Analysis
-
max time kernel
152s -
max time network
162s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 06:09
Static task
static1
Behavioral task
behavioral1
Sample
10b2bf6aa046146845d968f2350af50215a109034b79deb1375385d69f0b8ab4.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
10b2bf6aa046146845d968f2350af50215a109034b79deb1375385d69f0b8ab4.exe
Resource
win10v2004-en-20220112
General
-
Target
10b2bf6aa046146845d968f2350af50215a109034b79deb1375385d69f0b8ab4.exe
-
Size
216KB
-
MD5
22a8f741f2e94c89d3d95fd05fc1dfba
-
SHA1
6c50604a4e989d4cb41a32e1518568bcba1ee4e2
-
SHA256
10b2bf6aa046146845d968f2350af50215a109034b79deb1375385d69f0b8ab4
-
SHA512
0c20891241dd2bdda591abf7bf2935616bd6be45c72cd9f653a26ae8c16738e884ac096e86a43926a4b749a9b29a5e9922f5e039be1d8480f2dd6f2266634698
Malware Config
Signatures
-
Sakula Payload 4 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula behavioral1/memory/1560-58-0x0000000000400000-0x0000000000420000-memory.dmp family_sakula behavioral1/memory/528-59-0x0000000000400000-0x0000000000420000-memory.dmp family_sakula -
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 528 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 616 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
10b2bf6aa046146845d968f2350af50215a109034b79deb1375385d69f0b8ab4.exepid process 1560 10b2bf6aa046146845d968f2350af50215a109034b79deb1375385d69f0b8ab4.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
10b2bf6aa046146845d968f2350af50215a109034b79deb1375385d69f0b8ab4.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 10b2bf6aa046146845d968f2350af50215a109034b79deb1375385d69f0b8ab4.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
10b2bf6aa046146845d968f2350af50215a109034b79deb1375385d69f0b8ab4.exedescription pid process Token: SeIncBasePriorityPrivilege 1560 10b2bf6aa046146845d968f2350af50215a109034b79deb1375385d69f0b8ab4.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
10b2bf6aa046146845d968f2350af50215a109034b79deb1375385d69f0b8ab4.execmd.exedescription pid process target process PID 1560 wrote to memory of 528 1560 10b2bf6aa046146845d968f2350af50215a109034b79deb1375385d69f0b8ab4.exe MediaCenter.exe PID 1560 wrote to memory of 528 1560 10b2bf6aa046146845d968f2350af50215a109034b79deb1375385d69f0b8ab4.exe MediaCenter.exe PID 1560 wrote to memory of 528 1560 10b2bf6aa046146845d968f2350af50215a109034b79deb1375385d69f0b8ab4.exe MediaCenter.exe PID 1560 wrote to memory of 528 1560 10b2bf6aa046146845d968f2350af50215a109034b79deb1375385d69f0b8ab4.exe MediaCenter.exe PID 1560 wrote to memory of 616 1560 10b2bf6aa046146845d968f2350af50215a109034b79deb1375385d69f0b8ab4.exe cmd.exe PID 1560 wrote to memory of 616 1560 10b2bf6aa046146845d968f2350af50215a109034b79deb1375385d69f0b8ab4.exe cmd.exe PID 1560 wrote to memory of 616 1560 10b2bf6aa046146845d968f2350af50215a109034b79deb1375385d69f0b8ab4.exe cmd.exe PID 1560 wrote to memory of 616 1560 10b2bf6aa046146845d968f2350af50215a109034b79deb1375385d69f0b8ab4.exe cmd.exe PID 616 wrote to memory of 1164 616 cmd.exe PING.EXE PID 616 wrote to memory of 1164 616 cmd.exe PING.EXE PID 616 wrote to memory of 1164 616 cmd.exe PING.EXE PID 616 wrote to memory of 1164 616 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\10b2bf6aa046146845d968f2350af50215a109034b79deb1375385d69f0b8ab4.exe"C:\Users\Admin\AppData\Local\Temp\10b2bf6aa046146845d968f2350af50215a109034b79deb1375385d69f0b8ab4.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:528 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10b2bf6aa046146845d968f2350af50215a109034b79deb1375385d69f0b8ab4.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:616 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1164
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
36c9f22ddc7307253fc493d13af59cbd
SHA161219fdb30fe2d7581f617d90bceda6108ac9d1c
SHA2563340c1f8c72426a5b1bc7c8ea89811b7416db42a5b8ca1ccb7a7f29a9d07ee61
SHA51297d09b0ab5a30791deb09e2d6f45f45c365af01ee136f2251967f35e7ff90c56d63e5382aa4a57865e21caec9fdc3891b6293e6cda40af525aad93dd28b43be6
-
MD5
36c9f22ddc7307253fc493d13af59cbd
SHA161219fdb30fe2d7581f617d90bceda6108ac9d1c
SHA2563340c1f8c72426a5b1bc7c8ea89811b7416db42a5b8ca1ccb7a7f29a9d07ee61
SHA51297d09b0ab5a30791deb09e2d6f45f45c365af01ee136f2251967f35e7ff90c56d63e5382aa4a57865e21caec9fdc3891b6293e6cda40af525aad93dd28b43be6