Analysis

max time kernel: 145s
max time network: 153s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:19
Static task: static1

Behavioral task: behavioral1
  Sample: 1586703f8a2624fb562863f6e6539b5fa647a0e0858ce131cb49eb943ac2b966.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 1586703f8a2624fb562863f6e6539b5fa647a0e0858ce131cb49eb943ac2b966.exe
  Resource: win10v2004-en-20220113
General

Target: 1586703f8a2624fb562863f6e6539b5fa647a0e0858ce131cb49eb943ac2b966.exe
Size: 89KB
MD5: 77c19572915d6949592e2ec5614fb8b4
SHA1: 2857e956fe9d32a682289966cfe3c4a8445f718f
SHA256: 1586703f8a2624fb562863f6e6539b5fa647a0e0858ce131cb49eb943ac2b966
SHA512: b67a35c5ad85ba939b948de34e2a2a4c016b049bc64db1a8e350ce375de5e75f6bac708282af38d4b8029ea8ea5951fbf256494a7b2b861a96753b0560f9f254
Malware Config
Signatures

Sakula Payload (2 IoCs)
  yara_rule family_sakula matched on the dropped file:
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
  MediaCenter.exe, PID 1028

Deletes itself (1 IoC)
  cmd.exe, PID 1932

Loads dropped DLL (1 IoC)
  1586703f8a2624fb562863f6e6539b5fa647a0e0858ce131cb49eb943ac2b966.exe, PID 960
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by the sample (PID 960):
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The value lands under Wow6432Node because the sample runs as a 32-bit process on the x64 VM (its cmd.exe child also ran from SysWOW64), so its HKLM\SOFTWARE writes are redirected. It points at the dropped copy in the user's Temp directory, which is the persistence artefact to hunt for on other hosts.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this "likely ransomware behaviour", but the YARA and Suricata hits on this report identify the sample as the Sakula/Mivast RAT; drive enumeration on its own is not evidence of file encryption.
-
Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, the sample (PID 960)
Suspicious use of WriteProcessMemory (12 IoCs)
  source PID  source process       target PID  target process    records
  960         the sample           1028        MediaCenter.exe   4
  960         the sample           1932        cmd.exe           4
  1932        cmd.exe              1124        PING.EXE          4
  All twelve records are parent-to-child writes that line up exactly with the three process launches in the Processes section; a parent writing into a child it has just created is expected at start-up and does not on its own indicate code injection.
Processes

C:\Users\Admin\AppData\Local\Temp\1586703f8a2624fb562863f6e6539b5fa647a0e0858ce131cb49eb943ac2b966.exe  (level 1, PID 960)
  command line: "C:\Users\Admin\AppData\Local\Temp\1586703f8a2624fb562863f6e6539b5fa647a0e0858ce131cb49eb943ac2b966.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (level 2, PID 1028, parent 960)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe  (level 2, PID 1932, parent 960)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1586703f8a2624fb562863f6e6539b5fa647a0e0858ce131cb49eb943ac2b966.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE  (level 3, PID 1124, parent 1932)
      command line: ping 127.0.0.1
      - Runs ping.exe

The cmd.exe line is the common self-removal idiom: ping to 127.0.0.1 (four echoes by default, roughly three seconds) stalls until the original executable has exited and its file is no longer locked, then del /q removes it. cmd.exe was requested as C:\Windows\System32\cmd.exe but ran from SysWOW64, confirming a 32-bit sample under file-system redirection on the x64 VM; the same redirection is why the Run value sits under Wow6432Node. After this step the only copy on disk is the dropped MediaCenter.exe referenced by the Run key.
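Detection logic for the two behaviours this report records, a Run value that points into a per-user Temp directory and a cmd.exe child that pings loopback and then deletes its parent's own image, written as an added example that is not part of the sandbox report or any vendor's code. The event classes, regexes and function names are this example's own assumptions; the sample events are constructed from the process tree and registry IoC above, with one benign ping and one benign Run value added as controls. It goes slightly beyond the report by also accepting RunOnce keys, `&&` chaining and unquoted paths.

```python
import re
from dataclasses import dataclass

# Hypothetical, minimal event records (this example's own shapes, not a
# sandbox or Sysmon schema).
@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable that actually ran
    cmdline: str

@dataclass
class RegistrySetEvent:
    pid: int
    key: str
    value_name: str
    data: str

# Paths taken from the report above.
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "1586703f8a2624fb562863f6e6539b5fa647a0e0858ce131cb49eb943ac2b966.exe")
DROPPED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"

# Constructed events: the report's process tree plus one benign control
# (an operator pinging a host from a shell) that must not be flagged.
PROCESS_EVENTS = [
    ProcessEvent(960, 0, SAMPLE, f'"{SAMPLE}"'),   # parent not in the report
    ProcessEvent(1028, 960, DROPPED, DROPPED),
    ProcessEvent(1932, 960, "C:\\Windows\\SysWOW64\\cmd.exe",
                 f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcessEvent(1124, 1932, "C:\\Windows\\SysWOW64\\PING.EXE", "ping 127.0.0.1"),
    ProcessEvent(2000, 0, "C:\\Windows\\System32\\cmd.exe",
                 '"C:\\Windows\\System32\\cmd.exe" /c ping 10.0.0.1'),
]

# Constructed registry events: the report's Run value plus a benign control
# whose data points into Program Files.
REGISTRY_EVENTS = [
    RegistrySetEvent(960, "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
                     "MicroMedia", DROPPED),
    RegistrySetEvent(500, "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
                     "SecurityHealth", "C:\\Program Files\\Windows Defender\\MSASCuiL.exe"),
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Per-user AppData (Local\Temp, Roaming, ...) is writable without admin rights.
USER_APPDATA_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# "ping <anything> & del [/flags] [\"]<drive>:\<path>", with & or &&, quoted or not.
SELF_DELETE_RE = re.compile(
    r"\bping\b[^&]*&{1,2}\s*del\b[^\"']*[\"']?(?P<target>[A-Z]:\\[^\"']+)", re.IGNORECASE)


def find_temp_run_keys(reg_events):
    """Run/RunOnce values (Wow6432Node or not) whose data points into a user's AppData tree."""
    hits = []
    for ev in reg_events:
        if RUN_KEY_RE.search(ev.key) and USER_APPDATA_RE.match(ev.data.strip('"')):
            hits.append((ev.pid, ev.value_name, ev.data))
    return hits


def find_self_deletion(proc_events):
    """cmd.exe children whose command line pings, then deletes the parent's own image."""
    by_pid = {ev.pid: ev for ev in proc_events}
    hits = []
    for ev in proc_events:
        if not ev.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(ev.cmdline)
        parent = by_pid.get(ev.ppid)
        if m and parent and m.group("target").strip().lower() == parent.image.lower():
            hits.append((ev.pid, parent.pid, parent.image))
    return hits


def triage(proc_events, reg_events):
    """Combine both checks into one summary for a single analysis run."""
    return {
        "persistence": find_temp_run_keys(reg_events),
        "self_deletion": find_self_deletion(proc_events),
    }


if __name__ == "__main__":
    for name, hits in triage(PROCESS_EVENTS, REGISTRY_EVENTS).items():
        print(name, hits)
```

The self-deletion check deliberately requires the deleted path to equal the parent's image rather than just matching `ping ... & del`, which keeps installer clean-up scripts and ad-hoc admin commands out of the results; the persistence check keys on the destination path rather than the key name, so a Run value in HKCU or under Wow6432Node is treated the same way.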
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 13b4ef14da5b1a861c198cfd6459085d
SHA1: 7230cca17c35751cae631d422f83870a79b12401
SHA256: 90b60381d1741b54f7aa4c4f607e9d1839b208b9dd38e279396faf96fdd61e97
SHA512: cdb7ff71a14a82c0d818feec41b933e7db5a7bd47d7c2451c11c6f126df81928505c7a9acd453e64de1621a506f07de06bbfbd98408d867c9554ac3a332663e3

These hashes differ from the submitted sample's, so this is a separate file collected during the run; the report does not give its name.