Analysis
- max time kernel: 144s
- max time network: 161s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:25
Static task: static1
Behavioral task: behavioral1
  Sample: 1558d5cb36ce5a1e9e80a107fbc07e9cec42d16174e7f7ab36c801aa85871f77.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1558d5cb36ce5a1e9e80a107fbc07e9cec42d16174e7f7ab36c801aa85871f77.exe
  Resource: win10v2004-en-20220113
General
- Target: 1558d5cb36ce5a1e9e80a107fbc07e9cec42d16174e7f7ab36c801aa85871f77.exe
- Size: 216KB
- MD5: 66e52db9dbc3b6f0716470a19527c060
- SHA1: 2f604b37908d235d920e730b47c6ccc9876d4826
- SHA256: 1558d5cb36ce5a1e9e80a107fbc07e9cec42d16174e7f7ab36c801aa85871f77
- SHA512: bd8699e30b676e3ba74e757b16b835b6cdb0ebca44d271797b4d3ec32d3f420e69d923d49e8a160482649f1055a963f606342a8b95adfa5aa60be53ec5ee0a51
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/624-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1540-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1540 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  1980 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  624 | 1558d5cb36ce5a1e9e80a107fbc07e9cec42d16174e7f7ab36c801aa85871f77.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1558d5cb36ce5a1e9e80a107fbc07e9cec42d16174e7f7ab36c801aa85871f77.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 624 | 1558d5cb36ce5a1e9e80a107fbc07e9cec42d16174e7f7ab36c801aa85871f77.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 624 wrote to memory of 1540 | 624 | 1558d5cb36ce5a1e9e80a107fbc07e9cec42d16174e7f7ab36c801aa85871f77.exe | MediaCenter.exe
  PID 624 wrote to memory of 1540 | 624 | 1558d5cb36ce5a1e9e80a107fbc07e9cec42d16174e7f7ab36c801aa85871f77.exe | MediaCenter.exe
  PID 624 wrote to memory of 1540 | 624 | 1558d5cb36ce5a1e9e80a107fbc07e9cec42d16174e7f7ab36c801aa85871f77.exe | MediaCenter.exe
  PID 624 wrote to memory of 1540 | 624 | 1558d5cb36ce5a1e9e80a107fbc07e9cec42d16174e7f7ab36c801aa85871f77.exe | MediaCenter.exe
  PID 624 wrote to memory of 1980 | 624 | 1558d5cb36ce5a1e9e80a107fbc07e9cec42d16174e7f7ab36c801aa85871f77.exe | cmd.exe
  PID 624 wrote to memory of 1980 | 624 | 1558d5cb36ce5a1e9e80a107fbc07e9cec42d16174e7f7ab36c801aa85871f77.exe | cmd.exe
  PID 624 wrote to memory of 1980 | 624 | 1558d5cb36ce5a1e9e80a107fbc07e9cec42d16174e7f7ab36c801aa85871f77.exe | cmd.exe
  PID 624 wrote to memory of 1980 | 624 | 1558d5cb36ce5a1e9e80a107fbc07e9cec42d16174e7f7ab36c801aa85871f77.exe | cmd.exe
  PID 1980 wrote to memory of 2036 | 1980 | cmd.exe | PING.EXE
  PID 1980 wrote to memory of 2036 | 1980 | cmd.exe | PING.EXE
  PID 1980 wrote to memory of 2036 | 1980 | cmd.exe | PING.EXE
  PID 1980 wrote to memory of 2036 | 1980 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1558d5cb36ce5a1e9e80a107fbc07e9cec42d16174e7f7ab36c801aa85871f77.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1558d5cb36ce5a1e9e80a107fbc07e9cec42d16174e7f7ab36c801aa85871f77.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 624
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (child of PID 624)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1540
  - C:\Windows\SysWOW64\cmd.exe (child of PID 624)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1558d5cb36ce5a1e9e80a107fbc07e9cec42d16174e7f7ab36c801aa85871f77.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1980
    - C:\Windows\SysWOW64\PING.EXE (child of PID 1980)
      command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2036
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: cd5159fe77395d36421db6159b0e24ee
  SHA1: c0a8d1f734619d87bcb44853a63a7bcf125414a8
  SHA256: f4dea15e47e1fe6a140496b3d4db5bf9dbfb0dabe8ba5c277831c802773bde11
  SHA512: 86ece12192c38a9bc43890e76b68e94f6dd73e1060c8797b3e287744b84d2ca449e241e4e08fb9ece183e7133557f4c57bb79af953b6d1776480fe6754954d8e