Analysis
- max time kernel: 144s
- max time network: 158s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:51
Static task: static1
Behavioral task: behavioral1
- Sample: 14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe
- Resource: win10v2004-en-20220113
General
- Target: 14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe
- Size: 116KB
- MD5: a6f6e36cd5fb690446a3f078bf84834b
- SHA1: 92e5d658cc9f24fb6773b93b857d4af54d14dbed
- SHA256: 14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599
- SHA512: dfd637e693e0aee6817cbaa47befeee813f46615e56ad9a6bc448f18abe4eeb2dcbc89befa37e27e1c6ee28f0e83136173a13feb2c3677eecddedd82701d0eb6
Malware Config
Signatures
Sakula Payload (4 IoCs)
Processes:
  resource                                                                    | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                   | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                 | family_sakula
  behavioral1/memory/1888-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/980-59-0x0000000000400000-0x0000000000420000-memory.dmp  | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
Processes:
  pid | process
  980 | MediaCenter.exe

Deletes itself (1 IoC)
Processes:
  pid | process
  684 | cmd.exe

Loads dropped DLL (1 IoC)
Processes:
  pid  | process
  1888 | 14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description     | ioc                                                                                                                                                         | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description                         | pid  | process
  Token: SeIncBasePriorityPrivilege   | 1888 | 14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                        | pid  | process                                                              | target process
  PID 1888 wrote to memory of 980    | 1888 | 14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe | MediaCenter.exe
  PID 1888 wrote to memory of 980    | 1888 | 14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe | MediaCenter.exe
  PID 1888 wrote to memory of 980    | 1888 | 14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe | MediaCenter.exe
  PID 1888 wrote to memory of 980    | 1888 | 14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe | MediaCenter.exe
  PID 1888 wrote to memory of 684    | 1888 | 14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe | cmd.exe
  PID 1888 wrote to memory of 684    | 1888 | 14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe | cmd.exe
  PID 1888 wrote to memory of 684    | 1888 | 14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe | cmd.exe
  PID 1888 wrote to memory of 684    | 1888 | 14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe | cmd.exe
  PID 684 wrote to memory of 1800    | 684  | cmd.exe                                                              | PING.EXE
  PID 684 wrote to memory of 1800    | 684  | cmd.exe                                                              | PING.EXE
  PID 684 wrote to memory of 1800    | 684  | cmd.exe                                                              | PING.EXE
  PID 684 wrote to memory of 1800    | 684  | cmd.exe                                                              | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1888

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 980

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14366ac9ecf55e98afe202d138fb08dac5e0c53d800fe151376a807349f30599.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 684

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1800
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 84ad404e5972cbcd5d007cdbb3895eb9
- SHA1: e43c7a35262656445aaff53fef4837cf7976f829
- SHA256: 194d7d5866503fae50b0e6c829bc78066d14d3b53d6e4904badd3139ec8267ee
- SHA512: 74e04ffe2eddb2a8b3b8214e07331e591e6975d44e35fa2cd251a142636fab71b84b89ca6f362a434519f27815d49c6e662756d4b497619cbd66217cc224148a