Analysis
- max time kernel: 152s
- max time network: 171s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:54
Static task: static1
Behavioral task: behavioral1
- Sample: 1687bc0738560d9d615f5715ca377841fd87f86d6304201c66767a87670d3d95.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1687bc0738560d9d615f5715ca377841fd87f86d6304201c66767a87670d3d95.exe
- Resource: win10v2004-en-20220113
The Analysis header (platform windows7_x64, resource win7-en-20211208) matches behavioral1; the signatures and process tree below come from that run. The behavioral2 run on win10v2004-en-20220113 is not reproduced on this page.
General
- Target: 1687bc0738560d9d615f5715ca377841fd87f86d6304201c66767a87670d3d95.exe
- Size: 150KB
- MD5: 9aa9cf034deaf46ad4714d3ddab92f9e
- SHA1: ed1ac2d3a7c099245c3b4756a50833bae6941e0b
- SHA256: 1687bc0738560d9d615f5715ca377841fd87f86d6304201c66767a87670d3d95
- SHA512: e802caa7da6014ba7062a14504b96947a4bed82c046c222fee57931e76e74171d0edeae1a8e3efabf1b345936a4cc7371e343437ecd08a2a1009e20e662a6e85
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  pid | process
  1288 | MediaCenter.exe
- Deletes itself (1 IoC)
  pid | process
  1960 | cmd.exe
- Loads dropped DLL (1 IoC)
  pid | process
  1464 | 1687bc0738560d9d615f5715ca377841fd87f86d6304201c66767a87670d3d95.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1687bc0738560d9d615f5715ca377841fd87f86d6304201c66767a87670d3d95.exe
  The Wow6432Node path is the WOW64 registry redirector at work: the 32-bit dropper writes the machine-wide HKLM Run key, and the persisted binary is the dropped MediaCenter.exe in the user's Temp directory. A Run value that points into AppData\Local\Temp is a strong hunting lead on its own.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the signature; nothing else in this run (RAT beacon, Run-key persistence, self-deletion) shows file encryption, so it should not be read as a ransomware verdict for this sample.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1464 | 1687bc0738560d9d615f5715ca377841fd87f86d6304201c66767a87670d3d95.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  source pid (process) | target pid (process) | writes
  1464 (1687bc0738560d9d615f5715ca377841fd87f86d6304201c66767a87670d3d95.exe) | 1288 (MediaCenter.exe) | 4
  1464 (1687bc0738560d9d615f5715ca377841fd87f86d6304201c66767a87670d3d95.exe) | 1960 (cmd.exe) | 4
  1960 (cmd.exe) | 968 (PING.EXE) | 4
  Each group of four writes goes from a parent to a child it has just spawned, the pattern ordinary process creation produces while the parent sets up the new process; no write into an unrelated, pre-existing process is recorded, so this is not evidence of code injection.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\1687bc0738560d9d615f5715ca377841fd87f86d6304201c66767a87670d3d95.exe (PID 1464)
  command line: "C:\Users\Admin\AppData\Local\Temp\1687bc0738560d9d615f5715ca377841fd87f86d6304201c66767a87670d3d95.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1288)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 1960)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1687bc0738560d9d615f5715ca377841fd87f86d6304201c66767a87670d3d95.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE (PID 968)
      command line: ping 127.0.0.1
      - Runs ping.exe
The dropper is 32-bit, so its reference to System32\cmd.exe is served from SysWOW64 by WOW64 file system redirection. The ping 127.0.0.1 exists only as a short delay: it gives the dropper time to exit so the following del /q can remove the dropper's own file, which is the "Deletes itself" signature. Nothing here shows the dropper's handle to the dropped DLL, so the "Loads dropped DLL" entry cannot be tied to a specific file from this page alone.
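The two behaviours that make this tree recognisable, a child cmd.exe that deletes its parent's image after a ping delay and a Run value pointing into the user's Temp directory, can be checked from endpoint telemetry without the sandbox. The following Python is an added example, not part of this report and not Triage's own signature logic; it runs over constructed Sysmon-style events modelled on the Signatures and Processes sections above (the record field names and the two benign noise events are assumptions of this example).

```python
import re
from typing import Dict, List

# Constructed Sysmon-style events modelled on the process tree in this report.
# The record layout (kind/pid/ppid/image/cmdline for a process creation,
# kind/pid/key/value for a registry value set) and the two benign noise
# events at the end are assumptions of this example, not sandbox output.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\1687bc0738560d9d615f5715ca377841fd87f86d6304201c66767a87670d3d95.exe")
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

SAMPLE_EVENTS: List[Dict] = [
    {"kind": "process", "pid": 1464, "ppid": 1000, "image": DROPPER,
     "cmdline": f'"{DROPPER}"'},
    {"kind": "registry", "pid": 1464,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
            r"\CurrentVersion\Run\MicroMedia",
     "value": PAYLOAD},
    {"kind": "process", "pid": 1288, "ppid": 1464, "image": PAYLOAD,
     "cmdline": PAYLOAD},
    {"kind": "process", "pid": 1960, "ppid": 1464,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "'
                + DROPPER + '"'},
    {"kind": "process", "pid": 968, "ppid": 1960,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    # Benign noise (constructed): an operator deleting a log, a vendor Run entry.
    {"kind": "process", "pid": 2200, "ppid": 1000,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c del /q "C:\Users\Admin\Desktop\old.log"'},
    {"kind": "registry", "pid": 2300,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "value": r"C:\Program Files\Vendor\agent.exe"},
]

# 'del' followed by optional switches (/q, /f, ...) and a quoted or bare path.
_DEL_RE = re.compile(r'\bdel\b(?:\s+/\S+)*\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
_PING_RE = re.compile(r"\bping(?:\.exe)?\b", re.IGNORECASE)
# Run and RunOnce under any hive; the key text may be HKLM\... or \REGISTRY\MACHINE\...
_RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def _norm(path: str) -> str:
    """Strip surrounding quotes and case-fold so paths compare reliably."""
    return path.strip('"').lower()


def find_self_deletion(events: List[Dict]) -> List[Dict]:
    """Flag cmd.exe instances whose 'del' target is the image of their parent.

    A preceding ping (the sleep substitute seen in this report) is recorded in
    the finding but not required, so 'timeout'-based variants still match on
    the parent/target relationship alone.
    """
    by_pid = {e["pid"]: e for e in events if e["kind"] == "process"}
    hits = []
    for e in events:
        if e["kind"] != "process" or not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = _DEL_RE.search(e["cmdline"])
        if not m:
            continue
        target = _norm(m.group(1) or m.group(2))
        parent = by_pid.get(e["ppid"])
        if parent is not None and _norm(parent["image"]) == target:
            hits.append({"cmd_pid": e["pid"], "parent_pid": parent["pid"],
                         "deleted": target,
                         "ping_delay": bool(_PING_RE.search(e["cmdline"]))})
    return hits


def find_temp_run_keys(events: List[Dict]) -> List[Dict]:
    """Flag Run/RunOnce values (any hive, Wow6432Node included) that launch a
    binary from a user's AppData\\Local\\Temp directory."""
    hits = []
    for e in events:
        if e["kind"] != "registry" or not _RUN_KEY_RE.search(e["key"]):
            continue
        if _TEMP_RE.search(e["value"]):
            hits.append({"pid": e["pid"], "key": e["key"], "value": _norm(e["value"])})
    return hits


if __name__ == "__main__":
    for hit in find_self_deletion(SAMPLE_EVENTS) + find_temp_run_keys(SAMPLE_EVENTS):
        print(hit)
```

The self-deletion check keys on the parent/target relationship rather than on the literal `ping 127.0.0.1 & del` string, so a benign `cmd /c del` of some other file (the constructed noise event) is not flagged, while the same pattern with `timeout` in place of `ping` still is. Against real telemetry, feed it Sysmon Event ID 1 and 13 records mapped onto the same fields.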
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 2906d002584b2fb6490b7f6088fdd265
- SHA1: 272d13666206dad4fceb5493d72c2093b3102e1d
- SHA256: c394dfb93bf26f3a92daa6efaf941b43a0bfc7ab885d4bbd45c1f07ff86a1127
- SHA512: a9cfbfdd7b90bf22ae6ce9f5305584e7419cc830d44b21bf385af20fb181265850b60aef33c430cce96f044e7b0a506435ac3c2d9c121c4b41322e0ac4f7dbe4
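The digests in the General and Downloads sections are the report's portable indicators. As an added example (not part of the report), the Python below loads them into a small IOC set, validates each digest before it is trusted, and matches a file's digests against the set; the entry names and the constructed sample bytes are this example's own, and the Downloads entry is labelled only as "download" because the page does not name the file it belongs to.

```python
import hashlib
from typing import Dict, List

# Expected hex length per algorithm; used to reject truncated or mis-pasted digests.
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Digests copied from the report. The entry names are labels chosen for this
# example, not identifiers from the report.
REPORT_IOCS: Dict[str, Dict[str, str]] = {
    "submitted_sample": {
        "md5": "9aa9cf034deaf46ad4714d3ddab92f9e",
        "sha1": "ed1ac2d3a7c099245c3b4756a50833bae6941e0b",
        "sha256": "1687bc0738560d9d615f5715ca377841fd87f86d6304201c66767a87670d3d95",
        "sha512": "e802caa7da6014ba7062a14504b96947a4bed82c046c222fee57931e76e74171"
                  "d0edeae1a8e3efabf1b345936a4cc7371e343437ecd08a2a1009e20e662a6e85",
    },
    "download": {
        "md5": "2906d002584b2fb6490b7f6088fdd265",
        "sha1": "272d13666206dad4fceb5493d72c2093b3102e1d",
        "sha256": "c394dfb93bf26f3a92daa6efaf941b43a0bfc7ab885d4bbd45c1f07ff86a1127",
        "sha512": "a9cfbfdd7b90bf22ae6ce9f5305584e7419cc830d44b21bf385af20fb1812658"
                  "50b60aef33c430cce96f044e7b0a506435ac3c2d9c121c4b41322e0ac4f7dbe4",
    },
}


def validate_iocs(iocs: Dict[str, Dict[str, str]]) -> List[str]:
    """Return 'entry/alg' labels for digests of the wrong length or with non-hex
    characters. A malformed digest never matches anything, so a blocklist built
    from an unchecked report silently loses coverage."""
    bad = []
    for name, digs in iocs.items():
        for alg, hexval in digs.items():
            want = HEX_LEN.get(alg)
            hex_ok = all(c in "0123456789abcdef" for c in hexval.lower())
            if want is None or len(hexval) != want or not hex_ok:
                bad.append(f"{name}/{alg}")
    return bad


def digests(data: bytes) -> Dict[str, str]:
    """Compute all four digests the report lists for a blob of bytes."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in HEX_LEN}


def match_iocs(data: bytes, iocs: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each IOC entry to the algorithms under which `data` matches it.

    A sha256 or sha512 match is conclusive; an md5-only or sha1-only match is a
    lead rather than a verdict, since both algorithms are collision-prone.
    """
    got = digests(data)
    out: Dict[str, List[str]] = {}
    for name, digs in iocs.items():
        algs = [alg for alg, hexval in digs.items() if got.get(alg) == hexval.lower()]
        if algs:
            out[name] = algs
    return out


if __name__ == "__main__":
    # Constructed bytes, not the sample: expected to validate cleanly and not match.
    print("malformed:", validate_iocs(REPORT_IOCS))
    print("matches:", match_iocs(b"constructed bytes, not the sample", REPORT_IOCS))
```

To check a file retrieved from a host, read it as bytes and pass it to `match_iocs`; treat any `sha256` or `sha512` entry in the result as a confirmed match with this report's sample or dropped file.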