Analysis
- max time kernel: 137s
- max time network: 149s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:20
Static task: static1
Behavioral task: behavioral1
- Sample: 1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe
- Resource: win10v2004-en-20220113
General
- Target: 1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe
- Size: 216KB
- MD5: 8c8d92397e5d19d85d32268c9f28c7dc
- SHA1: a0f4c4835cf136965acbd517b4353c7f7f2f652d
- SHA256: 1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906
- SHA512: a6aa8e556bff5c25b864d3d4bfc9e63ca9c2b303de57f55334b152ba87e0711813d155457cc437bbd1c05ba2f4709c698bfa394fdd9d959ff9554213c2c457bd
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  resource / yara_rule:
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  behavioral1/memory/1700-58-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
  behavioral1/memory/1552-59-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  pid 1552  MediaCenter.exe
- Deletes itself (1 IoC)
  pid 1528  cmd.exe
- Loads dropped DLL (1 IoC)
  pid 1700  1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  by 1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe (pid 1700)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this "likely ransomware behaviour", but nothing in this run shows file encryption and the payload is classified as the Sakula/Mivast RAT, so treat this heuristic as low-confidence for this sample.
- Runs ping.exe (1 TTP, 1 IoC)
  pid 1124  PING.EXE  ping 127.0.0.1
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege  pid 1700  1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  pid 1700 (1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe) wrote to memory of pid 1552 (MediaCenter.exe)  x4
  pid 1700 (1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe) wrote to memory of pid 1528 (cmd.exe)  x4
  pid 1528 (cmd.exe) wrote to memory of pid 1124 (PING.EXE)  x4
Processes
- C:\Users\Admin\AppData\Local\Temp\1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe  (PID 1700)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe"
  Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1552)
    cmdline: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe  (PID 1528)
    cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe"
    Deletes itself; Suspicious use of WriteProcessMemory
    (The 32-bit parent asks for System32\cmd.exe and WoW64 file-system redirection resolves it to SysWOW64. The ping to 127.0.0.1 is a delay so the original executable has exited before del /q removes it; only the dropped MediaCenter.exe and the Run key remain on disk.)
    - C:\Windows\SysWOW64\PING.EXE  (PID 1124)
      cmdline: ping 127.0.0.1
      Runs ping.exe
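The three behaviours that make this tree recognisable (a dropped executable run from under the user's Temp folder, a Run key pointing back into that folder, and a cmd.exe child that deletes its parent's image after a loopback ping) can be checked mechanically in process-creation and registry telemetry. The following is an added detection example written for this page; it is not sandbox output and not Sakula code. The event records are constructed to mirror the process tree and the Run key IoC above, the `ProcEvent` field names are an assumed shape rather than any real log format, and the parent pid 900 is an assumed explorer.exe parent the report does not show. It also covers the Run key signature listed under Signatures.

```python
# Added detection example; not output of the sandbox and not Sakula code.
# It re-implements three behaviours visible in the report above as checks
# a defender could run over process-creation and registry telemetry:
#   1. an executable launched from under %LOCALAPPDATA%\Temp
#   2. a Run/RunOnce value that points into that Temp folder (persistence)
#   3. cmd.exe deleting its parent's own image after a "ping 127.0.0.1" delay
# Event records are constructed to mirror the process tree and Run key IoC on
# this page; the field names are assumptions, not a real log format.
import re
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1303a5e8c40e398eb6d5bd1cad2f7a31fa0ac052c520db0e59d0bf73d3f70906.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path, as a Sysmon EID 1 "Image" field would carry it
    cmdline: str    # raw command line


# Constructed events modelled on the process tree above (ppid 900 is an
# assumed explorer.exe parent that the report does not show).
EVENTS = [
    ProcEvent(1700, 900, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1552, 1700, DROPPED, DROPPED),
    ProcEvent(1528, 1700, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(1124, 1528, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    # benign control: a ping-delay without a delete must not fire
    ProcEvent(2000, 900, r"C:\Windows\System32\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 -n 2 & echo done'),
]

# Constructed (key, value) pair modelled on the Run key IoC above.
RUN_KEY_WRITES = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     DROPPED),
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# "ping 127.0.0.1 [-n N] ... & del [/switches] <path>" at the end of the command line
SELF_DEL_RE = re.compile(
    r"ping\s+(?:-n\s+\d+\s+)?127\.0\.0\.1.*?&\s*(?:del|erase)\s+(?:/\w\s+)*"
    r"\"?(?P<target>[^\"&]+?)\"?\s*$",
    re.IGNORECASE,
)


def flag_temp_execution(events):
    """PIDs whose image lives under the user's Temp folder."""
    return [e.pid for e in events if TEMP_RE.search(e.image)]


def flag_run_key_to_temp(writes):
    """Run/RunOnce values whose target is under Temp: persistence for a dropper."""
    return [(k, v) for k, v in writes if RUN_KEY_RE.search(k) and TEMP_RE.search(v)]


def flag_self_delete(events):
    """(cmd_pid, parent_pid, deleted_path) where cmd.exe deletes its parent's
    own image; the ping only exists so cmd outlives the parent before the del."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DEL_RE.search(e.cmdline)
        if not m:
            continue
        parent = by_pid.get(e.ppid)
        target = m.group("target").strip()
        if parent is not None and target.lower() == parent.image.lower():
            hits.append((e.pid, e.ppid, target))
    return hits


def analyse(events=EVENTS, writes=RUN_KEY_WRITES):
    return {
        "temp_exec": flag_temp_execution(events),
        "run_key_to_temp": flag_run_key_to_temp(writes),
        "self_delete": flag_self_delete(events),
    }


if __name__ == "__main__":
    for name, hits in analyse().items():
        print(f"{name}: {hits}")
```

The self-delete check deliberately ties the deleted path back to the parent's own image rather than alerting on every `ping & del` pair, since installers and scripts use the same idiom for cleanup; the benign control event shows the ping-delay alone is not enough to fire. In real telemetry the parent image would come from the same process-creation feed, keyed by ProcessId/ParentProcessId.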
Network
MITRE ATT&CK Enterprise v6
Downloads (one file, listed twice in the original report with identical hashes)
- MD5: 7e73d82daf2cdbc2cc327576170d5806
  SHA1: 4e710e23b979765a6cb3d7ebd722c32653672e3b
  SHA256: f20db3ae89532cd73d48ca69a129c32e9cefb857e967f778fe0953183d30f874
  SHA512: 41191712981f337b34ca0eff639a42f20757d4fc251836288f13a876bf8373e2a0148359f286544b7c9e18f41d6f3c8e99ccb05ea4f68bd77e1566895100dde1