Analysis
- max time kernel: 134s
- max time network: 142s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:23
Static task: static1
Behavioral task: behavioral1
- Sample: 15609cfa17186f68a3ce473773b17fe3ed3566cc0dc13d46e4f7462f4a96ff4c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 15609cfa17186f68a3ce473773b17fe3ed3566cc0dc13d46e4f7462f4a96ff4c.exe
- Resource: win10v2004-en-20220112
General
- Target: 15609cfa17186f68a3ce473773b17fe3ed3566cc0dc13d46e4f7462f4a96ff4c.exe
- Size: 150KB
- MD5: a706745f4a4c31203ef98a8aee70baca
- SHA1: 3658bc73deb9a265fcb987d30fc4ce9b6a380922
- SHA256: 15609cfa17186f68a3ce473773b17fe3ed3566cc0dc13d46e4f7462f4a96ff4c
- SHA512: 120a1f2776e79453f897b07492b3271fbbd3c66e7ad7097e0bdfe8e35eb637ebfb85a38e96b394b01917a72ffa50ab18222ce843a31b2da1ccb3df378e6faf76
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoCs)
  Processes:
    pid  | process
    1608 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid | process
    916 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    pid  | process
    1740 | 15609cfa17186f68a3ce473773b17fe3ed3566cc0dc13d46e4f7462f4a96ff4c.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description     | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 15609cfa17186f68a3ce473773b17fe3ed3566cc0dc13d46e4f7462f4a96ff4c.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description                       | pid  | process
    Token: SeIncBasePriorityPrivilege | 1740 | 15609cfa17186f68a3ce473773b17fe3ed3566cc0dc13d46e4f7462f4a96ff4c.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                      | pid  | process                                                               | target process
    PID 1740 wrote to memory of 1608 | 1740 | 15609cfa17186f68a3ce473773b17fe3ed3566cc0dc13d46e4f7462f4a96ff4c.exe | MediaCenter.exe
    PID 1740 wrote to memory of 1608 | 1740 | 15609cfa17186f68a3ce473773b17fe3ed3566cc0dc13d46e4f7462f4a96ff4c.exe | MediaCenter.exe
    PID 1740 wrote to memory of 1608 | 1740 | 15609cfa17186f68a3ce473773b17fe3ed3566cc0dc13d46e4f7462f4a96ff4c.exe | MediaCenter.exe
    PID 1740 wrote to memory of 1608 | 1740 | 15609cfa17186f68a3ce473773b17fe3ed3566cc0dc13d46e4f7462f4a96ff4c.exe | MediaCenter.exe
    PID 1740 wrote to memory of 916  | 1740 | 15609cfa17186f68a3ce473773b17fe3ed3566cc0dc13d46e4f7462f4a96ff4c.exe | cmd.exe
    PID 1740 wrote to memory of 916  | 1740 | 15609cfa17186f68a3ce473773b17fe3ed3566cc0dc13d46e4f7462f4a96ff4c.exe | cmd.exe
    PID 1740 wrote to memory of 916  | 1740 | 15609cfa17186f68a3ce473773b17fe3ed3566cc0dc13d46e4f7462f4a96ff4c.exe | cmd.exe
    PID 1740 wrote to memory of 916  | 1740 | 15609cfa17186f68a3ce473773b17fe3ed3566cc0dc13d46e4f7462f4a96ff4c.exe | cmd.exe
    PID 916 wrote to memory of 1984  | 916  | cmd.exe                                                               | PING.EXE
    PID 916 wrote to memory of 1984  | 916  | cmd.exe                                                               | PING.EXE
    PID 916 wrote to memory of 1984  | 916  | cmd.exe                                                               | PING.EXE
    PID 916 wrote to memory of 1984  | 916  | cmd.exe                                                               | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\15609cfa17186f68a3ce473773b17fe3ed3566cc0dc13d46e4f7462f4a96ff4c.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\15609cfa17186f68a3ce473773b17fe3ed3566cc0dc13d46e4f7462f4a96ff4c.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 1740
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2, child of PID 1740)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
    PID: 1608
  - C:\Windows\SysWOW64\cmd.exe (depth 2, child of PID 1740)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15609cfa17186f68a3ce473773b17fe3ed3566cc0dc13d46e4f7462f4a96ff4c.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    PID: 916
    - C:\Windows\SysWOW64\PING.EXE (depth 3, child of PID 916)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
      PID: 1984
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: bac0b3abbcd40fb8d20077020c17b179
  SHA1: 425206d3b2cfc505cf9a9b2a2e5f8123a01a850d
  SHA256: 214a7681a66dd63ced4e791d31a3605cabbf3aa6c2bf5039c06b5ba5696217bf
  SHA512: 0531c98b7ba1a3ed160e7404d211aac1ea705958cc476aad2ff87ecd0f6f8b718cb57063195a2127d8f923c3fa0913b7b75601c00ca243c55140aa8825aa1be6