Analysis
- max time kernel: 143s
- max time network: 161s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:48
Static task: static1
Behavioral task: behavioral1
- Sample: 1455e88c24c9e19b808727bdf34e912b02541b467cd87eae1cfd4eeccc7a17a0.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1455e88c24c9e19b808727bdf34e912b02541b467cd87eae1cfd4eeccc7a17a0.exe
- Resource: win10v2004-en-20220113
General
- Target: 1455e88c24c9e19b808727bdf34e912b02541b467cd87eae1cfd4eeccc7a17a0.exe
- Size: 150KB
- MD5: e1762451232f83828939e62b29b5d317
- SHA1: a1b5e480dacc78969b770e1184351b4c46713b09
- SHA256: 1455e88c24c9e19b808727bdf34e912b02541b467cd87eae1cfd4eeccc7a17a0
- SHA512: dfa909cfdee7554b9e58ffa2055763c43fcb2c023bfa727cecf65ed2364afff16e55ac1fe4eb1bf83f1ebe6720d8b9960ec1d0e50569239b79dea994b4929934
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes:
  pid: 268  process: MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid: 528  process: cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid: 776  process: 1455e88c24c9e19b808727bdf34e912b02541b467cd87eae1cfd4eeccc7a17a0.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 1455e88c24c9e19b808727bdf34e912b02541b467cd87eae1cfd4eeccc7a17a0.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description: Token: SeIncBasePriorityPrivilege  pid: 776  process: 1455e88c24c9e19b808727bdf34e912b02541b467cd87eae1cfd4eeccc7a17a0.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process; each row recorded 4 times):
  PID 776 wrote to memory of 268  776  1455e88c24c9e19b808727bdf34e912b02541b467cd87eae1cfd4eeccc7a17a0.exe  MediaCenter.exe  (x4)
  PID 776 wrote to memory of 528  776  1455e88c24c9e19b808727bdf34e912b02541b467cd87eae1cfd4eeccc7a17a0.exe  cmd.exe  (x4)
  PID 528 wrote to memory of 1132  528  cmd.exe  PING.EXE  (x4)
Processes
- C:\Users\Admin\AppData\Local\Temp\1455e88c24c9e19b808727bdf34e912b02541b467cd87eae1cfd4eeccc7a17a0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1455e88c24c9e19b808727bdf34e912b02541b467cd87eae1cfd4eeccc7a17a0.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 776
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 268
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1455e88c24c9e19b808727bdf34e912b02541b467cd87eae1cfd4eeccc7a17a0.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 528
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1132
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 45f9b7fecdb574ac34f70a34528d2774
  SHA1: 0baacc9a25fda080fd16592431f0ae851e15f0ae
  SHA256: e4ca5fe77713d517d919266895f08e441fd38fe5fdb345371d908c6d16673ddb
  SHA512: f2cd94ee05848f3070edeb175ab8cf9fce4bba5aa3492a74f7db9650f4654cd278197b9881c121e4bee0932fad5ebeaf5b64e75d9b1a9d9fe00934151b0295d8