Analysis
- max time kernel: 140s
- max time network: 148s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:07
Static task: static1
Behavioral task: behavioral1
- Sample: 10cf5cc4281516a173c86f9a5a5a0264187ed03e1bc11d3ac79ed51080963508.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 10cf5cc4281516a173c86f9a5a5a0264187ed03e1bc11d3ac79ed51080963508.exe
- Resource: win10v2004-en-20220113
General
- Target: 10cf5cc4281516a173c86f9a5a5a0264187ed03e1bc11d3ac79ed51080963508.exe
- Size: 152KB
- MD5: 285278ee7cc585a79a7ddd263939548e
- SHA1: 0e19e7d299f3e8f5b1be877cb724762a87c99480
- SHA256: 10cf5cc4281516a173c86f9a5a5a0264187ed03e1bc11d3ac79ed51080963508
- SHA512: a52c784b8c516a722ea393749f325c0f4b96a9089c433fedd007242e8f8aaf8338740db3baeae5edbc7f07c960c49d78f7eac12e4894ddacb19d848fb76d10b3
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
- resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
- resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
Processes:
- MediaCenter.exe (pid 524)
Deletes itself (1 IoC)
Processes:
- cmd.exe (pid 776)
Loads dropped DLL (1 IoC)
Processes:
- 10cf5cc4281516a173c86f9a5a5a0264187ed03e1bc11d3ac79ed51080963508.exe (pid 1680)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"; process: 10cf5cc4281516a173c86f9a5a5a0264187ed03e1bc11d3ac79ed51080963508.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- description: Token: SeIncBasePriorityPrivilege; pid 1680; process: 10cf5cc4281516a173c86f9a5a5a0264187ed03e1bc11d3ac79ed51080963508.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
- PID 1680 (10cf5cc4281516a173c86f9a5a5a0264187ed03e1bc11d3ac79ed51080963508.exe) wrote to memory of 524 (MediaCenter.exe), logged 4 times
- PID 1680 (10cf5cc4281516a173c86f9a5a5a0264187ed03e1bc11d3ac79ed51080963508.exe) wrote to memory of 776 (cmd.exe), logged 4 times
- PID 776 (cmd.exe) wrote to memory of 1096 (PING.EXE), logged 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\10cf5cc4281516a173c86f9a5a5a0264187ed03e1bc11d3ac79ed51080963508.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10cf5cc4281516a173c86f9a5a5a0264187ed03e1bc11d3ac79ed51080963508.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1680
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 524
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10cf5cc4281516a173c86f9a5a5a0264187ed03e1bc11d3ac79ed51080963508.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 776
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1096
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 534718c5323a9cdaa484699d0bc5d663
- SHA1: da95ad988ffecb5b7d05e05a13771ab6b1c5ba9e
- SHA256: 89ff35d0e23ebc91cd20c132a1b83682245e4d11030265de549cf6ca907c7fca
- SHA512: 463f6e0aafa94edd8adf680846200333a30e65c4b2e340e78015724c4b4dc66f5cf3d6a203bffee1304d899002513f79d1504677c60693fd3ea53de116a195d4