Analysis
max time kernel: 139s
max time network: 154s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:38
Static task: static1
Behavioral task: behavioral1
  Sample: 14fb8fcd4656d2e2ba9444a0eb952264a13d47a67f4e6c65dc064ff4bee39c92.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 14fb8fcd4656d2e2ba9444a0eb952264a13d47a67f4e6c65dc064ff4bee39c92.exe
  Resource: win10v2004-en-20220113
General
Target: 14fb8fcd4656d2e2ba9444a0eb952264a13d47a67f4e6c65dc064ff4bee39c92.exe
Size: 216KB
MD5: 2bd8662c5f410bb778aefa14ba7f1242
SHA1: 2f923171086d16751ec97de2e3820ac04af62353
SHA256: 14fb8fcd4656d2e2ba9444a0eb952264a13d47a67f4e6c65dc064ff4bee39c92
SHA512: 3efdaf9ed6ac1a885bb289d48f1d9dea3b8fdfa678fd9a31ee5a0a274f3c7c3f6ba2c4c7de8355cf273a5ab8aa2e7ea8c3d1def20f428fa78984c1b72c7dd613
Malware Config
Signatures
Sakula Payload 4 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral1/memory/948-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral1/memory/1332-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE 1 IoCs
Processes:
pid | process
1332 | MediaCenter.exe
Deletes itself 1 IoCs
Processes:
pid | process
1860 | cmd.exe
Loads dropped DLL 1 IoCs
Processes:
pid | process
948 | 14fb8fcd4656d2e2ba9444a0eb952264a13d47a67f4e6c65dc064ff4bee39c92.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 14fb8fcd4656d2e2ba9444a0eb952264a13d47a67f4e6c65dc064ff4bee39c92.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 948 | 14fb8fcd4656d2e2ba9444a0eb952264a13d47a67f4e6c65dc064ff4bee39c92.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 948 wrote to memory of 1332 | 948 | 14fb8fcd4656d2e2ba9444a0eb952264a13d47a67f4e6c65dc064ff4bee39c92.exe | MediaCenter.exe
PID 948 wrote to memory of 1332 | 948 | 14fb8fcd4656d2e2ba9444a0eb952264a13d47a67f4e6c65dc064ff4bee39c92.exe | MediaCenter.exe
PID 948 wrote to memory of 1332 | 948 | 14fb8fcd4656d2e2ba9444a0eb952264a13d47a67f4e6c65dc064ff4bee39c92.exe | MediaCenter.exe
PID 948 wrote to memory of 1332 | 948 | 14fb8fcd4656d2e2ba9444a0eb952264a13d47a67f4e6c65dc064ff4bee39c92.exe | MediaCenter.exe
PID 948 wrote to memory of 1860 | 948 | 14fb8fcd4656d2e2ba9444a0eb952264a13d47a67f4e6c65dc064ff4bee39c92.exe | cmd.exe
PID 948 wrote to memory of 1860 | 948 | 14fb8fcd4656d2e2ba9444a0eb952264a13d47a67f4e6c65dc064ff4bee39c92.exe | cmd.exe
PID 948 wrote to memory of 1860 | 948 | 14fb8fcd4656d2e2ba9444a0eb952264a13d47a67f4e6c65dc064ff4bee39c92.exe | cmd.exe
PID 948 wrote to memory of 1860 | 948 | 14fb8fcd4656d2e2ba9444a0eb952264a13d47a67f4e6c65dc064ff4bee39c92.exe | cmd.exe
PID 1860 wrote to memory of 1872 | 1860 | cmd.exe | PING.EXE
PID 1860 wrote to memory of 1872 | 1860 | cmd.exe | PING.EXE
PID 1860 wrote to memory of 1872 | 1860 | cmd.exe | PING.EXE
PID 1860 wrote to memory of 1872 | 1860 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\14fb8fcd4656d2e2ba9444a0eb952264a13d47a67f4e6c65dc064ff4bee39c92.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\14fb8fcd4656d2e2ba9444a0eb952264a13d47a67f4e6c65dc064ff4bee39c92.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 948
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1332
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14fb8fcd4656d2e2ba9444a0eb952264a13d47a67f4e6c65dc064ff4bee39c92.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1860
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1872
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: de461a19b8bd198b3b90ed3976e723ae
SHA1: 2e9e9ea84d846b78f415c48d45b08a99f6f505a2
SHA256: bf76173661e0972d8c891664c4a6f2564d1aa186bcedc8d85907c11f25936659
SHA512: c7d72422b4fa93d92ec7992596cd2e62e57ae8dab3656a7c2f3dd9dfa48254b0aa7e28aec2cc74ac8f7eb73844e07e79cbeefa78eed35df75c4d67dbefc5457e