Analysis
-
max time kernel
138s -
max time network
144s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 04:44
Static task
static1
Behavioral task
behavioral1
Sample
14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe
Resource
win10v2004-en-20220112
General
-
Target
14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe
-
Size
92KB
-
MD5
527224b36cbb1542d0ab5756cd8fa40e
-
SHA1
7d8a18f0c8c19ab2d940a7f54a2896b9797b1a7f
-
SHA256
14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260
-
SHA512
bab730c8db3b05eab1e30c1424bcf1fd7a9e5281ddaac0e8fa181c2a2900c771c0ad23c00f1d926c694e304e44c720065a812a81389877a33fb909265c6811a4
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1212 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 624 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exepid process 856 14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exedescription pid process Token: SeIncBasePriorityPrivilege 856 14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.execmd.exedescription pid process target process PID 856 wrote to memory of 1212 856 14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe MediaCenter.exe PID 856 wrote to memory of 1212 856 14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe MediaCenter.exe PID 856 wrote to memory of 1212 856 14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe MediaCenter.exe PID 856 wrote to memory of 1212 856 14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe MediaCenter.exe PID 856 wrote to memory of 624 856 14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe cmd.exe PID 856 wrote to memory of 624 856 14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe cmd.exe PID 856 wrote to memory of 624 856 14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe cmd.exe PID 856 wrote to memory of 624 856 14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe cmd.exe PID 624 wrote to memory of 2016 624 cmd.exe PING.EXE PID 624 wrote to memory of 2016 624 cmd.exe PING.EXE PID 624 wrote to memory of 2016 624 cmd.exe PING.EXE PID 624 wrote to memory of 2016 624 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe"C:\Users\Admin\AppData\Local\Temp\14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:2016
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
30ca5bd17993043213b23ab70f4db2c0
SHA188bd02844f4ccc43ebf053fe0c4476aa246a479b
SHA256825188a1e12efc18689bbe43da605a3692b9dca9203d53f9505b7b7047453469
SHA512ddd97fc44f3697b161b4afde4bdb57c7a21cdcd6c74a35cc54946c0d3dbb3d6539db6e64b8c48642223a887bf7c8705763f6af830b274588dbc19e9f9fa93280
-
MD5
30ca5bd17993043213b23ab70f4db2c0
SHA188bd02844f4ccc43ebf053fe0c4476aa246a479b
SHA256825188a1e12efc18689bbe43da605a3692b9dca9203d53f9505b7b7047453469
SHA512ddd97fc44f3697b161b4afde4bdb57c7a21cdcd6c74a35cc54946c0d3dbb3d6539db6e64b8c48642223a887bf7c8705763f6af830b274588dbc19e9f9fa93280