc
- SHA512: c73c9700ad3f88554da23873c6cd339d334b26eef30d29913b360a7bbd0850b45dc784fe4e9246501a5f29955f5709d3b77b643e4b79a58620d4859e58b41573
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1412-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1756-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1756 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  684 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  1412 | 179beb597103c85349cacf564c07c6842c505ddfee975418036e010309e3e0dc.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 179beb597103c85349cacf564c07c6842c505ddfee975418036e010309e3e0dc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1412 | 179beb597103c85349cacf564c07c6842c505ddfee975418036e010309e3e0dc.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1412 wrote to memory of 1756 | 1412 | 179beb597103c85349cacf564c07c6842c505ddfee975418036e010309e3e0dc.exe | MediaCenter.exe
  PID 1412 wrote to memory of 1756 | 1412 | 179beb597103c85349cacf564c07c6842c505ddfee975418036e010309e3e0dc.exe | MediaCenter.exe
  PID 1412 wrote to memory of 1756 | 1412 | 179beb597103c85349cacf564c07c6842c505ddfee975418036e010309e3e0dc.exe | MediaCenter.exe
  PID 1412 wrote to memory of 1756 | 1412 | 179beb597103c85349cacf564c07c6842c505ddfee975418036e010309e3e0dc.exe | MediaCenter.exe
  PID 1412 wrote to memory of 684 | 1412 | 179beb597103c85349cacf564c07c6842c505ddfee975418036e010309e3e0dc.exe | cmd.exe
  PID 1412 wrote to memory of 684 | 1412 | 179beb597103c85349cacf564c07c6842c505ddfee975418036e010309e3e0dc.exe | cmd.exe
  PID 1412 wrote to memory of 684 | 1412 | 179beb597103c85349cacf564c07c6842c505ddfee975418036e010309e3e0dc.exe | cmd.exe
  PID 1412 wrote to memory of 684 | 1412 | 179beb597103c85349cacf564c07c6842c505ddfee975418036e010309e3e0dc.exe | cmd.exe
  PID 684 wrote to memory of 1800 | 684 | cmd.exe | PING.EXE
  PID 684 wrote to memory of 1800 | 684 | cmd.exe | PING.EXE
  PID 684 wrote to memory of 1800 | 684 | cmd.exe | PING.EXE
  PID 684 wrote to memory of 1800 | 684 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\179beb597103c85349cacf564c07c6842c505ddfee975418036e010309e3e0dc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\179beb597103c85349cacf564c07c6842c505ddfee975418036e010309e3e0dc.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1412
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1756
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\179beb597103c85349cacf564c07c6842c505ddfee975418036e010309e3e0dc.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 684
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1800
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 1795a1b0fa5f71e88d916babfbd9fdde
  SHA1: aca1836d46f220a8526891a0badaf7d2bfbe13cc
  SHA256: 1aff140612936f022323c81667814c583e1060ef167ec88229f91827c8a6c814
  SHA512: 171446019ea62a682e3074909b695a36ed2c8119b7e6ed4925aadfe2a9367d41fc13352906aebfcd978f31a3ec70df2478fd25089c278af300d44fcb57c887bd