Analysis
Max time kernel: 154s
Max time network: 163s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 03:55
Static task: static1
Behavioral task: behavioral1
  Sample: 1671a4f7b8ac2d46a4477cfd5521899373c10998566871cde055b875f8507a21.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1671a4f7b8ac2d46a4477cfd5521899373c10998566871cde055b875f8507a21.exe
  Resource: win10v2004-en-20220113
General
Target: 1671a4f7b8ac2d46a4477cfd5521899373c10998566871cde055b875f8507a21.exe
Size: 176KB
MD5: 0408b18c8a06aa389ed0cd78a38d5972
SHA1: 77e6945f041475da1cc66a43c66ef15900c01181
SHA256: 1671a4f7b8ac2d46a4477cfd5521899373c10998566871cde055b875f8507a21
SHA512: defab5ff5c32b8a193d3c24cedfdfd409c122fe1af5d29097b738c0bc78249d1b360b315e5cd6584dca951b7912dca3d9e9e1e14a13419926fdc406954b9711a
Malware Config
Signatures
Sakula Payload (4 IoCs)
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral1/memory/1624-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral1/memory/628-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
The two memory dumps are from PID 1624 (the submitted sample) and PID 628 (the dropped MediaCenter.exe); both match family_sakula in the 0x400000-0x420000 range, as does the dropped file on disk.
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
pid | process
628 | MediaCenter.exe

Deletes itself (1 IoC)
pid | process
300 | cmd.exe

Loads dropped DLL (1 IoC)
pid | process
1624 | 1671a4f7b8ac2d46a4477cfd5521899373c10998566871cde055b875f8507a21.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1671a4f7b8ac2d46a4477cfd5521899373c10998566871cde055b875f8507a21.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; the payload, Suricata and YARA signatures on this report identify the sample as Sakula/Mivast RAT, so treat the ransomware label as the signature's boilerplate rather than a finding about this sample.
Runs ping.exe (1 TTP, 1 IoC)
See PID 1032 (ping 127.0.0.1) in the process tree below; it is the delay used by the self-deletion command.
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeIncBasePriorityPrivilege | 1624 | 1671a4f7b8ac2d46a4477cfd5521899373c10998566871cde055b875f8507a21.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | process | target process | events
PID 1624 wrote to memory of 628 | 1624 | 1671a4f7b8ac2d46a4477cfd5521899373c10998566871cde055b875f8507a21.exe | MediaCenter.exe | 4
PID 1624 wrote to memory of 300 | 1624 | 1671a4f7b8ac2d46a4477cfd5521899373c10998566871cde055b875f8507a21.exe | cmd.exe | 4
PID 300 wrote to memory of 1032 | 300 | cmd.exe | PING.EXE | 4
Processes
- C:\Users\Admin\AppData\Local\Temp\1671a4f7b8ac2d46a4477cfd5521899373c10998566871cde055b875f8507a21.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1671a4f7b8ac2d46a4477cfd5521899373c10998566871cde055b875f8507a21.exe"
  PID: 1624
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 628
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1671a4f7b8ac2d46a4477cfd5521899373c10998566871cde055b875f8507a21.exe"
    PID: 300
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1032
      - Runs ping.exe
The sample is 32-bit: on this x64 host its System32 references resolve to SysWOW64 and its Run value lands under Wow6432Node. The ping to 127.0.0.1 is a delay so that the parent has exited before del removes its image.
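The "Deletes itself" and "Adds Run key to start application" signatures above rest on one command line and one registry write from the process tree. The Python below is an added example written for this page, not code from the report or from any sandbox: it runs detection logic for both patterns over event records constructed from the report's own PIDs, image paths, command lines and Run value. The sample's parent PID (1000) and the event dictionary layout are assumptions; the regexes also accept the common timeout/erase variants of the delayed-delete pattern, which the report does not show.

```python
import re

# Constructed events modelled on the process tree and the Run-key IoC in the
# report above. PIDs, image paths, command lines and the registry value are
# copied from the report; the parent PID of the sample (1000) and the event
# dictionary layout are assumptions of this example.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1671a4f7b8ac2d46a4477cfd5521899373c10998566871cde055b875f8507a21.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS = [
    {"type": "process", "pid": 1624, "ppid": 1000, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "registry", "pid": 1624,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     # REG_SZ data exactly as the report prints it (escaped backslashes, quotes)
     "data": r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"'},
    {"type": "process", "pid": 628, "ppid": 1624, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process", "pid": 300, "ppid": 1624, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 1032, "ppid": 300, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]

# "ping <x> & del <file>" (or timeout/erase variants): the ping is a sleep so
# the parent has exited before its own image is deleted.
SELF_DELETE = re.compile(
    r"\b(?:ping|timeout)\b[^&]*&+\s*(?:del|erase)\b(?:\s+/\S+)*\s+(.+?)\s*$",
    re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Locations a non-admin user can write to; a Run value pointing here is a classic
# user-land persistence pattern (Sakula uses %Temp%\MicroMedia above).
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\(?:Local\\Temp|Roaming)|Users\\Public|ProgramData)\\", re.IGNORECASE)


def _processes(events):
    return {e["pid"]: e for e in events if e["type"] == "process"}


def find_self_delete(events):
    """(shell_pid, parent_pid, path) for every shell whose delayed delete
    target is the image of the process that spawned it."""
    procs = _processes(events)
    hits = []
    for e in procs.values():
        m = SELF_DELETE.search(e["cmdline"])
        if not m:
            continue
        target = m.group(1).strip('"')
        parent = procs.get(e["ppid"])
        if parent and parent["image"].lower() == target.lower():
            hits.append((e["pid"], parent["pid"], target))
    return hits


def find_suspicious_run_keys(events):
    """Run/RunOnce values pointing into user-writable locations, with a flag
    telling whether the persisted image was also executed during the run."""
    images = {e["image"].lower() for e in _processes(events).values()}
    hits = []
    for e in events:
        if e["type"] != "registry" or not RUN_KEY.search(e["key"]):
            continue
        # Undo the report's display escaping: strip quotes, collapse "\\" to "\"
        target = e["data"].strip('"').replace("\\\\", "\\")
        if not USER_WRITABLE.search(target):
            continue
        hits.append({"writer_pid": e["pid"], "key": e["key"], "target": target,
                     "target_executed": target.lower() in images})
    return hits


def triage(events):
    """Summarise both behaviours the way the report's signatures do."""
    return {"self_delete": find_self_delete(events),
            "run_keys": find_suspicious_run_keys(events)}


if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(name)
        for h in hits:
            print("  ", h)
```

The self-delete check only fires when the deleted path is the parent's own image, which separates this pattern from ordinary cleanup scripts; the Run-key check ties the persisted path back to a process that actually ran, so a defender can go straight from the registry write to PID 628 and its memory dump.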
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 34144ee44207cabfc154e264128e9866
SHA1: 4ffb6addf0cbcc5b063e515302c823561fe05e8e
SHA256: 80ff48497c2da5ef609e31661f1447c3997cc37e65cb88869f9f657bee8fe1ed
SHA512: 1818dc03f62e4b16c7a1413a4151633a7c8d628dd52afa45dc8730a8dac840597990a084615f453f7ce8ea2c83d7af05ce2fc72b790fde23b53d674d2dc7c77c