Analysis
-
max time kernel: 134s
max time network: 159s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 05:42
Static task: static1
Behavioral task: behavioral1
  Sample: 11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe
  Resource: win10v2004-en-20220113
General
-
Target: 11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe
Size: 216KB
MD5: 4fdb9db18adc89fe16c3443e6b8f08c1
SHA1: db0b3665888e38bc58a49774d19266b94f778f77
SHA256: 11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f
SHA512: d7075c15a5fb39b8e589f8f76508f1c3378361b5ab515871d3493091953de5275fe3266972615503cea03778102c224e77b4f96723689bfad600f282c2f83062
Malware Config
Signatures
-
Sakula Payload (4 IoCs)
Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1156-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/596-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE (1 IoC)
Processes:
  process | pid
  MediaCenter.exe | 596
-
Deletes itself (1 IoC)
Processes:
  process | pid
  cmd.exe | 2020
-
Loads dropped DLL (1 IoC)
Processes:
  process | pid
  11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe | 1156
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe (1 TTP, 1 IoC)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: 11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1156 | 11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: 11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe, cmd.exe
  description | pid | process | target process
  PID 1156 wrote to memory of 596 | 1156 | 11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe | MediaCenter.exe (4 identical entries)
  PID 1156 wrote to memory of 2020 | 1156 | 11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe | cmd.exe (4 identical entries)
  PID 2020 wrote to memory of 1916 | 2020 | cmd.exe | PING.EXE (4 identical entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe (level 1, PID 1156)
  Command line: "C:\Users\Admin\AppData\Local\Temp\11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2, PID 596)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (level 2, PID 2020)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (level 3, PID 1916)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: 764a270fa36e44d86af5952b99be3a20
SHA1: dfd69dff9a3202df8d77c5d2c6cd53ee4657e571
SHA256: a000806a2bdb0c68bad2e4dbf32925e391ae48af5be9d8fa785c5531e50d79d7
SHA512: d12d894dc4e0c287fcaac9d162cffd1a397c757bdda147cdefe114f356df22107d3c5f64c72006b4ddd12c85dd90e3c9e53baa1f973a68e64a42a7b987520ec7