Analysis
max time kernel: 141s
max time network: 160s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:49
Static task: static1
Behavioral task: behavioral1
  Sample: 144a2fed586531ff7b0d8fd4384bc150b08e64197ca8ba4b19aa7e933c3eedd7.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 144a2fed586531ff7b0d8fd4384bc150b08e64197ca8ba4b19aa7e933c3eedd7.exe
  Resource: win10v2004-en-20220113
General
Target: 144a2fed586531ff7b0d8fd4384bc150b08e64197ca8ba4b19aa7e933c3eedd7.exe
Size: 150KB
MD5: e60acf699d5d2096710be21f701f0764
SHA1: e382e5c28665067d8a14647eacc8428c78612560
SHA256: 144a2fed586531ff7b0d8fd4384bc150b08e64197ca8ba4b19aa7e933c3eedd7
SHA512: 8260b83deb0a303e1752a5dd336ecfe2898a592ef85671428b5ed47a1a56fab7a15a8a701b332f79c60efa7f9fd84bb53e4e0d11f3922f5809f26ad01bcc59f7
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
Processes:
pid | process
840 | MediaCenter.exe
Deletes itself (1 IoC)
Processes:
pid | process
1072 | cmd.exe
Loads dropped DLL (1 IoC)
Processes:
pid | process
1660 | 144a2fed586531ff7b0d8fd4384bc150b08e64197ca8ba4b19aa7e933c3eedd7.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 144a2fed586531ff7b0d8fd4384bc150b08e64197ca8ba4b19aa7e933c3eedd7.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 1660 | 144a2fed586531ff7b0d8fd4384bc150b08e64197ca8ba4b19aa7e933c3eedd7.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
PID 1660 wrote to memory of 840 | 1660 | 144a2fed586531ff7b0d8fd4384bc150b08e64197ca8ba4b19aa7e933c3eedd7.exe | MediaCenter.exe
PID 1660 wrote to memory of 840 | 1660 | 144a2fed586531ff7b0d8fd4384bc150b08e64197ca8ba4b19aa7e933c3eedd7.exe | MediaCenter.exe
PID 1660 wrote to memory of 840 | 1660 | 144a2fed586531ff7b0d8fd4384bc150b08e64197ca8ba4b19aa7e933c3eedd7.exe | MediaCenter.exe
PID 1660 wrote to memory of 840 | 1660 | 144a2fed586531ff7b0d8fd4384bc150b08e64197ca8ba4b19aa7e933c3eedd7.exe | MediaCenter.exe
PID 1660 wrote to memory of 1072 | 1660 | 144a2fed586531ff7b0d8fd4384bc150b08e64197ca8ba4b19aa7e933c3eedd7.exe | cmd.exe
PID 1660 wrote to memory of 1072 | 1660 | 144a2fed586531ff7b0d8fd4384bc150b08e64197ca8ba4b19aa7e933c3eedd7.exe | cmd.exe
PID 1660 wrote to memory of 1072 | 1660 | 144a2fed586531ff7b0d8fd4384bc150b08e64197ca8ba4b19aa7e933c3eedd7.exe | cmd.exe
PID 1660 wrote to memory of 1072 | 1660 | 144a2fed586531ff7b0d8fd4384bc150b08e64197ca8ba4b19aa7e933c3eedd7.exe | cmd.exe
PID 1072 wrote to memory of 556 | 1072 | cmd.exe | PING.EXE
PID 1072 wrote to memory of 556 | 1072 | cmd.exe | PING.EXE
PID 1072 wrote to memory of 556 | 1072 | cmd.exe | PING.EXE
PID 1072 wrote to memory of 556 | 1072 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\144a2fed586531ff7b0d8fd4384bc150b08e64197ca8ba4b19aa7e933c3eedd7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\144a2fed586531ff7b0d8fd4384bc150b08e64197ca8ba4b19aa7e933c3eedd7.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1660
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 840
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\144a2fed586531ff7b0d8fd4384bc150b08e64197ca8ba4b19aa7e933c3eedd7.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1072
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 556
Network
MITRE ATT&CK Enterprise v6
Downloads
Entry 1
MD5: 733cd8f557cdf7988e44e64be777e69d
SHA1: 8900e50499377649cdc615ab3e46bb6a67f30d82
SHA256: d630b9c3e5569802d11ae5241edfdd2904f1246f33562811accb25dbe370826d
SHA512: b12ddc3336ec7860e7452b240e826811b014d234798149c525c4be8d55ba40fe6c883e4f1082f68bb357d3808f41df4736febe510031e61159d75368e1f79139
Entry 2
MD5: 733cd8f557cdf7988e44e64be777e69d
SHA1: 8900e50499377649cdc615ab3e46bb6a67f30d82
SHA256: d630b9c3e5569802d11ae5241edfdd2904f1246f33562811accb25dbe370826d
SHA512: b12ddc3336ec7860e7452b240e826811b014d234798149c525c4be8d55ba40fe6c883e4f1082f68bb357d3808f41df4736febe510031e61159d75368e1f79139