Analysis
max time kernel: 148s
max time network: 157s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:35

Static task: static1
Behavioral task: behavioral1
Sample: 1514a81c2bfb48089b44c395addad629a73756ecc00fe01ae4af078d18044ff9.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 1514a81c2bfb48089b44c395addad629a73756ecc00fe01ae4af078d18044ff9.exe
Resource: win10v2004-en-20220112
General
Target: 1514a81c2bfb48089b44c395addad629a73756ecc00fe01ae4af078d18044ff9.exe
Size: 150KB
MD5: 00e9fcdb6930e32f956221b629c4a1ba
SHA1: 31739624b0f87d4fca8d79a761cbb0d59d6370c2
SHA256: 1514a81c2bfb48089b44c395addad629a73756ecc00fe01ae4af078d18044ff9
SHA512: 0efab9d141ddeac5b9aa7a688c2580b6918a08d18e7cd8b3203a18ebb9e1d0bac7e530f4fc7a63195863cfbdc138c09e1e8f94ab2c6440dded57054b87e7834a
Malware Config
Signatures
Sakula Payload (2 IoCs)
yara_rule family_sakula: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
yara_rule family_sakula: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
pid 808  process MediaCenter.exe
Deletes itself (1 IoC)
pid 292  process cmd.exe
Loads dropped DLL (1 IoC)
pid 1580  process 1514a81c2bfb48089b44c395addad629a73756ecc00fe01ae4af078d18044ff9.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
process: 1514a81c2bfb48089b44c395addad629a73756ecc00fe01ae4af078d18044ff9.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic note "likely ransomware behaviour" to this signature; the YARA and Suricata hits above identify the sample as the Sakula/Mivast RAT, so this heuristic on its own is not evidence of ransomware here.
Runs ping.exe (1 TTP, 1 IoC)
The IoC is PING.EXE (PID 1620) in the process tree below.
Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeIncBasePriorityPrivilege  pid 1580  process 1514a81c2bfb48089b44c395addad629a73756ecc00fe01ae4af078d18044ff9.exe
Suspicious use of WriteProcessMemory (12 IoCs)
PID 1580 (1514a81c2bfb48089b44c395addad629a73756ecc00fe01ae4af078d18044ff9.exe) wrote to memory of PID 808 (MediaCenter.exe), 4 events
PID 1580 (1514a81c2bfb48089b44c395addad629a73756ecc00fe01ae4af078d18044ff9.exe) wrote to memory of PID 292 (cmd.exe), 4 events
PID 292 (cmd.exe) wrote to memory of PID 1620 (PING.EXE), 4 events
Every write is from a parent into a child it has just created (see the process tree); no writes into unrelated processes were recorded, so this is process creation, not injection into a foreign process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\1514a81c2bfb48089b44c395addad629a73756ecc00fe01ae4af078d18044ff9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1514a81c2bfb48089b44c395addad629a73756ecc00fe01ae4af078d18044ff9.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1580
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 808
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1514a81c2bfb48089b44c395addad629a73756ecc00fe01ae4af078d18044ff9.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 292
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1620

The numbers are the depth in the process tree. The dropper (PID 1580) launches the dropped MediaCenter.exe, then spawns cmd.exe to delete its own image once ping 127.0.0.1 has provided a short delay. The command line names System32\cmd.exe but the image actually loaded is SysWOW64\cmd.exe: the sample is a 32-bit process, and WOW64 file-system redirection (the same mechanism that put its Run key under Wow6432Node) is the visible effect.
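The three behaviours this report records (a Run key pointing into %TEMP%, a Temp-resident dropper launching a second Temp-resident executable, and the "ping & del" self-deletion) are each cheap to detect from process-creation and registry telemetry. The following is an added example written for this page, not code from Tria.ge or from the sample: it runs those checks over a constructed set of Sysmon-style events modelled on the process tree and Run-key entry above (plus two benign decoys). The Event schema, field names and regular expressions are the author's assumptions, not a real sensor's format.

```python
"""Detection checks for the behaviour recorded in this report.

Added example (not part of the Tria.ge report or the sample). It runs three
checks over constructed Sysmon-style events that mirror the process tree and
Run-key entry above; the event shape, field names and regexes are the
author's assumptions, not a real sensor's schema.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal process-creation / registry-set record (constructed schema)."""
    event_type: str            # "process" or "registry"
    pid: int = 0
    ppid: int = 0
    image: str = ""            # image path of the acting process
    command_line: str = ""     # process events only
    target_object: str = ""    # registry events: key\value path
    details: str = ""          # registry events: value data


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1514a81c2bfb48089b44c395addad629a73756ecc00fe01ae4af078d18044ff9.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events modelled on the report, plus two benign decoys.
EVENTS = [
    Event("process", pid=1580, ppid=1000, image=SAMPLE, command_line=f'"{SAMPLE}"'),
    Event("registry", pid=1580, image=SAMPLE,
          target_object=r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
          details=DROPPED),
    Event("process", pid=808, ppid=1580, image=DROPPED, command_line=DROPPED),
    Event("process", pid=292, ppid=1580, image=r"C:\Windows\SysWOW64\cmd.exe",
          command_line=f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    Event("process", pid=1620, ppid=292, image=r"C:\Windows\SysWOW64\PING.EXE",
          command_line="ping 127.0.0.1"),
    # Decoys: a plain ping from cmd, and a Run key pointing into Program Files.
    Event("process", pid=2000, ppid=1000, image=r"C:\Windows\System32\cmd.exe",
          command_line="cmd.exe /c ping 127.0.0.1 -n 4"),
    Event("registry", pid=2001, image=r"C:\Program Files\Vendor\setup.exe",
          target_object=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
          details=r"C:\Program Files\Vendor\agent.exe"),
]

# "ping <host> & del [/switches] <file.exe>": ping is the sleep, del the cleanup.
SELF_DELETE_RE = re.compile(
    r'/c\s+ping\s+\S+.*?&\s*del\s+(?:/\S+\s+)*"?(?P<target>[^"&]+?\.exe)"?',
    re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
                        re.IGNORECASE)


def detect(events):
    """Return (rule, pid, detail) tuples for every event that matches a rule."""
    image_by_pid = {e.pid: e.image for e in events if e.event_type == "process"}
    findings = []
    for e in events:
        if e.event_type == "process":
            # Rule 1: cmd.exe deleting its own parent's image after a ping delay.
            if e.image.lower().endswith("cmd.exe"):
                m = SELF_DELETE_RE.search(e.command_line)
                if m:
                    target = m.group("target").strip()
                    if image_by_pid.get(e.ppid, "").lower() == target.lower():
                        findings.append(("self_delete_via_ping", e.pid, target))
            # Rule 2: an executable under %TEMP% launching another from %TEMP%.
            parent = image_by_pid.get(e.ppid, "")
            if TEMP_RE.search(e.image) and TEMP_RE.search(parent):
                findings.append(("temp_exe_spawns_temp_exe", e.pid, e.image))
        elif e.event_type == "registry":
            # Rule 3: Run/RunOnce value whose data points into %TEMP%.
            if RUN_KEY_RE.search(e.target_object) and TEMP_RE.search(e.details):
                findings.append(("run_key_to_temp", e.pid, e.details))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:26} pid={pid:<5} {detail}")
```

Rule 1 deliberately requires the deleted file to be the parent's own image; a bare "ping & del" match fires on plenty of installer clean-up scripts, while the parent-image check ties it to the self-deletion pattern this sample uses. The two decoy events are there to show that an ordinary ping and a Run key into Program Files stay silent.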
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 67ee607bc808ceb63b8a54b5822d5ea4
SHA1: 2bbecdc34de8fa5eb9657d97962af781c27b7233
SHA256: 318a717e17dd48d4b1620f4e81358797db4a1d136667d4395097f64d7d355103
SHA512: 83d0763edc54a7f813f15812f8710dc3a0504d35a7081375718221c996c734bb16b7d196fad18be3e4a43c952b2f018a8b541660a4aae3a8b3b7ed55ab4012ef
These hashes differ from those of the submitted sample in the General section, so this is a distinct file; the report does not name it.