Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:12
Static task: static1
Behavioral task: behavioral1
  Sample: 15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec.exe
  Resource: win10v2004-en-20220113
General
- Target: 15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec.exe
- Size: 220KB
- MD5: 6cadba42b1ecb0a5828fe838a6fd376a
- SHA1: b763849ab884231e1062f5e9f9cf50b61e7cd957
- SHA256: 15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec
- SHA512: 9ef350c1e29e18f4fb7ff9a0cdb785f102d12529741dc4fbd2d84d349f68d23b8bf6a71418c93170051a43808283ebed41cce1ec50d81d46af5311c42e8c259d
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    behavioral1/memory/964-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
    behavioral1/memory/1712-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    1712 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
    pid | process
    440 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    pid | process
    964 | 15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 964 | 15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 964 wrote to memory of 1712 | 964 | 15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec.exe | MediaCenter.exe (4 events)
    PID 964 wrote to memory of 440 | 964 | 15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec.exe | cmd.exe (4 events)
    PID 440 wrote to memory of 1608 | 440 | cmd.exe | PING.EXE (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 964
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1712
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15cd6653f3eb10e648496b73c7a147dbc8d340fd6b1ea574cb1e63e75d70c8ec.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 440
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1608
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 2264ac3cb26eef0cd3186e4d21d4b527
  SHA1: fab4e0db786aac030f6c4d719fd05a9f3ad81f3d
  SHA256: 9f1570756ce52722bc9184edb5cb2492462b15a5cc18c3b2196100154498d642
  SHA512: 81af4e900672c99ac394aaf99b504a4343d8aa2cced704721e1f9bbf58874271450e2d9e3a26da4c44d5a6a688633968ef794a8cba176a33855a056a85d46b7f