Analysis
-
max time kernel
147s -
max time network
167s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 05:56
Static task
static1
Behavioral task
behavioral1
Sample
1143cf737f5f325e4bdc9c1adfa4d8d259931050046e5da772e65fd97772c1be.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
1143cf737f5f325e4bdc9c1adfa4d8d259931050046e5da772e65fd97772c1be.exe
Resource
win10v2004-en-20220112
General
-
Target
1143cf737f5f325e4bdc9c1adfa4d8d259931050046e5da772e65fd97772c1be.exe
-
Size
188KB
-
MD5
6b0398395e1b06438e72a5ee9bec96da
-
SHA1
5ed76d0cd15dcbdf2fa7e8b31c59e0bdec67c7fc
-
SHA256
1143cf737f5f325e4bdc9c1adfa4d8d259931050046e5da772e65fd97772c1be
-
SHA512
fe607428548921eccc6f2e9a71d6aa0176f7f907bc4679a30dc18208b7a7e229d9d04cda8f9d748135e4a7512d2d3d0aa8880c97e4b1b837776f2eb8c2b26176
Malware Config
Signatures
-
Sakula Payload 4 IoCs
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula
behavioral1/memory/952-59-0x0000000000400000-0x0000000000420000-memory.dmp family_sakula
behavioral1/memory/1752-60-0x0000000000400000-0x0000000000420000-memory.dmp family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
pid process
1752 MediaCenter.exe
-
Deletes itself 1 IoCs
Processes:
pid process
1984 cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid process
952 1143cf737f5f325e4bdc9c1adfa4d8d259931050046e5da772e65fd97772c1be.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 1143cf737f5f325e4bdc9c1adfa4d8d259931050046e5da772e65fd97772c1be.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description pid process
Token: SeIncBasePriorityPrivilege 952 1143cf737f5f325e4bdc9c1adfa4d8d259931050046e5da772e65fd97772c1be.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description pid process target process
PID 952 wrote to memory of 1752 952 1143cf737f5f325e4bdc9c1adfa4d8d259931050046e5da772e65fd97772c1be.exe MediaCenter.exe
PID 952 wrote to memory of 1752 952 1143cf737f5f325e4bdc9c1adfa4d8d259931050046e5da772e65fd97772c1be.exe MediaCenter.exe
PID 952 wrote to memory of 1752 952 1143cf737f5f325e4bdc9c1adfa4d8d259931050046e5da772e65fd97772c1be.exe MediaCenter.exe
PID 952 wrote to memory of 1752 952 1143cf737f5f325e4bdc9c1adfa4d8d259931050046e5da772e65fd97772c1be.exe MediaCenter.exe
PID 952 wrote to memory of 1984 952 1143cf737f5f325e4bdc9c1adfa4d8d259931050046e5da772e65fd97772c1be.exe cmd.exe
PID 952 wrote to memory of 1984 952 1143cf737f5f325e4bdc9c1adfa4d8d259931050046e5da772e65fd97772c1be.exe cmd.exe
PID 952 wrote to memory of 1984 952 1143cf737f5f325e4bdc9c1adfa4d8d259931050046e5da772e65fd97772c1be.exe cmd.exe
PID 952 wrote to memory of 1984 952 1143cf737f5f325e4bdc9c1adfa4d8d259931050046e5da772e65fd97772c1be.exe cmd.exe
PID 1984 wrote to memory of 1656 1984 cmd.exe PING.EXE
PID 1984 wrote to memory of 1656 1984 cmd.exe PING.EXE
PID 1984 wrote to memory of 1656 1984 cmd.exe PING.EXE
PID 1984 wrote to memory of 1656 1984 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\1143cf737f5f325e4bdc9c1adfa4d8d259931050046e5da772e65fd97772c1be.exe
"C:\Users\Admin\AppData\Local\Temp\1143cf737f5f325e4bdc9c1adfa4d8d259931050046e5da772e65fd97772c1be.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID:1752
    C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1143cf737f5f325e4bdc9c1adfa4d8d259931050046e5da772e65fd97772c1be.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1984
        C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        - Runs ping.exe
        PID:1656
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5
cc5e56014cc31f4439d60119a0e9fe4f
SHA1
3056d0cce36830f3dfc372c4e2abddf6dbb1b08d
SHA256
d44cfaf44197b3f9a21a7480c38d0df7960522c62c1d991cb6d8926d9017ec35
SHA512
9a4a7d510e091bfa0c917126e460a5ace0b918e8aede04aee949cdd96d1ec7eea137cb251bba116be8d608adcf4a1cf4c3fe20017ba952edc7dd0643bac33d31