Analysis

max time kernel: 138s
max time network: 145s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 03:57
Static task: static1

Behavioral task: behavioral1
  Sample: 1660bea2de1af110a1ba6f6395898ebe064f4b60ec29e3e270a4e3b670030488.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 1660bea2de1af110a1ba6f6395898ebe064f4b60ec29e3e270a4e3b670030488.exe
  Resource: win10v2004-en-20220113
General

Target: 1660bea2de1af110a1ba6f6395898ebe064f4b60ec29e3e270a4e3b670030488.exe
Size: 150KB
MD5: f1f2a6978d92f487b1874510809a611a
SHA1: 2101e377ae08855f2916e1d873b87563c96908e8
SHA256: 1660bea2de1af110a1ba6f6395898ebe064f4b60ec29e3e270a4e3b670030488
SHA512: b1f01b9e9485478c7441bb0838aa9e61c25db29c9c2c0247009a48dc99588728d9cd23d1d7969ac9454fc0fdf694617b919d4041d7d0eea1d658c1115e06235b
Malware Config
Signatures
Sakula Payload 2 IoCs
Processes:
  resource                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  1888  MediaCenter.exe
Deletes itself 1 IoCs
Processes:
  pid   process
  1544  cmd.exe
Loads dropped DLL 1 IoCs
Processes:
  pid   process
  1416  1660bea2de1af110a1ba6f6395898ebe064f4b60ec29e3e270a4e3b670030488.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 1660bea2de1af110a1ba6f6395898ebe064f4b60ec29e3e270a4e3b670030488.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description: Token: SeIncBasePriorityPrivilege
  pid: 1416
  process: 1660bea2de1af110a1ba6f6395898ebe064f4b60ec29e3e270a4e3b670030488.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                       pid   process                                                                 target process
  PID 1416 wrote to memory of 1888  1416  1660bea2de1af110a1ba6f6395898ebe064f4b60ec29e3e270a4e3b670030488.exe  MediaCenter.exe  (4 identical events)
  PID 1416 wrote to memory of 1544  1416  1660bea2de1af110a1ba6f6395898ebe064f4b60ec29e3e270a4e3b670030488.exe  cmd.exe          (4 identical events)
  PID 1544 wrote to memory of 1104  1544  cmd.exe                                                                 PING.EXE         (4 identical events)
Processes

C:\Users\Admin\AppData\Local\Temp\1660bea2de1af110a1ba6f6395898ebe064f4b60ec29e3e270a4e3b670030488.exe  (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\1660bea2de1af110a1ba6f6395898ebe064f4b60ec29e3e270a4e3b670030488.exe"
  PID: 1416
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (level 2)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1888
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe  (level 2)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1660bea2de1af110a1ba6f6395898ebe064f4b60ec29e3e270a4e3b670030488.exe"
    PID: 1544
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE  (level 3)
      command line: ping 127.0.0.1
      PID: 1104
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: d517937c442c79459398e6af668ae9e1
SHA1: 8ceafacdf38e114e2433f4a152bb7044600f438d
SHA256: fb7416076cccdcbc1270f343c008f79d21ff52a0d98da08a119211f99eac171f
SHA512: 2efffaeba751b516045ec936db46923db59bac105540c40556bd7288c07c593690bae739513d866b7d8bc9814de3dd384e4f0f47c68effaa6ea7a2c172d980b7