Analysis
- max time kernel: 144s
- max time network: 164s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:13
Static task: static1
Behavioral task: behavioral1
  Sample: 15c86572a632f85dc3f3ffac959a06437d083e8370d473111741ebea6cffe429.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 15c86572a632f85dc3f3ffac959a06437d083e8370d473111741ebea6cffe429.exe
  Resource: win10v2004-en-20220113
General
- Target: 15c86572a632f85dc3f3ffac959a06437d083e8370d473111741ebea6cffe429.exe
- Size: 176KB
- MD5: 78e0d62e1c30a3735dc646a462494cc6
- SHA1: f7051f36540169f9b2fae2a117816f9d748eff22
- SHA256: 15c86572a632f85dc3f3ffac959a06437d083e8370d473111741ebea6cffe429
- SHA512: 624030db838742b66c01bafca65c09ea7e344ef023e14531f7cb57332dd21506d8e85b7bc65cdda834596ade11c7399700034afb28803a706041543ffdf9c655
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/808-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/520-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  520 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  1088 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  808 | 15c86572a632f85dc3f3ffac959a06437d083e8370d473111741ebea6cffe429.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 15c86572a632f85dc3f3ffac959a06437d083e8370d473111741ebea6cffe429.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 808 | 15c86572a632f85dc3f3ffac959a06437d083e8370d473111741ebea6cffe429.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 808 wrote to memory of 520 | 808 | 15c86572a632f85dc3f3ffac959a06437d083e8370d473111741ebea6cffe429.exe | MediaCenter.exe
  PID 808 wrote to memory of 520 | 808 | 15c86572a632f85dc3f3ffac959a06437d083e8370d473111741ebea6cffe429.exe | MediaCenter.exe
  PID 808 wrote to memory of 520 | 808 | 15c86572a632f85dc3f3ffac959a06437d083e8370d473111741ebea6cffe429.exe | MediaCenter.exe
  PID 808 wrote to memory of 520 | 808 | 15c86572a632f85dc3f3ffac959a06437d083e8370d473111741ebea6cffe429.exe | MediaCenter.exe
  PID 808 wrote to memory of 1088 | 808 | 15c86572a632f85dc3f3ffac959a06437d083e8370d473111741ebea6cffe429.exe | cmd.exe
  PID 808 wrote to memory of 1088 | 808 | 15c86572a632f85dc3f3ffac959a06437d083e8370d473111741ebea6cffe429.exe | cmd.exe
  PID 808 wrote to memory of 1088 | 808 | 15c86572a632f85dc3f3ffac959a06437d083e8370d473111741ebea6cffe429.exe | cmd.exe
  PID 808 wrote to memory of 1088 | 808 | 15c86572a632f85dc3f3ffac959a06437d083e8370d473111741ebea6cffe429.exe | cmd.exe
  PID 1088 wrote to memory of 2020 | 1088 | cmd.exe | PING.EXE
  PID 1088 wrote to memory of 2020 | 1088 | cmd.exe | PING.EXE
  PID 1088 wrote to memory of 2020 | 1088 | cmd.exe | PING.EXE
  PID 1088 wrote to memory of 2020 | 1088 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\15c86572a632f85dc3f3ffac959a06437d083e8370d473111741ebea6cffe429.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\15c86572a632f85dc3f3ffac959a06437d083e8370d473111741ebea6cffe429.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 808
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 520
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15c86572a632f85dc3f3ffac959a06437d083e8370d473111741ebea6cffe429.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1088
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2020
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 53338305108d2ac7c16758c872aa032a
  SHA1: 52143f0d1326f326189758a89699073b94da3688
  SHA256: d9d58e0c9980bb78b0c826d2dc5006840ddde03c2a3257d537c40f44deb4ffb3
  SHA512: 1586365c016fedfce88fe2a76fcd1df7836994f32e7eae111f89d0c191de72146ecaf310df82f0f20e82375d6c10b63401cbaf4a3daf502dfbba07b58e01dd30