Analysis
- max time kernel: 153s
- max time network: 169s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:01
Static task: static1
Behavioral task: behavioral1
  Sample: 111d5a185a7e0b10ccbe4f67179fc03a1d18abda039297dd3aa29cfa0cff665d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 111d5a185a7e0b10ccbe4f67179fc03a1d18abda039297dd3aa29cfa0cff665d.exe
  Resource: win10v2004-en-20220113
General
- Target: 111d5a185a7e0b10ccbe4f67179fc03a1d18abda039297dd3aa29cfa0cff665d.exe
- Size: 116KB
- MD5: dbcc2e09b92133870550bf10ffc6a7ac
- SHA1: ac0a3bfb2e4fe1142f8f49c6c2bbea3a91d55db1
- SHA256: 111d5a185a7e0b10ccbe4f67179fc03a1d18abda039297dd3aa29cfa0cff665d
- SHA512: 1a0926ae843b4d6479bb03766cb30b5863f9f0cc2a4cf50f4c5141468319b9b56967306cb4ef48e2bf7ce2552da24c1d38e20f446b37da5824dbb2b54f05748e
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes (resource / yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
    behavioral1/memory/1532-59-0x0000000000400000-0x0000000000420000-memory.dmp / family_sakula
    behavioral1/memory/904-60-0x0000000000400000-0x0000000000420000-memory.dmp / family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    904 / MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    284 / cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
    1532 / 111d5a185a7e0b10ccbe4f67179fc03a1d18abda039297dd3aa29cfa0cff665d.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 111d5a185a7e0b10ccbe4f67179fc03a1d18abda039297dd3aa29cfa0cff665d.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege / 1532 / 111d5a185a7e0b10ccbe4f67179fc03a1d18abda039297dd3aa29cfa0cff665d.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process), each event recorded 4 times:
    PID 1532 wrote to memory of 904 / 1532 / 111d5a185a7e0b10ccbe4f67179fc03a1d18abda039297dd3aa29cfa0cff665d.exe / MediaCenter.exe
    PID 1532 wrote to memory of 284 / 1532 / 111d5a185a7e0b10ccbe4f67179fc03a1d18abda039297dd3aa29cfa0cff665d.exe / cmd.exe
    PID 284 wrote to memory of 1076 / 284 / cmd.exe / PING.EXE
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\111d5a185a7e0b10ccbe4f67179fc03a1d18abda039297dd3aa29cfa0cff665d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\111d5a185a7e0b10ccbe4f67179fc03a1d18abda039297dd3aa29cfa0cff665d.exe"
  PID: 1532
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 904
    - Executes dropped EXE
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\111d5a185a7e0b10ccbe4f67179fc03a1d18abda039297dd3aa29cfa0cff665d.exe"
    PID: 284
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1076
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 08e95293dec655115c15eed70ba7ad50
  SHA1: 938786cb988da7d49d0e585de4f7a2fb796a1191
  SHA256: 4af13fe3e7bc7a81efa9295e447aa54c83e05faa37872246d3bd312d865b53f2
  SHA512: 0798a9c29eed1412a344ae4259f0b174cb3d3847dc4723d89e909364a484d38299b3384228bbc65683b83e2fa44539f335e3afb5ec10114d95dadc6067c38b84