Analysis

max time kernel: 134s
max time network: 150s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:23

Static task: static1

Behavioral task: behavioral1
Sample: 1563656d1cf8f63368af6f94e44266d0f269410c057ae93a82692ab6484cb073.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 1563656d1cf8f63368af6f94e44266d0f269410c057ae93a82692ab6484cb073.exe
Resource: win10v2004-en-20220113

General

Target: 1563656d1cf8f63368af6f94e44266d0f269410c057ae93a82692ab6484cb073.exe
Size: 216KB
MD5: fd44014f2c89029d37f32eeae55c8bba
SHA1: ae4c5acc032fca4335c9ba03edbcf56438627853
SHA256: 1563656d1cf8f63368af6f94e44266d0f269410c057ae93a82692ab6484cb073
SHA512: d15a87b42ccfbd24ea18bc2d77fd10e5c921a645e720627848bb8897df5ba30d5587f13329f06d5307da35611966269d8659156f92b70741cb2c96e50c9a0fca
Malware Config
Signatures
-
Sakula Payload (4 IoCs)
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral1/memory/1624-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral1/memory/1548-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
pid | process
1548 | MediaCenter.exe

Deletes itself (1 IoC)
pid | process
740 | cmd.exe

Loads dropped DLL (1 IoC)
pid | process
1624 | 1563656d1cf8f63368af6f94e44266d0f269410c057ae93a82692ab6484cb073.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1563656d1cf8f63368af6f94e44266d0f269410c057ae93a82692ab6484cb073.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; the other signatures on this page (family_sakula YARA hits, Sakula/Mivast RAT CnC beacon) identify the sample as a RAT, not ransomware, so do not read this heuristic on its own as an encryption indicator.
-
Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeIncBasePriorityPrivilege | 1624 | 1563656d1cf8f63368af6f94e44266d0f269410c057ae93a82692ab6484cb073.exe

Suspicious use of WriteProcessMemory (12 IoCs)
source pid | source process | target pid | target process | events
1624 | 1563656d1cf8f63368af6f94e44266d0f269410c057ae93a82692ab6484cb073.exe | 1548 | MediaCenter.exe | 4
1624 | 1563656d1cf8f63368af6f94e44266d0f269410c057ae93a82692ab6484cb073.exe | 740 | cmd.exe | 4
740 | cmd.exe | 1764 | PING.EXE | 4
Processes

C:\Users\Admin\AppData\Local\Temp\1563656d1cf8f63368af6f94e44266d0f269410c057ae93a82692ab6484cb073.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1563656d1cf8f63368af6f94e44266d0f269410c057ae93a82692ab6484cb073.exe"
  PID: 1624
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1548
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1563656d1cf8f63368af6f94e44266d0f269410c057ae93a82692ab6484cb073.exe"
    PID: 740
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      PID: 1764
      - Runs ping.exe

Note on the tree: the sample asks for System32\cmd.exe but the image that runs is SysWOW64\cmd.exe, and the Run key lands under Wow6432Node. Both are the normal WoW64 file-system and registry redirection for a 32-bit process on windows7_x64, which tells you the sample is 32-bit. The "ping 127.0.0.1 & del /q <own path>" chain is a delay-then-delete: ping stalls for a moment so the dropper can exit, then del removes the original file while the dropped MediaCenter.exe keeps running and is already registered for persistence.
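The two behaviours in this tree that are worth a detection on their own are the cmd.exe "ping & del" self-deletion and the Run key pointing into %TEMP%. The following is an added example and is not part of the sandbox report: it prototypes both detections in Python over constructed Sysmon-like process and registry records built from the report's process tree and registry IoC (the record schema, the rule names, the parent pid 1000 for the sample itself, and the two benign control records are assumptions, not data from the report).

```python
"""Prototype detections for two behaviours in the report above: the
"ping 127.0.0.1 & del" self-deletion chain and the Run key pointing into
%TEMP%.  Added example; not part of the sandbox report.  The records below
are constructed from the report's process tree and registry IoC using a
made-up Sysmon-like schema, plus two benign control records."""
import re
from typing import Dict, Iterable, List

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\1563656d1cf8f63368af6f94e44266d0f269410c057ae93a82692ab6484cb073.exe"
DROPPED = TEMP + r"\MicroMedia\MediaCenter.exe"

# Constructed events.  ppid 1000 for the sample itself is an assumption;
# the report does not show what launched it.
EVENTS: List[Dict] = [
    {"type": "process", "pid": 1624, "ppid": 1000, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 1548, "ppid": 1624, "image": DROPPED,
     "cmdline": DROPPED},
    {"type": "process", "pid": 740, "ppid": 1624,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 1764, "ppid": 740,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    {"type": "registry", "pid": 1624,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": f'"{DROPPED}"'},
    # Benign controls that must not fire: a ping without del, a vendor Run key.
    {"type": "process", "pid": 2000, "ppid": 1000,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 10.0.0.1 & echo done'},
    {"type": "registry", "pid": 2001,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Program Files\Vendor\updater.exe"},
]

# "ping <host> & del [/switches] <file>": ping supplies the delay, del removes
# the file.  Captures the del target whether or not it is quoted.
PING_DEL_RE = re.compile(
    r'\bping\b[^&]*&+\s*del\b(?:\s+/\w+)*\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)

# Locations a non-admin user can write to; Run keys pointing here are suspect.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\Local\\Temp|ProgramData|Users\\Public|Windows\\Temp)\\",
    re.IGNORECASE)


def _norm(path: str) -> str:
    """Case-fold and strip surrounding quotes so paths compare reliably."""
    return path.strip().strip('"').lower()


def detect_self_delete(events: Iterable[Dict]) -> List[Dict]:
    """Flag cmd.exe 'ping & del' chains; high confidence when the deleted
    file is the parent's own image (the dropper removing itself)."""
    events = list(events)
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] != "process" or not e["image"].lower().endswith("cmd.exe"):
            continue
        m = PING_DEL_RE.search(e["cmdline"])
        if not m:
            continue
        target = _norm(m.group(1) or m.group(2))
        parent = by_pid.get(e["ppid"])
        if parent and _norm(parent["image"]) == target:
            findings.append({"rule": "cmd_ping_del_self_delete", "pid": e["pid"],
                             "deleted_parent_pid": parent["pid"], "target": target})
        else:
            findings.append({"rule": "cmd_ping_del_delayed_delete", "pid": e["pid"],
                             "target": target})
    return findings


def detect_user_writable_run_key(events: Iterable[Dict]) -> List[Dict]:
    """Flag Run-key values in user-writable paths and note whether the process
    that set the key also launched that binary (drop, execute, persist)."""
    events = list(events)
    findings = []
    for e in events:
        if e["type"] != "registry" or "\\currentversion\\run\\" not in e["key"].lower():
            continue
        target = _norm(e["value"])
        if not USER_WRITABLE_RE.search(target):
            continue
        launched = any(p["type"] == "process" and p["ppid"] == e["pid"]
                       and _norm(p["image"]) == target for p in events)
        findings.append({"rule": "run_key_user_writable_path", "pid": e["pid"],
                         "target": target, "also_executed_by_setter": launched})
    return findings


if __name__ == "__main__":
    for f in detect_self_delete(EVENTS) + detect_user_writable_run_key(EVENTS):
        print(f)
```

Against the constructed records, the first rule fires once, on PID 740, with the deleted path equal to the parent's image (PID 1624), and the second fires once, on the MicroMedia Run key, with the correlation flag set because the same PID 1624 also spawned MediaCenter.exe; the two control records produce nothing. The parent-image comparison is what separates a dropper's self-deletion from an administrator's ordinary "ping & del" cleanup, and the setter-also-launched correlation is what lifts a generic Run-key alert to a drop-execute-persist finding.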
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 8fab8553b1363b1472b5e45d33c55b2a
SHA1: fcdb149cf7b5ef2a9177cd8471ce927825ebf5db
SHA256: 9f4c55e8cb102ae4b09ef8c3dce5b7007eccb2b5d7f83945f9d62b04178dd7a5
SHA512: 260532f88c7b21864a2c6c4a70cd63144bce10f114bbbd0c62eacf71176987a13365f73c5693a6f9b6e7f864be5901692613fcc35ee84a5525d5dff47062a57f