Analysis
- max time kernel: 156s
- max time network: 178s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:43
Static task: static1
Behavioral task: behavioral1
  Sample: 11e64d21cac71c3ca1d98e243031b7575607b8981d2c5935704e0a263828c1de.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 11e64d21cac71c3ca1d98e243031b7575607b8981d2c5935704e0a263828c1de.exe
  Resource: win10v2004-en-20220113
General
- Target: 11e64d21cac71c3ca1d98e243031b7575607b8981d2c5935704e0a263828c1de.exe
- Size: 150KB
- MD5: ed10cfcc4fe6402ac90b594ebc7b7511
- SHA1: 3d2676e878e68cd7b94595dbbec7b9bc874f74d9
- SHA256: 11e64d21cac71c3ca1d98e243031b7575607b8981d2c5935704e0a263828c1de
- SHA512: 61d54fbc4030f4141aa9f2869bda2698cc0126746ebf0205f724184f6b558d491272df474c2997a41fe1497068309268f439646d0d9f8d05832b968c2eadd6a3
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    yara_rule: family_sakula
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    yara_rule: family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes:
    pid 808    MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid 824    cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid 1476    11e64d21cac71c3ca1d98e243031b7575607b8981d2c5935704e0a263828c1de.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    11e64d21cac71c3ca1d98e243031b7575607b8981d2c5935704e0a263828c1de.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    pid 1476    11e64d21cac71c3ca1d98e243031b7575607b8981d2c5935704e0a263828c1de.exe    Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (each of the three relationships below is recorded four times in the report):
    PID 1476 (11e64d21cac71c3ca1d98e243031b7575607b8981d2c5935704e0a263828c1de.exe) wrote to memory of PID 808 (MediaCenter.exe)
    PID 1476 (11e64d21cac71c3ca1d98e243031b7575607b8981d2c5935704e0a263828c1de.exe) wrote to memory of PID 824 (cmd.exe)
    PID 824 (cmd.exe) wrote to memory of PID 1844 (PING.EXE)
Processes
- C:\Users\Admin\AppData\Local\Temp\11e64d21cac71c3ca1d98e243031b7575607b8981d2c5935704e0a263828c1de.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11e64d21cac71c3ca1d98e243031b7575607b8981d2c5935704e0a263828c1de.exe"
  PID: 1476
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 808
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11e64d21cac71c3ca1d98e243031b7575607b8981d2c5935704e0a263828c1de.exe"
    PID: 824
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1844
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 3bb25f750ed6e0b40e13762eb7f9d7a6
  SHA1: 8e30b8881848ffb814fb91e66039e13f9238112d
  SHA256: b597a960af4289c06076cf903421c8d7ca38aafea4b134687d58344adc0b62ed
  SHA512: bf2de62e273a4c7de839556f713cf9a0a7c3feb1d2b953be03c48ce1e3d98bd80944dc103ed22cbbae4b12e8fb6cf49b7cda57a6d55c3d9425742649d58d6616