Analysis
- max time kernel: 140s
- max time network: 149s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:18

Static task: static1

Behavioral task: behavioral1
- Sample: 158c03a6741c745790eea9304d273d207f3bb1427232e2ac9cd581616b130151.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 158c03a6741c745790eea9304d273d207f3bb1427232e2ac9cd581616b130151.exe
- Resource: win10v2004-en-20220113
General
- Target: 158c03a6741c745790eea9304d273d207f3bb1427232e2ac9cd581616b130151.exe
- Size: 150KB
- MD5: 3a402c05d2baa65da1a9a15f7bf5c9ee
- SHA1: 387c652ccb3763aa0846a9ad306c8e1886b77041
- SHA256: 158c03a6741c745790eea9304d273d207f3bb1427232e2ac9cd581616b130151
- SHA512: d19b48cb2e01548ac134d6041dac250683ba93aaf6c833f0e9dc8a9d207d93b64d522eba9fce46103cb0ee0e5de854a21b28a7eb571fd9dd17b83f478425ec71
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoCs)
  Processes:
  pid   process
  1872  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
  pid   process
  392   cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes:
  pid   process
  940   158c03a6741c745790eea9304d273d207f3bb1427232e2ac9cd581616b130151.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 158c03a6741c745790eea9304d273d207f3bb1427232e2ac9cd581616b130151.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description: Token: SeIncBasePriorityPrivilege
  pid: 940
  process: 158c03a6741c745790eea9304d273d207f3bb1427232e2ac9cd581616b130151.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                       pid  process                                                                 target process
  PID 940 wrote to memory of 1872   940  158c03a6741c745790eea9304d273d207f3bb1427232e2ac9cd581616b130151.exe  MediaCenter.exe
  PID 940 wrote to memory of 1872   940  158c03a6741c745790eea9304d273d207f3bb1427232e2ac9cd581616b130151.exe  MediaCenter.exe
  PID 940 wrote to memory of 1872   940  158c03a6741c745790eea9304d273d207f3bb1427232e2ac9cd581616b130151.exe  MediaCenter.exe
  PID 940 wrote to memory of 1872   940  158c03a6741c745790eea9304d273d207f3bb1427232e2ac9cd581616b130151.exe  MediaCenter.exe
  PID 940 wrote to memory of 392    940  158c03a6741c745790eea9304d273d207f3bb1427232e2ac9cd581616b130151.exe  cmd.exe
  PID 940 wrote to memory of 392    940  158c03a6741c745790eea9304d273d207f3bb1427232e2ac9cd581616b130151.exe  cmd.exe
  PID 940 wrote to memory of 392    940  158c03a6741c745790eea9304d273d207f3bb1427232e2ac9cd581616b130151.exe  cmd.exe
  PID 940 wrote to memory of 392    940  158c03a6741c745790eea9304d273d207f3bb1427232e2ac9cd581616b130151.exe  cmd.exe
  PID 392 wrote to memory of 1160   392  cmd.exe                                                                 PING.EXE
  PID 392 wrote to memory of 1160   392  cmd.exe                                                                 PING.EXE
  PID 392 wrote to memory of 1160   392  cmd.exe                                                                 PING.EXE
  PID 392 wrote to memory of 1160   392  cmd.exe                                                                 PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\158c03a6741c745790eea9304d273d207f3bb1427232e2ac9cd581616b130151.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\158c03a6741c745790eea9304d273d207f3bb1427232e2ac9cd581616b130151.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 940
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1872
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\158c03a6741c745790eea9304d273d207f3bb1427232e2ac9cd581616b130151.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 392
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1160
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 6a9f7e6bf7baffcd6b034ee09c21f14b
  SHA1: f68d0370a320fffea7c1dbbcb94bbd9defcf482e
  SHA256: ecbac09f3e43917e8611165a9bb2b128abfc4de5aa6c74798ee446e7687af641
  SHA512: fd803398c0f0d9629dae17a953970dedf39c27c8628b116df449d4ab08d7b233bba1d901bc455267118cdffe9be592a092408214ff3d31491b24dd149c29837e