Analysis
- max time kernel: 145s
- max time network: 169s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:21
Static task: static1
Behavioral task: behavioral1
- Sample: 103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e.exe
- Resource: win10v2004-en-20220113
General
- Target: 103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e.exe
- Size: 150KB
- MD5: 258be498df76a8a9ee6e3ab283622ecf
- SHA1: b90d29738d9f9e62a9505cc57996fe9bedfa98b0
- SHA256: 103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e
- SHA512: b764565725db1c120ebbb2186a6c0bf6024b8781e7cef93d3189a8078790d2f12267fbc47bfd9739caf409cdd0b7664023af7bead97dbdecb3939cec923b7fa8
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource | yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  1616 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid | process):
  740 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid | process):
  1608 | 103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 1608 | 103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 1608 wrote to memory of 1616 | 1608 | 103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e.exe | MediaCenter.exe (4 events)
  PID 1608 wrote to memory of 740 | 1608 | 103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e.exe | cmd.exe (4 events)
  PID 740 wrote to memory of 804 | 740 | cmd.exe | PING.EXE (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1608
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1616
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\103eede7d55650429c82dc2164b4506fff72554a91610155b9840b54f3f1544e.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 740
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 804
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: aaddf17a7de7799b09e31dc366cc0f49
  SHA1: ac18a809fe8bb0118bcb7581cbf0e5ba646a426f
  SHA256: 033f6fe97b058ed9b6878d887ab22b5436638488fc49991cc654a9781de716d1
  SHA512: 5fdab2e222c853676cc74b038ef0286baf2f7ec121a4f989efebcd41fec0caf568a2fafd5ae9ba4ae03b23c82ba129f0fde4c9f2495db8114758b0a5d5898031