Analysis
- max time kernel: 136s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:04
Static task: static1
Behavioral task: behavioral1
  Sample: 10f92fc82c4e205ae9a07b49793825556e82a131e1e0b8f55fa9e66f061f5b8f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 10f92fc82c4e205ae9a07b49793825556e82a131e1e0b8f55fa9e66f061f5b8f.exe
  Resource: win10v2004-en-20220112
General
- Target: 10f92fc82c4e205ae9a07b49793825556e82a131e1e0b8f55fa9e66f061f5b8f.exe
- Size: 92KB
- MD5: 19b96b1f196c372be09c209cf92d6ec8
- SHA1: 813f23b80e8b04d60f3c762f6fdafc0cdf6b4b86
- SHA256: 10f92fc82c4e205ae9a07b49793825556e82a131e1e0b8f55fa9e66f061f5b8f
- SHA512: 02643f120608c0b33c7d875cb7aaa3d00ade547d6286e09f9c78f125167f0c2d23881ecbb0a4889f4c841febe6e387202eceb445fd3fd8b832353e477ceba5f9
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  pid 1656, process MediaCenter.exe
- Deletes itself (1 IoC)
  pid 780, process cmd.exe
- Loads dropped DLL (1 IoC)
  pid 1488, process 10f92fc82c4e205ae9a07b49793825556e82a131e1e0b8f55fa9e66f061f5b8f.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 10f92fc82c4e205ae9a07b49793825556e82a131e1e0b8f55fa9e66f061f5b8f.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, pid 1488, process 10f92fc82c4e205ae9a07b49793825556e82a131e1e0b8f55fa9e66f061f5b8f.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1488 wrote to memory of 1656: 10f92fc82c4e205ae9a07b49793825556e82a131e1e0b8f55fa9e66f061f5b8f.exe -> MediaCenter.exe
  PID 1488 wrote to memory of 1656: 10f92fc82c4e205ae9a07b49793825556e82a131e1e0b8f55fa9e66f061f5b8f.exe -> MediaCenter.exe
  PID 1488 wrote to memory of 1656: 10f92fc82c4e205ae9a07b49793825556e82a131e1e0b8f55fa9e66f061f5b8f.exe -> MediaCenter.exe
  PID 1488 wrote to memory of 1656: 10f92fc82c4e205ae9a07b49793825556e82a131e1e0b8f55fa9e66f061f5b8f.exe -> MediaCenter.exe
  PID 1488 wrote to memory of 780: 10f92fc82c4e205ae9a07b49793825556e82a131e1e0b8f55fa9e66f061f5b8f.exe -> cmd.exe
  PID 1488 wrote to memory of 780: 10f92fc82c4e205ae9a07b49793825556e82a131e1e0b8f55fa9e66f061f5b8f.exe -> cmd.exe
  PID 1488 wrote to memory of 780: 10f92fc82c4e205ae9a07b49793825556e82a131e1e0b8f55fa9e66f061f5b8f.exe -> cmd.exe
  PID 1488 wrote to memory of 780: 10f92fc82c4e205ae9a07b49793825556e82a131e1e0b8f55fa9e66f061f5b8f.exe -> cmd.exe
  PID 780 wrote to memory of 288: cmd.exe -> PING.EXE
  PID 780 wrote to memory of 288: cmd.exe -> PING.EXE
  PID 780 wrote to memory of 288: cmd.exe -> PING.EXE
  PID 780 wrote to memory of 288: cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\10f92fc82c4e205ae9a07b49793825556e82a131e1e0b8f55fa9e66f061f5b8f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10f92fc82c4e205ae9a07b49793825556e82a131e1e0b8f55fa9e66f061f5b8f.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1488
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1656
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10f92fc82c4e205ae9a07b49793825556e82a131e1e0b8f55fa9e66f061f5b8f.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 780
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 288
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 227a15da7aa51c110c8d9fcb3e91f8d4
  SHA1: 4b82e5c41e35667489ec41ef9fbe63c924ac5e3e
  SHA256: 85378112b840ae3c28801e9ea3857a06bb215428d600c8334dbafc25181694b1
  SHA512: d676672f3c8744cc41ed3c3715f864d84b1d573b11d4124fcd8844b3158d63afbfa7d754c3be17f0d6e75e42a3df98ec5d96852b991e7cb43a413497e74006cf