Analysis
- max time kernel: 145s
- max time network: 155s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:36
Static task: static1
Behavioral task: behavioral1
- Sample: 1235f0d35686b31972ebb629be918bcb4f2178e3c896825dd65fc5d6325b15dc.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 1235f0d35686b31972ebb629be918bcb4f2178e3c896825dd65fc5d6325b15dc.exe
- Resource: win10v2004-en-20220112
General
- Target: 1235f0d35686b31972ebb629be918bcb4f2178e3c896825dd65fc5d6325b15dc.exe
- Size: 92KB
- MD5: 1bf526548688d71ac26e41d91d89f8c1
- SHA1: 128b5b2fde6377c26a60da99e0a7bcb5ba8def60
- SHA256: 1235f0d35686b31972ebb629be918bcb4f2178e3c896825dd65fc5d6325b15dc
- SHA512: c80d0b529a5dae39f913fa19892b6e9fb3073405704cb4d81326b3a8d8ba01ef040259fcd378b62ff69cc79a5c612c5c48cd0e422cf10c896af380ed5e81f8a2
Malware Config
Signatures
-
- Sakula Payload (2 IoCs)
  Processes (resource / yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    588  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    856  cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
    1364  1235f0d35686b31972ebb629be918bcb4f2178e3c896825dd65fc5d6325b15dc.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  1235f0d35686b31972ebb629be918bcb4f2178e3c896825dd65fc5d6325b15dc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" label to this heuristic; nothing else in this report supports that reading, and the YARA (family_sakula) and Suricata (Sakula/Mivast RAT CnC Beacon) hits identify the sample as a RAT, not ransomware.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege  1364  1235f0d35686b31972ebb629be918bcb4f2178e3c896825dd65fc5d6325b15dc.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (pid / process -> target pid / target process), 4 write events for each pair:
    1364  1235f0d35686b31972ebb629be918bcb4f2178e3c896825dd65fc5d6325b15dc.exe -> 588   MediaCenter.exe
    1364  1235f0d35686b31972ebb629be918bcb4f2178e3c896825dd65fc5d6325b15dc.exe -> 856   cmd.exe
    856   cmd.exe -> 2024  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1235f0d35686b31972ebb629be918bcb4f2178e3c896825dd65fc5d6325b15dc.exe (PID 1364)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1235f0d35686b31972ebb629be918bcb4f2178e3c896825dd65fc5d6325b15dc.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 588)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 856)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1235f0d35686b31972ebb629be918bcb4f2178e3c896825dd65fc5d6325b15dc.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 2024)
      Command line: ping 127.0.0.1
      - Runs ping.exe

Note: the sample runs as a 32-bit process. It asks for C:\Windows\System32\cmd.exe, but the image that actually loads is C:\Windows\SysWOW64\cmd.exe (WOW64 file-system redirection), and for the same reason its Run value lands under Wow6432Node rather than the native Run key. In the cmd.exe command line, ping 127.0.0.1 is not network activity of interest; it is a short delay so that the original executable has exited before del /q unlinks it. The persisted component is the dropped MediaCenter.exe that the Run value points at.
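The three behaviours in this tree (a %TEMP%-resident dropper launching a %TEMP%-resident payload, a Run value pointing into %TEMP%, and the ping-then-del self-removal) are each cheap to detect from process-creation and registry telemetry. The following is an added example, not part of the sandbox report or of any tool it uses: a small Python detector run over constructed events that mirror the report's process tree and Run-key IoC. The event dictionaries, their field names (loosely imitating Sysmon Event ID 1 and 13), the regular expressions and the rule names are all my assumptions.

```python
import re

# Constructed events modelled on the process tree and the Run-key IoC in the
# report above. They are NOT sandbox output; the field names imitate Sysmon
# Event ID 1 (process create) and Event ID 13 (registry value set).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1235f0d35686b31972ebb629be918bcb4f2178e3c896825dd65fc5d6325b15dc.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
RUN_VALUE = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia"

EVENTS = [
    {"type": "process", "pid": 1364, "image": SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 588, "image": DROPPED,
     "parent_image": SAMPLE, "cmdline": DROPPED},
    {"type": "registry", "pid": 1364, "image": SAMPLE,
     "target": RUN_VALUE, "details": DROPPED},
    {"type": "process", "pid": 856, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": SAMPLE,
     "cmdline": rf'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 2024, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "ping 127.0.0.1"},
]

# "ping <host> ... & del [/switches] <file.exe>": ping is only there as a delay
# so the caller can exit before its own file is unlinked. Handles "-n N",
# output redirection before the "&", and /f /q style switches.
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:-n\s+\d+\s+)?\S+.*?&+\s*del\s+(?:/[a-z]\s+)*"?(?P<target>[^"&]+?\.exe)"?',
    re.IGNORECASE)
# ...\CurrentVersion\Run or RunOnce, in the native or the Wow6432Node view.
RUN_KEY_RE = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
    re.IGNORECASE)
# Per-user temp directory: writable without elevation, a common drop location.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def self_delete_target(cmdline):
    """Return the .exe path a `ping ... & del ...` one-liner deletes, or None."""
    m = SELF_DELETE_RE.search(cmdline)
    return m.group("target").strip() if m else None


def _same_path(a, b):
    # Windows paths are case-insensitive; quotes are command-line syntax, not path.
    return a.strip('"').lower() == b.strip('"').lower()


def analyse(events):
    """Run the three heuristics over a list of events; return (rule, pid, detail) tuples."""
    findings = []
    for e in events:
        if e["type"] == "process":
            target = self_delete_target(e["cmdline"])
            if target is not None:
                # Strongest signal when the file being deleted is the parent's own image.
                detail = ("deletes its own parent image"
                          if _same_path(target, e["parent_image"]) else f"deletes {target}")
                findings.append(("self_delete_via_ping", e["pid"], detail))
            # A binary in %TEMP% launching another binary in %TEMP%: the
            # dropper -> payload step seen as MediaCenter.exe above.
            if TEMP_RE.search(e["image"]) and TEMP_RE.search(e["parent_image"]):
                findings.append(("temp_exe_spawns_temp_exe", e["pid"], e["image"]))
        elif e["type"] == "registry":
            # Autostart value whose data points into a user-writable temp path.
            if RUN_KEY_RE.search(e["target"]) and TEMP_RE.search(e["details"]):
                findings.append(("run_key_to_temp", e["pid"], f'{e["target"]} = {e["details"]}'))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyse(EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

Against the constructed events this yields one hit per heuristic: PID 588 for the Temp-to-Temp spawn, PID 1364 for the Run value, and PID 856 for the self-delete, with the last one noting that the deleted file is the parent's own image. The ping-based self-delete rule deliberately keys on the command-line shape rather than on 127.0.0.1, since the same trick works with any reachable host and with a `-n` count to lengthen the delay.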
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 8130f92bb2419815dbdd517cc73b71dd
  SHA1: fe874e68dd58700b85aee04e9bbdb2305c978435
  SHA256: 5ac72ce02877c54a819ad0e7ead25a6e4d5cb10c3f96525de550b147735a6429
  SHA512: ba30eda41d6654cd8f0de08cdad44ea0aaaaba1b3a714b2f5170e5aa93996b948db616c7a1f42d7aa9e03ef09b5f1631b4da9479c05c9971adef0b78ac24fa78