Analysis
max time kernel: 125s
max time network: 132s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:03
Static task: static1
Behavioral task: behavioral1
  Sample: 1106496c890c677a57fa7a61317ef9d6fb3cfedebdef24750c85c30cda73769a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1106496c890c677a57fa7a61317ef9d6fb3cfedebdef24750c85c30cda73769a.exe
  Resource: win10v2004-en-20220112
General
Target: 1106496c890c677a57fa7a61317ef9d6fb3cfedebdef24750c85c30cda73769a.exe
Size: 152KB
MD5: 80d133fa05e6617504e945bd7ff784f6
SHA1: 068c6bb93cbd6991fcab43a878b837b444a22e93
SHA256: 1106496c890c677a57fa7a61317ef9d6fb3cfedebdef24750c85c30cda73769a
SHA512: c938713c0693a05b5971d04c8c93624445f406e38b954085906a3fc1f083ebe2072d3ba2d4dbaf778de98a309c60284f998fff21539035edd75b9efa3d068077
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  1660 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  1284 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes:
  pid | process
  1468 | 1106496c890c677a57fa7a61317ef9d6fb3cfedebdef24750c85c30cda73769a.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 1106496c890c677a57fa7a61317ef9d6fb3cfedebdef24750c85c30cda73769a.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1468 | 1106496c890c677a57fa7a61317ef9d6fb3cfedebdef24750c85c30cda73769a.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1468 wrote to memory of 1660 | 1468 | 1106496c890c677a57fa7a61317ef9d6fb3cfedebdef24750c85c30cda73769a.exe | MediaCenter.exe
  PID 1468 wrote to memory of 1660 | 1468 | 1106496c890c677a57fa7a61317ef9d6fb3cfedebdef24750c85c30cda73769a.exe | MediaCenter.exe
  PID 1468 wrote to memory of 1660 | 1468 | 1106496c890c677a57fa7a61317ef9d6fb3cfedebdef24750c85c30cda73769a.exe | MediaCenter.exe
  PID 1468 wrote to memory of 1660 | 1468 | 1106496c890c677a57fa7a61317ef9d6fb3cfedebdef24750c85c30cda73769a.exe | MediaCenter.exe
  PID 1468 wrote to memory of 1284 | 1468 | 1106496c890c677a57fa7a61317ef9d6fb3cfedebdef24750c85c30cda73769a.exe | cmd.exe
  PID 1468 wrote to memory of 1284 | 1468 | 1106496c890c677a57fa7a61317ef9d6fb3cfedebdef24750c85c30cda73769a.exe | cmd.exe
  PID 1468 wrote to memory of 1284 | 1468 | 1106496c890c677a57fa7a61317ef9d6fb3cfedebdef24750c85c30cda73769a.exe | cmd.exe
  PID 1468 wrote to memory of 1284 | 1468 | 1106496c890c677a57fa7a61317ef9d6fb3cfedebdef24750c85c30cda73769a.exe | cmd.exe
  PID 1284 wrote to memory of 964 | 1284 | cmd.exe | PING.EXE
  PID 1284 wrote to memory of 964 | 1284 | cmd.exe | PING.EXE
  PID 1284 wrote to memory of 964 | 1284 | cmd.exe | PING.EXE
  PID 1284 wrote to memory of 964 | 1284 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\1106496c890c677a57fa7a61317ef9d6fb3cfedebdef24750c85c30cda73769a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1106496c890c677a57fa7a61317ef9d6fb3cfedebdef24750c85c30cda73769a.exe"
  PID: 1468
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1660
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1106496c890c677a57fa7a61317ef9d6fb3cfedebdef24750c85c30cda73769a.exe"
    PID: 1284
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 964
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 65d0d2a32dc30f818e644a6d8353dc1d
  SHA1: 5005f88f80e9d08cf1874c68fbed6dd8aa54f306
  SHA256: 86b8d1c62fbcd9f7103f8257234a4afa023e4db374a60bcae3f31a3ad617fc9a
  SHA512: 0c46b67a896b65d061655010a99a7d545a5a69b9fbafb41d4866e008cb397341bc70bd92e408438a25d845a93256df87a943a3b2dcb6a159e6db0492b386c138