Analysis
- max time kernel: 136s
- max time network: 152s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:09
Static task: static1
Behavioral task: behavioral1
  Sample: 15e8ddf53c9f5a9372ce59117b0f8d4190b1690cffb6b1c749bc2b218d6b3aa5.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 15e8ddf53c9f5a9372ce59117b0f8d4190b1690cffb6b1c749bc2b218d6b3aa5.exe
  Resource: win10v2004-en-20220113
General
- Target: 15e8ddf53c9f5a9372ce59117b0f8d4190b1690cffb6b1c749bc2b218d6b3aa5.exe
- Size: 216KB
- MD5: 3e1c6a43877a9546e7d99f29049d5661
- SHA1: 72bd6ab6071f6e85386c28f1a488de144131d2b6
- SHA256: 15e8ddf53c9f5a9372ce59117b0f8d4190b1690cffb6b1c749bc2b218d6b3aa5
- SHA512: 511df732bfcb6806b257647b0ed255b400707f38f4ce77af268e9a1c8e348d3742f9836796c1636f0d0e46d124b363345edbf5f09390cd53ccff999fb1f91d3e
Malware Config
Signatures
- Sakula Payload 4 IoCs
  Processes:
  resource                                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
  behavioral1/memory/1616-59-0x0000000000400000-0x0000000000420000-memory.dmp   family_sakula
  behavioral1/memory/288-60-0x0000000000400000-0x0000000000420000-memory.dmp    family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE 1 IoCs
  Processes:
  pid   process
  288   MediaCenter.exe
- Deletes itself 1 IoCs
  Processes:
  pid    process
  1604   cmd.exe
- Loads dropped DLL 1 IoCs
  Processes:
  pid    process
  1616   15e8ddf53c9f5a9372ce59117b0f8d4190b1690cffb6b1c749bc2b218d6b3aa5.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
  description:  Set value (str)
  ioc:          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process:      15e8ddf53c9f5a9372ce59117b0f8d4190b1690cffb6b1c749bc2b218d6b3aa5.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
  description                           pid    process
  Token: SeIncBasePriorityPrivilege     1616   15e8ddf53c9f5a9372ce59117b0f8d4190b1690cffb6b1c749bc2b218d6b3aa5.exe
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes:
  description                      pid    process                                                                   target process
  PID 1616 wrote to memory of 288  1616   15e8ddf53c9f5a9372ce59117b0f8d4190b1690cffb6b1c749bc2b218d6b3aa5.exe     MediaCenter.exe
  PID 1616 wrote to memory of 288  1616   15e8ddf53c9f5a9372ce59117b0f8d4190b1690cffb6b1c749bc2b218d6b3aa5.exe     MediaCenter.exe
  PID 1616 wrote to memory of 288  1616   15e8ddf53c9f5a9372ce59117b0f8d4190b1690cffb6b1c749bc2b218d6b3aa5.exe     MediaCenter.exe
  PID 1616 wrote to memory of 288  1616   15e8ddf53c9f5a9372ce59117b0f8d4190b1690cffb6b1c749bc2b218d6b3aa5.exe     MediaCenter.exe
  PID 1616 wrote to memory of 1604 1616   15e8ddf53c9f5a9372ce59117b0f8d4190b1690cffb6b1c749bc2b218d6b3aa5.exe     cmd.exe
  PID 1616 wrote to memory of 1604 1616   15e8ddf53c9f5a9372ce59117b0f8d4190b1690cffb6b1c749bc2b218d6b3aa5.exe     cmd.exe
  PID 1616 wrote to memory of 1604 1616   15e8ddf53c9f5a9372ce59117b0f8d4190b1690cffb6b1c749bc2b218d6b3aa5.exe     cmd.exe
  PID 1616 wrote to memory of 1604 1616   15e8ddf53c9f5a9372ce59117b0f8d4190b1690cffb6b1c749bc2b218d6b3aa5.exe     cmd.exe
  PID 1604 wrote to memory of 1140 1604   cmd.exe                                                                   PING.EXE
  PID 1604 wrote to memory of 1140 1604   cmd.exe                                                                   PING.EXE
  PID 1604 wrote to memory of 1140 1604   cmd.exe                                                                   PING.EXE
  PID 1604 wrote to memory of 1140 1604   cmd.exe                                                                   PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\15e8ddf53c9f5a9372ce59117b0f8d4190b1690cffb6b1c749bc2b218d6b3aa5.exe
   "C:\Users\Admin\AppData\Local\Temp\15e8ddf53c9f5a9372ce59117b0f8d4190b1690cffb6b1c749bc2b218d6b3aa5.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1616
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 288
   2. C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15e8ddf53c9f5a9372ce59117b0f8d4190b1690cffb6b1c749bc2b218d6b3aa5.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1604
      3. C:\Windows\SysWOW64\PING.EXE
         ping 127.0.0.1
         - Runs ping.exe
         PID: 1140
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 6feb5a9a84d18a2d842a73bb0b9aa932
  SHA1: 0137d4bf8018c5c94d4b31f131b8f672ce686820
  SHA256: 61264b58f5aa1d31284b170aac52eec156679b341b45b8256e653a60ca030c10
  SHA512: 7a25dd91c20041d47fee4301ccab9c8e84f330f41cbdf2f1b5a74d7f37f614802c2479b393a413b612cb1b858d031adcfb5a1aaf60502ea02d16b7838c8d3490