Analysis
- max time kernel: 144s
- max time network: 158s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:17
Static task: static1
Behavioral task: behavioral1
  Sample: 106875161a73af7a2b857be111a7559283c5135b494ffba498281c82cb952a21.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 106875161a73af7a2b857be111a7559283c5135b494ffba498281c82cb952a21.exe
  Resource: win10v2004-en-20220113
General
- Target: 106875161a73af7a2b857be111a7559283c5135b494ffba498281c82cb952a21.exe
- Size: 216KB
- MD5: ec0d33f9ba5379071c38133b5736a04d
- SHA1: 54e5eda285d3f08f6bd1f28f1dde1341af34e913
- SHA256: 106875161a73af7a2b857be111a7559283c5135b494ffba498281c82cb952a21
- SHA512: dc83e9b16b6bfeb2a1cf3adf562ca112eb5d8fd331ef3ad9ae2a2c975bec723233ebd4e741e1da69bc882cba6d0132d6bb9388cc2889909e79dc75aeaa6114ae
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/880-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1612-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  pid | process
  1612 | MediaCenter.exe
- Deletes itself (1 IoC)
  pid | process
  1648 | cmd.exe
- Loads dropped DLL (1 IoC)
  pid | process
  880 | 106875161a73af7a2b857be111a7559283c5135b494ffba498281c82cb952a21.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 106875161a73af7a2b857be111a7559283c5135b494ffba498281c82cb952a21.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 880 | 106875161a73af7a2b857be111a7559283c5135b494ffba498281c82cb952a21.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 880 wrote to memory of 1612 | 880 | 106875161a73af7a2b857be111a7559283c5135b494ffba498281c82cb952a21.exe | MediaCenter.exe
  PID 880 wrote to memory of 1612 | 880 | 106875161a73af7a2b857be111a7559283c5135b494ffba498281c82cb952a21.exe | MediaCenter.exe
  PID 880 wrote to memory of 1612 | 880 | 106875161a73af7a2b857be111a7559283c5135b494ffba498281c82cb952a21.exe | MediaCenter.exe
  PID 880 wrote to memory of 1612 | 880 | 106875161a73af7a2b857be111a7559283c5135b494ffba498281c82cb952a21.exe | MediaCenter.exe
  PID 880 wrote to memory of 1648 | 880 | 106875161a73af7a2b857be111a7559283c5135b494ffba498281c82cb952a21.exe | cmd.exe
  PID 880 wrote to memory of 1648 | 880 | 106875161a73af7a2b857be111a7559283c5135b494ffba498281c82cb952a21.exe | cmd.exe
  PID 880 wrote to memory of 1648 | 880 | 106875161a73af7a2b857be111a7559283c5135b494ffba498281c82cb952a21.exe | cmd.exe
  PID 880 wrote to memory of 1648 | 880 | 106875161a73af7a2b857be111a7559283c5135b494ffba498281c82cb952a21.exe | cmd.exe
  PID 1648 wrote to memory of 540 | 1648 | cmd.exe | PING.EXE
  PID 1648 wrote to memory of 540 | 1648 | cmd.exe | PING.EXE
  PID 1648 wrote to memory of 540 | 1648 | cmd.exe | PING.EXE
  PID 1648 wrote to memory of 540 | 1648 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\106875161a73af7a2b857be111a7559283c5135b494ffba498281c82cb952a21.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\106875161a73af7a2b857be111a7559283c5135b494ffba498281c82cb952a21.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 880
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1612
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\106875161a73af7a2b857be111a7559283c5135b494ffba498281c82cb952a21.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1648
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 540
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 4cea6b753f5340bf5d9d9c4d4ba4b55e
  SHA1: 7b3ba7388462e145d9d8fb76253e67d3bc2fd45e
  SHA256: c1dd43032319c3588a73b578c0c0342cb9c314be8bce8f625f4fd4bd40332925
  SHA512: 2477f5df43eb59d4a2b8af7dd53e30fc00f49d2c216d58b25889a089306a0b4ef18857da05ca3b2a6aeed9c79f79211d0fb48ee5b2f7c9c7953618f2e5f473aa