Analysis
max time kernel: 142s
max time network: 159s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 05:23
Behavioral task: behavioral1
Sample: 12dbf7edc260170e13f62576e5cd52e71724af6a11f1c9914504f3a314bfce72.exe
Resource: win7-en-20211208
General
Target: 12dbf7edc260170e13f62576e5cd52e71724af6a11f1c9914504f3a314bfce72.exe
Size: 212KB
MD5: 90cdb47cfbf4f43ca63db6ba94f92bb2
SHA1: 5ec6c83edd3dae7b03234c42afc9b8d48efd5b99
SHA256: 12dbf7edc260170e13f62576e5cd52e71724af6a11f1c9914504f3a314bfce72
SHA512: 0c53d3ca9cd22d920e62b1533a06cd650b21e0b83f76b1701ad0dea9504412346df20936e9fd90edc0f9e353a46a0710a05a3c237977c7181c064484f6b1a295
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource                                                      yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    956   MediaCenter.exe
- Processes:
    resource                                                      yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    upx
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  upx
- Deletes itself (1 IoC)
  Processes:
    pid    process
    1612   cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid    process
    1672   12dbf7edc260170e13f62576e5cd52e71724af6a11f1c9914504f3a314bfce72.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description      ioc                                                                                                                                                                                   process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  12dbf7edc260170e13f62576e5cd52e71724af6a11f1c9914504f3a314bfce72.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                         pid    process
    Token: SeIncBasePriorityPrivilege   1672   12dbf7edc260170e13f62576e5cd52e71724af6a11f1c9914504f3a314bfce72.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid    process                                                                   target process
    PID 1672 wrote to memory of 956    1672   12dbf7edc260170e13f62576e5cd52e71724af6a11f1c9914504f3a314bfce72.exe     MediaCenter.exe
    PID 1672 wrote to memory of 956    1672   12dbf7edc260170e13f62576e5cd52e71724af6a11f1c9914504f3a314bfce72.exe     MediaCenter.exe
    PID 1672 wrote to memory of 956    1672   12dbf7edc260170e13f62576e5cd52e71724af6a11f1c9914504f3a314bfce72.exe     MediaCenter.exe
    PID 1672 wrote to memory of 956    1672   12dbf7edc260170e13f62576e5cd52e71724af6a11f1c9914504f3a314bfce72.exe     MediaCenter.exe
    PID 1672 wrote to memory of 1612   1672   12dbf7edc260170e13f62576e5cd52e71724af6a11f1c9914504f3a314bfce72.exe     cmd.exe
    PID 1672 wrote to memory of 1612   1672   12dbf7edc260170e13f62576e5cd52e71724af6a11f1c9914504f3a314bfce72.exe     cmd.exe
    PID 1672 wrote to memory of 1612   1672   12dbf7edc260170e13f62576e5cd52e71724af6a11f1c9914504f3a314bfce72.exe     cmd.exe
    PID 1672 wrote to memory of 1612   1672   12dbf7edc260170e13f62576e5cd52e71724af6a11f1c9914504f3a314bfce72.exe     cmd.exe
    PID 1612 wrote to memory of 1084   1612   cmd.exe                                                                   PING.EXE
    PID 1612 wrote to memory of 1084   1612   cmd.exe                                                                   PING.EXE
    PID 1612 wrote to memory of 1084   1612   cmd.exe                                                                   PING.EXE
    PID 1612 wrote to memory of 1084   1612   cmd.exe                                                                   PING.EXE
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\12dbf7edc260170e13f62576e5cd52e71724af6a11f1c9914504f3a314bfce72.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12dbf7edc260170e13f62576e5cd52e71724af6a11f1c9914504f3a314bfce72.exe"
  Level: 1
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1672
  - Image: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Level: 2
    - Executes dropped EXE
    PID: 956
  - Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12dbf7edc260170e13f62576e5cd52e71724af6a11f1c9914504f3a314bfce72.exe"
    Level: 2
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1612
    - Image: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Level: 3
      - Runs ping.exe
      PID: 1084
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 2a73ccd7944bb6ee703f04423f8309d6
  SHA1: fc72c81f0acf6c78d894fd91c4635743a9378e35
  SHA256: 4cfdfc2fff54a62c0c269130e44028078f6dd5594495db19586d74e1abbe5e91
  SHA512: 9ce6c7ac3769cbe72e6af5e222416fdb042d98c03916b8b435e51ab8d4d53b18082c9992c9bd04fbca52ea4f6d2a1782e0ce17cb2558caee636e79696f232109