Analysis
- max time kernel: 137s
- max time network: 159s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:55
Static task: static1
Behavioral task: behavioral1
  Sample: 14053a307b20f60ee5a23bfe6a1b7db2f9c510609889443a0a3c9250e0b1e7c4.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 14053a307b20f60ee5a23bfe6a1b7db2f9c510609889443a0a3c9250e0b1e7c4.exe
  Resource: win10v2004-en-20220112
General
- Target: 14053a307b20f60ee5a23bfe6a1b7db2f9c510609889443a0a3c9250e0b1e7c4.exe
- Size: 92KB
- MD5: 79fd3572f2d429099b795671a89a053d
- SHA1: 9cd699611b96568075c9e9a309e5c6a0067a48ff
- SHA256: 14053a307b20f60ee5a23bfe6a1b7db2f9c510609889443a0a3c9250e0b1e7c4
- SHA512: 34d2aacab00ff5ee3710eb57ea5202695039069523646cb3cc2f18634b16b12b30240afd6d0d3709323317e71441fd55bd8e8ac9e2ed212fb243d7f514771419
Malware Config
Signatures
- Sakula Payload 2 IoCs
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE 1 IoCs
  Processes:
    pid | process
    1524 | MediaCenter.exe
- Deletes itself 1 IoCs
  Processes:
    pid | process
    396 | cmd.exe
- Loads dropped DLL 1 IoCs
  Processes:
    pid | process
    1684 | 14053a307b20f60ee5a23bfe6a1b7db2f9c510609889443a0a3c9250e0b1e7c4.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 14053a307b20f60ee5a23bfe6a1b7db2f9c510609889443a0a3c9250e0b1e7c4.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 1684 | 14053a307b20f60ee5a23bfe6a1b7db2f9c510609889443a0a3c9250e0b1e7c4.exe
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes:
    description | pid | process | target process
    PID 1684 wrote to memory of 1524 | 1684 | 14053a307b20f60ee5a23bfe6a1b7db2f9c510609889443a0a3c9250e0b1e7c4.exe | MediaCenter.exe
    PID 1684 wrote to memory of 1524 | 1684 | 14053a307b20f60ee5a23bfe6a1b7db2f9c510609889443a0a3c9250e0b1e7c4.exe | MediaCenter.exe
    PID 1684 wrote to memory of 1524 | 1684 | 14053a307b20f60ee5a23bfe6a1b7db2f9c510609889443a0a3c9250e0b1e7c4.exe | MediaCenter.exe
    PID 1684 wrote to memory of 1524 | 1684 | 14053a307b20f60ee5a23bfe6a1b7db2f9c510609889443a0a3c9250e0b1e7c4.exe | MediaCenter.exe
    PID 1684 wrote to memory of 396 | 1684 | 14053a307b20f60ee5a23bfe6a1b7db2f9c510609889443a0a3c9250e0b1e7c4.exe | cmd.exe
    PID 1684 wrote to memory of 396 | 1684 | 14053a307b20f60ee5a23bfe6a1b7db2f9c510609889443a0a3c9250e0b1e7c4.exe | cmd.exe
    PID 1684 wrote to memory of 396 | 1684 | 14053a307b20f60ee5a23bfe6a1b7db2f9c510609889443a0a3c9250e0b1e7c4.exe | cmd.exe
    PID 1684 wrote to memory of 396 | 1684 | 14053a307b20f60ee5a23bfe6a1b7db2f9c510609889443a0a3c9250e0b1e7c4.exe | cmd.exe
    PID 396 wrote to memory of 956 | 396 | cmd.exe | PING.EXE
    PID 396 wrote to memory of 956 | 396 | cmd.exe | PING.EXE
    PID 396 wrote to memory of 956 | 396 | cmd.exe | PING.EXE
    PID 396 wrote to memory of 956 | 396 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\14053a307b20f60ee5a23bfe6a1b7db2f9c510609889443a0a3c9250e0b1e7c4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\14053a307b20f60ee5a23bfe6a1b7db2f9c510609889443a0a3c9250e0b1e7c4.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1684
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1524
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14053a307b20f60ee5a23bfe6a1b7db2f9c510609889443a0a3c9250e0b1e7c4.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 396
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 956
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 38a231d90fd9b7dcbe2bc65a3db53ce9
  SHA1: 5b050c3375a69b398d22f1234f7d0258c02060f7
  SHA256: 86eaac29b19e60e5d9308d578b6af295d75baac51f7cdfe88b1c788392f47d71
  SHA512: 6a4663635440c08bdb81115f22869920d20e0692403ca2d631e477963a2d62089d6e5ae770b7d1b54748967a8eec8a0d1b43df82afbbc58ea2956bb3b1f21f4d