Analysis
max time kernel: 142s
max time network: 158s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:26
Static task: static1
Behavioral task: behavioral1
  Sample: 1000e73e10e8d7e40be9ee1c5b6be98b1021bb8cc81dc918cd73b373b17f44ce.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1000e73e10e8d7e40be9ee1c5b6be98b1021bb8cc81dc918cd73b373b17f44ce.exe
  Resource: win10v2004-en-20220112
General
Target: 1000e73e10e8d7e40be9ee1c5b6be98b1021bb8cc81dc918cd73b373b17f44ce.exe
Size: 176KB
MD5: a87aaecdc10772206fbdfdc0d8a3a2b0
SHA1: 1c69ff6c9fdfd6a29db9203162f6a207131ee4aa
SHA256: 1000e73e10e8d7e40be9ee1c5b6be98b1021bb8cc81dc918cd73b373b17f44ce
SHA512: ffbbc1b4839d610f4e8e1d6b2bf6cd7ba2278b0f0affce1f09ab7661ca1e6f107420314ce02cd9c2bd5aa06b394d625f99afcde2d6d6fc225a898e0b1d790482
Malware Config
Signatures
Sakula Payload (4 IoCs)
Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1572-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1124-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
Processes:
  pid | process
  1124 | MediaCenter.exe
Deletes itself (1 IoC)
Processes:
  pid | process
  672 | cmd.exe
Loads dropped DLL (1 IoC)
Processes:
  pid | process
  1572 | 1000e73e10e8d7e40be9ee1c5b6be98b1021bb8cc81dc918cd73b373b17f44ce.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1000e73e10e8d7e40be9ee1c5b6be98b1021bb8cc81dc918cd73b373b17f44ce.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1572 | 1000e73e10e8d7e40be9ee1c5b6be98b1021bb8cc81dc918cd73b373b17f44ce.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description | pid | process | target process
  PID 1572 wrote to memory of 1124 | 1572 | 1000e73e10e8d7e40be9ee1c5b6be98b1021bb8cc81dc918cd73b373b17f44ce.exe | MediaCenter.exe
  PID 1572 wrote to memory of 1124 | 1572 | 1000e73e10e8d7e40be9ee1c5b6be98b1021bb8cc81dc918cd73b373b17f44ce.exe | MediaCenter.exe
  PID 1572 wrote to memory of 1124 | 1572 | 1000e73e10e8d7e40be9ee1c5b6be98b1021bb8cc81dc918cd73b373b17f44ce.exe | MediaCenter.exe
  PID 1572 wrote to memory of 1124 | 1572 | 1000e73e10e8d7e40be9ee1c5b6be98b1021bb8cc81dc918cd73b373b17f44ce.exe | MediaCenter.exe
  PID 1572 wrote to memory of 672 | 1572 | 1000e73e10e8d7e40be9ee1c5b6be98b1021bb8cc81dc918cd73b373b17f44ce.exe | cmd.exe
  PID 1572 wrote to memory of 672 | 1572 | 1000e73e10e8d7e40be9ee1c5b6be98b1021bb8cc81dc918cd73b373b17f44ce.exe | cmd.exe
  PID 1572 wrote to memory of 672 | 1572 | 1000e73e10e8d7e40be9ee1c5b6be98b1021bb8cc81dc918cd73b373b17f44ce.exe | cmd.exe
  PID 1572 wrote to memory of 672 | 1572 | 1000e73e10e8d7e40be9ee1c5b6be98b1021bb8cc81dc918cd73b373b17f44ce.exe | cmd.exe
  PID 672 wrote to memory of 1876 | 672 | cmd.exe | PING.EXE
  PID 672 wrote to memory of 1876 | 672 | cmd.exe | PING.EXE
  PID 672 wrote to memory of 1876 | 672 | cmd.exe | PING.EXE
  PID 672 wrote to memory of 1876 | 672 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\1000e73e10e8d7e40be9ee1c5b6be98b1021bb8cc81dc918cd73b373b17f44ce.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1000e73e10e8d7e40be9ee1c5b6be98b1021bb8cc81dc918cd73b373b17f44ce.exe"
  PID: 1572
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1124
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1000e73e10e8d7e40be9ee1c5b6be98b1021bb8cc81dc918cd73b373b17f44ce.exe"
      PID: 672
      - Deletes itself
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 1876
          - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 207f096988123aedf59b4a44d7745098
SHA1: e6e0af92e6b5e4c9aa2da8afbf6dfe0e470a5db3
SHA256: bddade3fbd8f942354a8755733564f5bee532a4e515c464c16d2c04f699f1d96
SHA512: e326cdb0697e4351e11b085e7ed31a11efeabb3462eecee381af42c5f83642a4b7ad174474bcf61d8d058644283b8b490e9275ba606650921d35023a0138facc