Analysis

max time kernel: 147s
max time network: 157s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:07

Static task: static1

Behavioral task: behavioral1
  Sample: 1605017c4931cabc4054ea7aae9f40f3ee0f2b6b152eb10ce6a71ebdc19ed52b.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 1605017c4931cabc4054ea7aae9f40f3ee0f2b6b152eb10ce6a71ebdc19ed52b.exe
  Resource: win10v2004-en-20220113
General

Target: 1605017c4931cabc4054ea7aae9f40f3ee0f2b6b152eb10ce6a71ebdc19ed52b.exe
Size: 150KB
MD5: bb6b456b245b3667f2bae856f2041e57
SHA1: 90d6377e0ab1ab05c163794e110efb889bf2f56a
SHA256: 1605017c4931cabc4054ea7aae9f40f3ee0f2b6b152eb10ce6a71ebdc19ed52b
SHA512: a3a0e207e5ca7753bf70e4749c134b7a0b1a73f881c99aaabf27aece6babb42066cdf3af97ef0b7279acef9871ec4cfc5db27f8d1eaf5fad2620c34fb8b0d5e0
Malware Config
Signatures

Sakula Payload (2 IoCs)
  resource                                                        yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe      family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

Executes dropped EXE (1 IoC)
  pid    process
  288    MediaCenter.exe

Deletes itself (1 IoC)
  pid    process
  1988   cmd.exe

Loads dropped DLL (1 IoC)
  pid    process
  744    1605017c4931cabc4054ea7aae9f40f3ee0f2b6b152eb10ce6a71ebdc19ed52b.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description       ioc                                                                                                                                                                      process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   1605017c4931cabc4054ea7aae9f40f3ee0f2b6b152eb10ce6a71ebdc19ed52b.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: that sentence is the sandbox's generic description for this signature, not a finding about this sample. Drive enumeration on its own is not evidence of ransomware; the YARA hits (family_sakula) and the Suricata "Sakula/Mivast RAT CnC Beacon" alert above classify this sample as the Sakula RAT.
Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                          pid    process
  Token: SeIncBasePriorityPrivilege    744    1605017c4931cabc4054ea7aae9f40f3ee0f2b6b152eb10ce6a71ebdc19ed52b.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                                  pid    process                                                                   target process
  PID 744 wrote to memory of 288 (4 events)    744    1605017c4931cabc4054ea7aae9f40f3ee0f2b6b152eb10ce6a71ebdc19ed52b.exe    MediaCenter.exe
  PID 744 wrote to memory of 1988 (4 events)   744    1605017c4931cabc4054ea7aae9f40f3ee0f2b6b152eb10ce6a71ebdc19ed52b.exe    cmd.exe
  PID 1988 wrote to memory of 1980 (4 events)  1988   cmd.exe                                                                   PING.EXE
  Each write goes from a parent into a process it has just created; such writes also occur during ordinary process start-up, so this signature on its own does not establish code injection.
Processes

C:\Users\Admin\AppData\Local\Temp\1605017c4931cabc4054ea7aae9f40f3ee0f2b6b152eb10ce6a71ebdc19ed52b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1605017c4931cabc4054ea7aae9f40f3ee0f2b6b152eb10ce6a71ebdc19ed52b.exe"
  PID: 744
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 288
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1605017c4931cabc4054ea7aae9f40f3ee0f2b6b152eb10ce6a71ebdc19ed52b.exe"
    PID: 1988
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      PID: 1980
      - Runs ping.exe
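The process tree and the Run-key write above give three behaviours that are cheap to alert on in endpoint telemetry: a cmd.exe chain of the form "ping 127.0.0.1 & del /q <own image>" where the deleted file is the parent's executable (the loopback ping is only a delay so the parent has exited before del runs), a Run-key value pointing into a user's Temp directory, and an executable in Temp launching another executable in Temp. The following detection logic is an added example, not the sandbox's own rules or anything from the sample; the event records are constructed to mirror the tree above, the parent of PID 744 is assumed (the report does not show it), and the field names (image, command_line, parent_image, target_object, details) are assumptions modelled loosely on Sysmon Event ID 1 and 13.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union


# Hypothetical field names, loosely modelled on Sysmon Event ID 1 (process create).
@dataclass
class ProcessEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


# Hypothetical field names, loosely modelled on Sysmon Event ID 13 (registry value set).
@dataclass
class RegistryEvent:
    pid: int
    image: str
    target_object: str
    details: str


Event = Union[ProcessEvent, RegistryEvent]

# Per-user Temp directory, where both the dropper and its payload live in the report.
TEMP_DIR_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# ...\CurrentVersion\Run, including the WOW6432Node view that 32-bit code writes on x64.
RUN_KEY_RE = re.compile(
    r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run\\", re.I)
# "ping 127.0.0.1 ... & del [/switches] <file.exe>"; group 1 is the file being deleted.
SELF_DELETE_RE = re.compile(
    r"ping\s+127\.0\.0\.1[^&]*&\s*del\b(?:\s+/\S+)*\s+\"?([^\"&]+?\.exe)\"?", re.I)


def _norm(path: str) -> str:
    """Case-insensitive, quote-stripped path comparison key."""
    return path.strip().strip('"').lower()


def detect_self_delete(ev: ProcessEvent) -> Optional[str]:
    """cmd.exe deleting its own parent's image after a loopback-ping delay."""
    if not _norm(ev.image).endswith("\\cmd.exe"):
        return None
    m = SELF_DELETE_RE.search(ev.command_line)
    if m and _norm(m.group(1)) == _norm(ev.parent_image):
        return (f"self-delete: pid {ev.parent_pid} ({ev.parent_image}) "
                f"removed via cmd.exe pid {ev.pid}")
    return None


def detect_temp_child(ev: ProcessEvent) -> Optional[str]:
    """An executable in Temp launching another executable in Temp (dropper -> payload)."""
    if TEMP_DIR_RE.search(ev.image) and TEMP_DIR_RE.search(ev.parent_image):
        return f"dropped-exe: pid {ev.parent_pid} launched {ev.image} (pid {ev.pid}) from Temp"
    return None


def detect_temp_run_key(ev: RegistryEvent) -> Optional[str]:
    """Run-key persistence whose target lives in a Temp directory."""
    if RUN_KEY_RE.search(ev.target_object) and TEMP_DIR_RE.search(ev.details):
        return f"run-key persistence: pid {ev.pid} set {ev.target_object} -> {ev.details}"
    return None


def run_detections(events: List[Event]) -> List[str]:
    """Apply every check to every event and return the alert strings."""
    alerts: List[str] = []
    for ev in events:
        if isinstance(ev, ProcessEvent):
            for check in (detect_self_delete, detect_temp_child):
                hit = check(ev)
                if hit:
                    alerts.append(hit)
        else:
            hit = detect_temp_run_key(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed events mirroring the reported process tree and Run-key write.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\1605017c4931cabc4054ea7aae9f40f3ee0f2b6b152eb10ce6a71ebdc19ed52b.exe")
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
SAMPLE_EVENTS: List[Event] = [
    # Parent PID/image of the dropper are assumed; the report does not show them.
    ProcessEvent(744, DROPPER, f'"{DROPPER}"', 1234, r"C:\Windows\explorer.exe"),
    ProcessEvent(288, PAYLOAD, PAYLOAD, 744, DROPPER),
    ProcessEvent(1988, r"C:\Windows\SysWOW64\cmd.exe",
                 f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER}"',
                 744, DROPPER),
    ProcessEvent(1980, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1",
                 1988, r"C:\Windows\SysWOW64\cmd.exe"),
    RegistryEvent(744, DROPPER,
                  r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
                  PAYLOAD),
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events this yields three alerts: the Temp-to-Temp launch of MediaCenter.exe (PID 288), the self-delete of the dropper by cmd.exe (PID 1988), and the WOW6432Node Run key pointing at the payload. Note that the command line names C:\Windows\System32\cmd.exe while the recorded image is C:\Windows\SysWOW64\cmd.exe: the 32-bit dropper's file-system access is redirected by WOW64 on the x64 host, so the self-delete check matches on the image path rather than on the path inside the command line.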
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 3fe56d764ba7ae5cb3a8281a85ac469c
SHA1: 0a24e2b49b56ecb1c98127a0310269ce4f00bf3f
SHA256: 25fae506460efa8c2c1dcbd1a6207e1a12ac101123326cf4f695bc7a894c7bc2
SHA512: 792275bf92ec5e5a9607c328017be88cdaae6ba21d0b36ff2ce7492c56a343e1bfa35f6a72fd4b75c99d7d3942f548e219710a932c96fa77691aeaa8bb7060a3