Analysis
- max time kernel: 132s
- max time network: 145s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:24
Static task: static1
Behavioral task: behavioral1
  Sample: 155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe
  Resource: win10v2004-en-20220113
General
- Target: 155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe
- Size: 92KB
- MD5: d3e9c51845245631be7750878f3756b9
- SHA1: 167db640ab76dec6b59be62edd432127e0023533
- SHA256: 155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271
- SHA512: 2476bc7d3740e3067ed35989b753e0da969ec2a8fc3fc0d3078141e31179266ed18869ce237d8c3155c040347026182ae2ca79b4fbc08689813ca0474ff204ae
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource | yara_rule):
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    1212 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
    624 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
    856 | 155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 856 | 155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 856 wrote to memory of 1212 | 856 | 155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe | MediaCenter.exe
    PID 856 wrote to memory of 1212 | 856 | 155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe | MediaCenter.exe
    PID 856 wrote to memory of 1212 | 856 | 155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe | MediaCenter.exe
    PID 856 wrote to memory of 1212 | 856 | 155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe | MediaCenter.exe
    PID 856 wrote to memory of 624 | 856 | 155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe | cmd.exe
    PID 856 wrote to memory of 624 | 856 | 155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe | cmd.exe
    PID 856 wrote to memory of 624 | 856 | 155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe | cmd.exe
    PID 856 wrote to memory of 624 | 856 | 155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe | cmd.exe
    PID 624 wrote to memory of 2016 | 624 | cmd.exe | PING.EXE
    PID 624 wrote to memory of 2016 | 624 | cmd.exe | PING.EXE
    PID 624 wrote to memory of 2016 | 624 | cmd.exe | PING.EXE
    PID 624 wrote to memory of 2016 | 624 | cmd.exe | PING.EXE
Processes (process tree, depth shown by indentation)
- Path: C:\Users\Admin\AppData\Local\Temp\155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe"
  PID: 856
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    - Path: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1212
      - Executes dropped EXE
    - Path: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\155a6678c4527a5d29acb6acbe3136601f002d7b89d264ff40c5652ea8c58271.exe"
      PID: 624
      - Deletes itself
      - Suspicious use of WriteProcessMemory
        - Path: C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 2016
          - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 059e5de404e211a46068089ef0c4ff74
  SHA1: c6ce9d0a8f707717bd61fc1421f7b6834ed721df
  SHA256: 586f19ee198817ede91af7d1249a0b8f6cec3bf472b38ad46f01f059681ab209
  SHA512: 4eae531336d8964270396c0c784cabf79aa36f600aa52aab9e4cc67304b76598ae417b88c3aaf04384661838adb3f06cdada4bcae08eab816e03f122feec8c91