Analysis
- max time kernel: 140s
- max time network: 158s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:37
Static task: static1
Behavioral task: behavioral1
- Sample: 1506b557906835a9d319d79554c8b4c8416e1e50ca71aee4f89bc903b9abcafd.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1506b557906835a9d319d79554c8b4c8416e1e50ca71aee4f89bc903b9abcafd.exe
- Resource: win10v2004-en-20220113
General
- Target: 1506b557906835a9d319d79554c8b4c8416e1e50ca71aee4f89bc903b9abcafd.exe
- Size: 216KB
- MD5: 385ad9d8f92d0e129b7756a7c10c3585
- SHA1: c61da48b4e7635f471893c77600501e91060bbf9
- SHA256: 1506b557906835a9d319d79554c8b4c8416e1e50ca71aee4f89bc903b9abcafd
- SHA512: 7e53ef8af41c384f1f1f8a3a5c9d06f38262631c4b66d3600f30e2d67f2a442ca9c479ba6dda52017468fee9ec8bb0ca70ecf1aa25d4c09d66d866c2805c44d3
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1608-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1744-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1744 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  1252 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  1608 | 1506b557906835a9d319d79554c8b4c8416e1e50ca71aee4f89bc903b9abcafd.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1506b557906835a9d319d79554c8b4c8416e1e50ca71aee4f89bc903b9abcafd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1608 | 1506b557906835a9d319d79554c8b4c8416e1e50ca71aee4f89bc903b9abcafd.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1608 wrote to memory of 1744 | 1608 | 1506b557906835a9d319d79554c8b4c8416e1e50ca71aee4f89bc903b9abcafd.exe | MediaCenter.exe
  PID 1608 wrote to memory of 1744 | 1608 | 1506b557906835a9d319d79554c8b4c8416e1e50ca71aee4f89bc903b9abcafd.exe | MediaCenter.exe
  PID 1608 wrote to memory of 1744 | 1608 | 1506b557906835a9d319d79554c8b4c8416e1e50ca71aee4f89bc903b9abcafd.exe | MediaCenter.exe
  PID 1608 wrote to memory of 1744 | 1608 | 1506b557906835a9d319d79554c8b4c8416e1e50ca71aee4f89bc903b9abcafd.exe | MediaCenter.exe
  PID 1608 wrote to memory of 1252 | 1608 | 1506b557906835a9d319d79554c8b4c8416e1e50ca71aee4f89bc903b9abcafd.exe | cmd.exe
  PID 1608 wrote to memory of 1252 | 1608 | 1506b557906835a9d319d79554c8b4c8416e1e50ca71aee4f89bc903b9abcafd.exe | cmd.exe
  PID 1608 wrote to memory of 1252 | 1608 | 1506b557906835a9d319d79554c8b4c8416e1e50ca71aee4f89bc903b9abcafd.exe | cmd.exe
  PID 1608 wrote to memory of 1252 | 1608 | 1506b557906835a9d319d79554c8b4c8416e1e50ca71aee4f89bc903b9abcafd.exe | cmd.exe
  PID 1252 wrote to memory of 1484 | 1252 | cmd.exe | PING.EXE
  PID 1252 wrote to memory of 1484 | 1252 | cmd.exe | PING.EXE
  PID 1252 wrote to memory of 1484 | 1252 | cmd.exe | PING.EXE
  PID 1252 wrote to memory of 1484 | 1252 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1506b557906835a9d319d79554c8b4c8416e1e50ca71aee4f89bc903b9abcafd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1506b557906835a9d319d79554c8b4c8416e1e50ca71aee4f89bc903b9abcafd.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1608
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1744
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1506b557906835a9d319d79554c8b4c8416e1e50ca71aee4f89bc903b9abcafd.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1252
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1484
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: d18eef236d3b57686545e7226470a348
- SHA1: 6bb17d97204d44c69481db855065dcb4bbd16d6b
- SHA256: f15dca448ea17cb9667ee9faacb17c3457846f908f86ecc8a95640694e78256b
- SHA512: 631e892b2a7067f01bb94786177b32d54ce6833e559eeabdf269f80f67489645648c7a8f21a1bcf91f1a70dd8b8e1ece3fe6ce8f66b76fad37af5c6165c5fc79