Analysis
- max time kernel: 161s
- max time network: 172s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:52
Static task: static1
Behavioral task: behavioral1
- Sample: 169ae80aef6265c217d753ef68cdea954721fd82ce0ec1447e90b312723e7a5b.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 169ae80aef6265c217d753ef68cdea954721fd82ce0ec1447e90b312723e7a5b.exe
- Resource: win10v2004-en-20220112
General
- Target: 169ae80aef6265c217d753ef68cdea954721fd82ce0ec1447e90b312723e7a5b.exe
- Size: 176KB
- MD5: 422d367bd99852ad5c97ddb76e2c6a95
- SHA1: afb30736b214a7b8369b1e74a49b6e29a567d4da
- SHA256: 169ae80aef6265c217d753ef68cdea954721fd82ce0ec1447e90b312723e7a5b
- SHA512: 157d65691d95a0534c2984b56f5a3df9c0a3325d886e1ef134e36d2f34e07ebd8be380402ae467a90ddd42ed4608c76811f02290c6491aa454e3fe5ff69f43fb
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1212-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/648-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  648 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  1188 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes:
  pid | process
  1212 | 169ae80aef6265c217d753ef68cdea954721fd82ce0ec1447e90b312723e7a5b.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 169ae80aef6265c217d753ef68cdea954721fd82ce0ec1447e90b312723e7a5b.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1212 | 169ae80aef6265c217d753ef68cdea954721fd82ce0ec1447e90b312723e7a5b.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1212 wrote to memory of 648 | 1212 | 169ae80aef6265c217d753ef68cdea954721fd82ce0ec1447e90b312723e7a5b.exe | MediaCenter.exe
  PID 1212 wrote to memory of 648 | 1212 | 169ae80aef6265c217d753ef68cdea954721fd82ce0ec1447e90b312723e7a5b.exe | MediaCenter.exe
  PID 1212 wrote to memory of 648 | 1212 | 169ae80aef6265c217d753ef68cdea954721fd82ce0ec1447e90b312723e7a5b.exe | MediaCenter.exe
  PID 1212 wrote to memory of 648 | 1212 | 169ae80aef6265c217d753ef68cdea954721fd82ce0ec1447e90b312723e7a5b.exe | MediaCenter.exe
  PID 1212 wrote to memory of 1188 | 1212 | 169ae80aef6265c217d753ef68cdea954721fd82ce0ec1447e90b312723e7a5b.exe | cmd.exe
  PID 1212 wrote to memory of 1188 | 1212 | 169ae80aef6265c217d753ef68cdea954721fd82ce0ec1447e90b312723e7a5b.exe | cmd.exe
  PID 1212 wrote to memory of 1188 | 1212 | 169ae80aef6265c217d753ef68cdea954721fd82ce0ec1447e90b312723e7a5b.exe | cmd.exe
  PID 1212 wrote to memory of 1188 | 1212 | 169ae80aef6265c217d753ef68cdea954721fd82ce0ec1447e90b312723e7a5b.exe | cmd.exe
  PID 1188 wrote to memory of 1200 | 1188 | cmd.exe | PING.EXE
  PID 1188 wrote to memory of 1200 | 1188 | cmd.exe | PING.EXE
  PID 1188 wrote to memory of 1200 | 1188 | cmd.exe | PING.EXE
  PID 1188 wrote to memory of 1200 | 1188 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\169ae80aef6265c217d753ef68cdea954721fd82ce0ec1447e90b312723e7a5b.exe (PID 1212)
  Command line: "C:\Users\Admin\AppData\Local\Temp\169ae80aef6265c217d753ef68cdea954721fd82ce0ec1447e90b312723e7a5b.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 648)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1188)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\169ae80aef6265c217d753ef68cdea954721fd82ce0ec1447e90b312723e7a5b.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1200)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: fcce0413ff9cfa1d17e32bd19e171cf4
  SHA1: fef86134e354921c6e4bb910c462ce85431cfcae
  SHA256: 6aa3926a09466fafa73940b937c0c0f77f4d594af72050109c0fffa8d748635a
  SHA512: c01df78b4356249e4aefe806e33b5e577d57e058d392d05ad7b996552a7c5011b51e2491cdaa3d9faeff82f9835d17655a854ecf3e4f51975ca49aa5c7f5a396