Analysis
- max time kernel: 141s
- max time network: 153s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:07
Static task: static1
Behavioral task: behavioral1
- Sample: 15fb09a9cadddfc028c70839debb471da479a5447a3a4d6cbc666409af4cb231.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 15fb09a9cadddfc028c70839debb471da479a5447a3a4d6cbc666409af4cb231.exe
- Resource: win10v2004-en-20220112
General
- Target: 15fb09a9cadddfc028c70839debb471da479a5447a3a4d6cbc666409af4cb231.exe
- Size: 216KB
- MD5: c6b11e0d645368c929e3bc529eef83bd
- SHA1: f1b90a33b89dc1721a7fc1ed635f7d71927729ea
- SHA256: 15fb09a9cadddfc028c70839debb471da479a5447a3a4d6cbc666409af4cb231
- SHA512: 0d5e532139946b5c94737164d1a2075ccf44d896e00ae3d4d42260f54ac14902cf68b1d3ec6c5a1fadc3147472a4a51d4d497ff2a6adfca72fb84beb9ad84e6a
Malware Config
Signatures
-
Sakula Payload 4 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral1/memory/288-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral1/memory/1664-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1664 | MediaCenter.exe
-
Deletes itself 1 IoCs
Processes:
pid | process
432 | cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
288 | 15fb09a9cadddfc028c70839debb471da479a5447a3a4d6cbc666409af4cb231.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 15fb09a9cadddfc028c70839debb471da479a5447a3a4d6cbc666409af4cb231.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 288 | 15fb09a9cadddfc028c70839debb471da479a5447a3a4d6cbc666409af4cb231.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 288 wrote to memory of 1664 | 288 | 15fb09a9cadddfc028c70839debb471da479a5447a3a4d6cbc666409af4cb231.exe | MediaCenter.exe
PID 288 wrote to memory of 1664 | 288 | 15fb09a9cadddfc028c70839debb471da479a5447a3a4d6cbc666409af4cb231.exe | MediaCenter.exe
PID 288 wrote to memory of 1664 | 288 | 15fb09a9cadddfc028c70839debb471da479a5447a3a4d6cbc666409af4cb231.exe | MediaCenter.exe
PID 288 wrote to memory of 1664 | 288 | 15fb09a9cadddfc028c70839debb471da479a5447a3a4d6cbc666409af4cb231.exe | MediaCenter.exe
PID 288 wrote to memory of 432 | 288 | 15fb09a9cadddfc028c70839debb471da479a5447a3a4d6cbc666409af4cb231.exe | cmd.exe
PID 288 wrote to memory of 432 | 288 | 15fb09a9cadddfc028c70839debb471da479a5447a3a4d6cbc666409af4cb231.exe | cmd.exe
PID 288 wrote to memory of 432 | 288 | 15fb09a9cadddfc028c70839debb471da479a5447a3a4d6cbc666409af4cb231.exe | cmd.exe
PID 288 wrote to memory of 432 | 288 | 15fb09a9cadddfc028c70839debb471da479a5447a3a4d6cbc666409af4cb231.exe | cmd.exe
PID 432 wrote to memory of 1996 | 432 | cmd.exe | PING.EXE
PID 432 wrote to memory of 1996 | 432 | cmd.exe | PING.EXE
PID 432 wrote to memory of 1996 | 432 | cmd.exe | PING.EXE
PID 432 wrote to memory of 1996 | 432 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\15fb09a9cadddfc028c70839debb471da479a5447a3a4d6cbc666409af4cb231.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\15fb09a9cadddfc028c70839debb471da479a5447a3a4d6cbc666409af4cb231.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 288
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1664
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15fb09a9cadddfc028c70839debb471da479a5447a3a4d6cbc666409af4cb231.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 432
    - C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1996
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: bf89b989fdd4a0fd7d8d4f8a536cdc5c
SHA1: 14de79d11245f02a02deb5ae2e3a8fc9d6a0c1c2
SHA256: d38cbb51295f9e7d1a5183fc7ce3717b63d580bcf054113fd803583886272307
SHA512: e8820c697aa1584392b66844acb628a4b86ae359b288662ac75c37ff0f86338d7d02681be14ede111555bd537e20b64028cc9ff37e7ba915e05f0a4d67c4b943