Analysis
- max time kernel: 138s
- max time network: 153s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:03
Static task: static1
Behavioral task: behavioral1
- Sample: 161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe
- Resource: win10v2004-en-20220113
General
- Target: 161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe
- Size: 152KB
- MD5: 37fa5714549c20bb6a15d8b8f18da221
- SHA1: ae2ec4f4cfde57ed26a01e3eefe695922e22f922
- SHA256: 161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244
- SHA512: b7dd52707994500a8d978627f8d06551b3c944e3d20770ea9ea46957ec805bed64e7fe4a3f57ca26bdfc053dd2062f39ed93ad66a5f6af3388b4e39d5498ab89
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  pid 672: MediaCenter.exe
- Deletes itself (1 IoC)
  pid 1864: cmd.exe
- Loads dropped DLL (1 IoC)
  pid 560: 161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  written by pid 560 (161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe)
  Note: the Wow6432Node path is the 32-bit view of HKLM\SOFTWARE on a 64-bit host, i.e. a 32-bit process writing the machine-wide Run key (which needs write access to HKLM; the sample had it under the sandbox's Admin account). A persistence check that only reads the native 64-bit view of HKLM\...\Run will miss this value unless it also queries the Wow6432Node view.
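The Run-key write above is exactly what a registry-event triage check should catch: an autorun value, in either the native or the Wow6432Node view, whose target lives under a user-writable directory. The following Python is an added example and is not part of the sandbox report or of the Sakula sample. It parses lines in the report's own `Set value (<type>) <key>\<value> = <data>` shape, maps the `\REGISTRY\MACHINE` and `\REGISTRY\USER\<SID>` prefixes to HKLM/HKCU, drops the Wow6432Node component, and flags autorun targets under AppData, Temp, ProgramData or Users\Public. The event lines are constructed: the first reproduces this report's IoC, the other two (a benign OneDrive autorun and a non-autorun write) are made up here for contrast.

```python
import re

# Constructed sample events in the shape of the report's "Set value" registry IoCs.
# Line 1 reproduces the Sakula dropper's write from this report; lines 2 and 3 are
# made up here as a benign autorun and a non-autorun write for contrast.
REGISTRY_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = 1',
]

# Autorun key suffixes after hive and Wow6432Node normalization (uppercased).
AUTORUN_KEYS = (
    r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE",
)
# Path fragments a normal user can write to; an autorun pointing here is suspect.
USER_WRITABLE = ("\\APPDATA\\", "\\TEMP\\", "\\PROGRAMDATA\\", "\\USERS\\PUBLIC\\")

SET_VALUE_RE = re.compile(r"^Set value \((\w+)\) (.+?) = (.*)$")


def parse_set_value(line):
    """Split one 'Set value' line into type, key path, value name and data."""
    m = SET_VALUE_RE.match(line)
    if not m:
        return None
    vtype, full_path, data = m.groups()
    key_path, _, value_name = full_path.rpartition("\\")
    return {"type": vtype, "key": key_path, "value": value_name, "data": data}


def normalize_key(key_path):
    r"""Map \REGISTRY\MACHINE and \REGISTRY\USER\<SID> to HKLM / HKCU, uppercase the
    path and drop the Wow6432Node component so the 32-bit view compares equal to
    the native one. Returns (hive, normalized_subkey, was_wow64_view)."""
    k = key_path.upper()
    wow64 = "\\WOW6432NODE\\" in k
    k = k.replace("\\WOW6432NODE\\", "\\")
    if k.startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM", k[len("\\REGISTRY\\MACHINE"):], wow64
    if k.startswith("\\REGISTRY\\USER\\"):
        rest = k[len("\\REGISTRY\\USER\\"):]
        # The first component is the SID; everything after it is the HKCU subkey.
        subkey = rest.split("\\", 1)[1] if "\\" in rest else ""
        return "HKCU", "\\" + subkey, wow64
    return "?", k, wow64


def target_executable(data):
    """Extract the program path from a Run value's data: optional quotes, optional
    trailing arguments, and the report's doubled backslashes."""
    s = data.strip().replace("\\\\", "\\")
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def autorun_writes(lines):
    """All writes to Run/RunOnce keys, with the target path and a suspicion flag."""
    hits = []
    for line in lines:
        ev = parse_set_value(line)
        if ev is None:
            continue
        hive, subkey, wow64 = normalize_key(ev["key"])
        if not subkey.endswith(AUTORUN_KEYS):
            continue
        target = target_executable(ev["data"])
        hits.append({
            "hive": hive,
            "wow64": wow64,
            "value": ev["value"],
            "target": target,
            "suspicious": any(frag in target.upper() for frag in USER_WRITABLE),
        })
    return hits


def suspicious_autoruns(lines):
    """Only the autorun writes whose target lives in a user-writable location."""
    return [h for h in autorun_writes(lines) if h["suspicious"]]


if __name__ == "__main__":
    for hit in autorun_writes(REGISTRY_EVENTS):
        flag = "SUSPICIOUS" if hit["suspicious"] else "ok"
        view = " (Wow6432Node)" if hit["wow64"] else ""
        print(f'{flag:10} {hit["hive"]}{view} Run\\{hit["value"]} -> {hit["target"]}')
```

The normalization step is the part that matters on 64-bit hosts: without it, a rule written for `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` never sees the `Wow6432Node` write that this sample actually makes.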
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches "likely ransomware behaviour" to this signature generically; nothing else in this report (a Sakula RAT dropper with Run-key persistence, a C2 beacon and self-deletion) supports that reading, so treat this signature as low-confidence context rather than as evidence of encryption activity.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, pid 560 (161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 560 (161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe) wrote to memory of 672 (MediaCenter.exe), 4 calls
  PID 560 (161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe) wrote to memory of 1864 (cmd.exe), 4 calls
  PID 1864 (cmd.exe) wrote to memory of 968 (PING.EXE), 4 calls
Processes (the leading number is the depth in the tree; 1 is the submitted sample)
1. C:\Users\Admin\AppData\Local\Temp\161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe (PID 560)
   command line: "C:\Users\Admin\AppData\Local\Temp\161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 672), child of 560
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID 1864), child of 560
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 968), child of 1864
         command line: ping 127.0.0.1
         - Runs ping.exe
Note: cmd.exe and PING.EXE resolve to SysWOW64 although the command line names System32, because the 32-bit sample's CreateProcess call goes through WOW64 file system redirection. The `ping 127.0.0.1 & del /q "<own path>"` chain is the common one-line delay-then-delete: the ping gives the dropper time to exit so its file is no longer in use, after which the submitted binary is removed from disk while the dropped MediaCenter.exe and the Run key pointing at it remain.
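The self-deletion chain in the tree is worth a dedicated detection, since matching on "cmd.exe runs ping" alone is noisy. The Python below is an added example and is not part of the report or of the sample: it rebuilds the process tree from constructed process-creation events (pid, ppid, image, command line) copied from the report, and flags a cmd.exe child whose command line first delays (a loopback ping or timeout) and then deletes exactly its parent's image path. Comparing against the parent's image rather than its command line also sidesteps the System32/SysWOW64 mismatch visible above. The parent pid of the submitted sample is not shown on the page and is set to None here.

```python
import re

SAMPLE = "161db2cade91d70701d145cb855cb652725ca2790d88aedaf892d77e1db7b244.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
DROPPED_PATH = TEMP + r"\MicroMedia\MediaCenter.exe"

# Constructed process-creation events rebuilt from the report's process tree.
# The parent of the sample itself is not on the page, so its ppid is None here.
EVENTS = [
    {"pid": 560, "ppid": None, "image": SAMPLE_PATH,
     "cmdline": '"' + SAMPLE_PATH + '"'},
    {"pid": 672, "ppid": 560, "image": DROPPED_PATH, "cmdline": DROPPED_PATH},
    {"pid": 1864, "ppid": 560, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "'
                + SAMPLE_PATH + '"'},
    {"pid": 968, "ppid": 1864, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]

# A delay step: a ping to loopback (any -n count) or a timeout, up to the next '&'.
DELAY_RE = re.compile(
    r"\b(?:ping\b[^&]*?\b(?:127\.0\.0\.1|localhost)\b|timeout\b[^&]*)", re.I)
# The del/erase target: optional switches, then an optionally quoted path at the end.
DEL_RE = re.compile(r'\b(?:del|erase)\b(?:\s+/\w+)*\s+"?([^"&]+?)"?\s*$', re.I)


def detect_self_delete(events):
    """Flag cmd.exe children that delay, then delete their own parent's image."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith(r"\cmd.exe"):
            continue
        delay = DELAY_RE.search(e["cmdline"])
        target = DEL_RE.search(e["cmdline"])
        if not (delay and target):
            continue
        parent = by_pid.get(e["ppid"])
        deleted = target.group(1).strip()
        # Only a match against the parent's on-disk image counts as self-deletion;
        # a cmd.exe deleting some other file is a different (weaker) signal.
        if parent and parent["image"].lower() == deleted.lower():
            findings.append({"cmd_pid": e["pid"], "parent_pid": parent["pid"],
                             "deleted": deleted, "delay": delay.group(0).strip()})
    return findings


def process_tree(events):
    """Rows of (depth, pid, image) in the order the report prints them."""
    pids = {e["pid"] for e in events}
    children = {}
    for e in events:
        parent = e["ppid"] if e["ppid"] in pids else None
        children.setdefault(parent, []).append(e)
    rows = []

    def walk(ppid, depth):
        for child in children.get(ppid, []):
            rows.append((depth, child["pid"], child["image"]))
            walk(child["pid"], depth + 1)

    walk(None, 0)
    return rows


if __name__ == "__main__":
    for depth, pid, image in process_tree(EVENTS):
        print("  " * depth + f"{pid} {image}")
    for f in detect_self_delete(EVENTS):
        print(f"self-delete: pid {f['cmd_pid']} ('{f['delay']}') removes parent "
              f"{f['parent_pid']} image {f['deleted']}")
```

Run against Sysmon event ID 1 or EDR process-creation telemetry, the same logic works unchanged as long as the events carry the parent's image path; the parent pid alone is not enough when the parent has already exited and its pid has been reused.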
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: a5516df158d92aa954f9ca25d02bde4c
  SHA1: 028055e0f52b2a726691368e500fb0a582ae962a
  SHA256: 2d3a2c23a52181dadcb677fe065cd3ae3fe5a4225f1d573b7cbdc2c2ad9cb2ee
  SHA512: af6d9d396b14c0901224abf4d008b5cafedb7c6365503f321ce04993986666a870910bbf8e8150eaa3a78650d75618e947b5fec584a9d20c30ce0f4145ef96b3
  These hashes differ from those under General, so this entry is a file produced during the run rather than the submitted binary.