Analysis
  max time kernel: 158s
  max time network: 174s
  platform: windows7_x64
  resource: win7-en-20211208
  submitted: 12-02-2022 04:39
Static task: static1
Behavioral task: behavioral1
  Sample: 14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe
  Resource: win10v2004-en-20220112
General
  Target: 14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe
  Size: 168KB
  MD5: b7e8f41e681092c884506d73ab6f0648
  SHA1: 3795dd2a7bc8635018a0e65394641ebf6005d1d1
  SHA256: 14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601
  SHA512: 309c30ccc92c33da1b4bd728a544db173fea0c61ef660de8d66ca96ec6e3ac5de50c56b135d3f9bd821c3416879e30f36b8259a6cd97f5ee6ab3178b0daf8aba
Malware Config
Signatures
Sakula Payload (4 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1608-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1588-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
  pid | process
  1588 | MediaCenter.exe
Deletes itself (1 IoC)
  pid | process
  812 | cmd.exe
Loads dropped DLL (1 IoC)
  pid | process
  1608 | 14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1608 | 14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 1608 wrote to memory of 1588 | 1608 | 14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe | MediaCenter.exe
  PID 1608 wrote to memory of 1588 | 1608 | 14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe | MediaCenter.exe
  PID 1608 wrote to memory of 1588 | 1608 | 14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe | MediaCenter.exe
  PID 1608 wrote to memory of 1588 | 1608 | 14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe | MediaCenter.exe
  PID 1608 wrote to memory of 812 | 1608 | 14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe | cmd.exe
  PID 1608 wrote to memory of 812 | 1608 | 14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe | cmd.exe
  PID 1608 wrote to memory of 812 | 1608 | 14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe | cmd.exe
  PID 1608 wrote to memory of 812 | 1608 | 14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe | cmd.exe
  PID 812 wrote to memory of 1356 | 812 | cmd.exe | PING.EXE
  PID 812 wrote to memory of 1356 | 812 | cmd.exe | PING.EXE
  PID 812 wrote to memory of 1356 | 812 | cmd.exe | PING.EXE
  PID 812 wrote to memory of 1356 | 812 | cmd.exe | PING.EXE
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1608
  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1588
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 812
    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1356
Network
MITRE ATT&CK Enterprise v6
Downloads
  MD5: 9bd29b8f641399cec7540039e5e7dafc
  SHA1: 91e61d6aa2366dad0e255290b512efc1afc8deb1
  SHA256: 2fe20d69ed4c56a21caf3fec417c74e3c3b34294a792ee11f4425af7908c8516
  SHA512: bc2c21b397e44d9914be2e28c4f19b37ea8382bb9d9eeafc3e104e93dc915b3cbb89f1810c6b133f1d98bd5149ce5e01c48d285c334628191b10ae9f8b50367e