Analysis
- max time kernel: 156s
- max time network: 174s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:14
Static task: static1
Behavioral task: behavioral1
  Sample: 15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe
  Resource: win10v2004-en-20220112
General
- Target: 15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe
- Size: 92KB
- MD5: 8c462ae510f799b1f7addce90c1d4fb8
- SHA1: 590d8644258967d3a182a466c4554becb9597635
- SHA256: 15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6
- SHA512: 75fdbb9fc4019dbf3a61cc662f07c3d500c4596b143f7f106776ef74b5233853acacda25638b0cae84d01391dbc6598a84e0731e519a11f287dc7256b5c10c5b
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes: MediaCenter.exe
pid | process
1204 | MediaCenter.exe
-
Deletes itself 1 IoCs
Processes: cmd.exe
pid | process
1408 | cmd.exe
-
Loads dropped DLL 1 IoCs
Processes: 15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe
pid | process
1180 | 15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour", but it fires on any drive enumeration; the payload here is identified as Sakula, a RAT, so treat this as a low-confidence indicator rather than evidence of encryption activity.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: 15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe
description | pid | process
Token: SeIncBasePriorityPrivilege | 1180 | 15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: 15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe, cmd.exe
description | pid | process | target process
PID 1180 wrote to memory of 1204 (4 events) | 1180 | 15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe | MediaCenter.exe
PID 1180 wrote to memory of 1408 (4 events) | 1180 | 15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe | cmd.exe
PID 1408 wrote to memory of 364 (4 events) | 1408 | cmd.exe | PING.EXE
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1180
  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID:1204
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1408
    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
PID:364
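The process tree above carries the two behaviours a detection engineer would key on: the dropper writes a Run value pointing at the dropped MediaCenter.exe under %TEMP%, then spawns cmd.exe with `ping 127.0.0.1 & del /q "<own path>"`, where the ping only buys time until the dropper's image handle is closed so `del` can succeed. Note also that the image is reported under SysWOW64 although the command line names System32, and the Run key lands under Wow6432Node: both are the normal file-system and registry redirection for a 32-bit process on x64, not evasion. The following is an added example (not part of the sandbox report or the Sakula sample) that runs this detection logic over process and registry events constructed from the tree and IoCs shown here; the `ProcEvent` record, the `EVENTS`/`REG_EVENTS` lists and the function names are assumptions for illustration, not any EDR's schema.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed from the process tree and registry IoCs in this report; not an
# export from the sandbox or from any EDR product.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path as the OS reports it (SysWOW64 for a 32-bit process)
    cmdline: str


EVENTS = [
    ProcEvent(1180, 0, SAMPLE, '"%s"' % SAMPLE),
    ProcEvent(1204, 1180, DROPPED, DROPPED),
    ProcEvent(1408, 1180, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "%s"' % SAMPLE),
    ProcEvent(364, 1408, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]

# (pid, key, value name, data) for the single Run-key write in the report
REG_EVENTS = [
    (1180,
     r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "MicroMedia", DROPPED),
]

# "ping <loopback> ... & del [/switches] <file.exe>": the ping is a sleep so the
# parent's image is no longer open when del runs. Extra ping switches (-n 3) are
# tolerated by the [^&]* gaps.
PING_DEL_RE = re.compile(
    r"ping\b[^&]*\b(?:127\.0\.0\.1|localhost)\b[^&]*&\s*del\b(?:\s+/\w)*\s+"
    r"\"?(?P<target>[^\"]+?\.exe)\"?\s*$",
    re.IGNORECASE,
)

# Directories any user can write to; a Run entry pointing here is rarely legitimate.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\users\\public\\")


def find_self_deletion(events: List[ProcEvent]) -> List[Dict]:
    """Flag cmd.exe instances running the ping-and-del idiom and record whether
    the file being deleted is the parent's own image (true self-deletion)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = PING_DEL_RE.search(e.cmdline)
        if not m:
            continue
        target = m.group("target")
        parent = by_pid.get(e.ppid)
        hits.append({
            "pid": e.pid,
            "target": target,
            "deletes_parent": parent is not None and parent.image.lower() == target.lower(),
        })
    return hits


def find_user_writable_run_keys(reg_events) -> List[Dict]:
    """Flag Run-key values whose target lives in a user-writable directory."""
    hits = []
    for pid, key, name, data in reg_events:
        if "\\currentversion\\run" not in key.lower():
            continue
        path = data.strip('"').lower()
        if any(d in path for d in USER_WRITABLE):
            hits.append({"pid": pid, "value": name, "path": data,
                         "wow64_redirected": "\\wow6432node\\" in key.lower()})
    return hits


def correlate(events: List[ProcEvent], reg_events) -> Dict:
    """Tie the signals together: a process that set a Run key into a user-writable
    path, started that same file, and then deleted its own image via cmd.exe."""
    by_pid = {e.pid: e for e in events}
    result = {"dropper_pids": []}
    for rk in find_user_writable_run_keys(reg_events):
        spawned_target = any(e.ppid == rk["pid"] and e.image.lower() == rk["path"].lower()
                             for e in events)
        self_deleted = any(h["deletes_parent"] and by_pid[h["pid"]].ppid == rk["pid"]
                           for h in find_self_deletion(events))
        if spawned_target and self_deleted:
            result["dropper_pids"].append(rk["pid"])
    return result


if __name__ == "__main__":
    print(find_self_deletion(EVENTS))
    print(find_user_writable_run_keys(REG_EVENTS))
    print(correlate(EVENTS, REG_EVENTS))
```

Either signal alone is noisy (installers delete their own setup stub the same way, and some updaters register from %APPDATA%); the correlation in `correlate` is what makes the alert worth a ticket. Match on the command line, not on the image path, so the same rule covers the SysWOW64 and System32 copies of cmd.exe.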
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: 336b94ef904f6948cdf1f2fce5367e82
SHA1: 7ff0bebcc3eb79f767d8462c38b82e1cc72588e5
SHA256: c6f6a5cb7e47c754fbefdee3a9f532f5f474b40647d3446f2a3023088a9913bd
SHA512: eae74fd778ec0909f9d360758faf2517baa485869d3f3a6b7f2908a76eeccd520fd3352eb6fd787ca66ccd28d2d53e186ecea268a0cd35e0b233cbc03fd2ac03