Analysis
max time kernel: 147s
max time network: 159s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:10
Static task: static1
Behavioral task: behavioral1
  Sample: 10ab7c4230e5f02540585d8cc2a0c107b9638e544ebb767e16cb6e4e6862db87.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 10ab7c4230e5f02540585d8cc2a0c107b9638e544ebb767e16cb6e4e6862db87.exe
  Resource: win10v2004-en-20220112
General
Target: 10ab7c4230e5f02540585d8cc2a0c107b9638e544ebb767e16cb6e4e6862db87.exe
Size: 92KB
MD5: 7d74c24d105d3c239164cb019c62bd0e
SHA1: 13767e228ecfeb1a6a33300a0a71eba04abc4d77
SHA256: 10ab7c4230e5f02540585d8cc2a0c107b9638e544ebb767e16cb6e4e6862db87
SHA512: 2e267e96942f1b0360229458ce8485c4216252e7d6586b6ee501637d2ce8a885bfccd35caf83705f58c4969fd048cb90e64b22490f79286092bca805102d9875
Malware Config
Signatures
Sakula Payload (2 IoCs)
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
  pid 948  process MediaCenter.exe
Deletes itself (1 IoC)
  pid 728  process cmd.exe
Loads dropped DLL (1 IoC)
  pid 812  process 10ab7c4230e5f02540585d8cc2a0c107b9638e544ebb767e16cb6e4e6862db87.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 10ab7c4230e5f02540585d8cc2a0c107b9638e544ebb767e16cb6e4e6862db87.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeIncBasePriorityPrivilege  pid 812  process 10ab7c4230e5f02540585d8cc2a0c107b9638e544ebb767e16cb6e4e6862db87.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                      pid  process                                                                  target process
  PID 812 wrote to memory of 948   812  10ab7c4230e5f02540585d8cc2a0c107b9638e544ebb767e16cb6e4e6862db87.exe  MediaCenter.exe
  PID 812 wrote to memory of 948   812  10ab7c4230e5f02540585d8cc2a0c107b9638e544ebb767e16cb6e4e6862db87.exe  MediaCenter.exe
  PID 812 wrote to memory of 948   812  10ab7c4230e5f02540585d8cc2a0c107b9638e544ebb767e16cb6e4e6862db87.exe  MediaCenter.exe
  PID 812 wrote to memory of 948   812  10ab7c4230e5f02540585d8cc2a0c107b9638e544ebb767e16cb6e4e6862db87.exe  MediaCenter.exe
  PID 812 wrote to memory of 728   812  10ab7c4230e5f02540585d8cc2a0c107b9638e544ebb767e16cb6e4e6862db87.exe  cmd.exe
  PID 812 wrote to memory of 728   812  10ab7c4230e5f02540585d8cc2a0c107b9638e544ebb767e16cb6e4e6862db87.exe  cmd.exe
  PID 812 wrote to memory of 728   812  10ab7c4230e5f02540585d8cc2a0c107b9638e544ebb767e16cb6e4e6862db87.exe  cmd.exe
  PID 812 wrote to memory of 728   812  10ab7c4230e5f02540585d8cc2a0c107b9638e544ebb767e16cb6e4e6862db87.exe  cmd.exe
  PID 728 wrote to memory of 736   728  cmd.exe                                                                  PING.EXE
  PID 728 wrote to memory of 736   728  cmd.exe                                                                  PING.EXE
  PID 728 wrote to memory of 736   728  cmd.exe                                                                  PING.EXE
  PID 728 wrote to memory of 736   728  cmd.exe                                                                  PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\10ab7c4230e5f02540585d8cc2a0c107b9638e544ebb767e16cb6e4e6862db87.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\10ab7c4230e5f02540585d8cc2a0c107b9638e544ebb767e16cb6e4e6862db87.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 812
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 948
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10ab7c4230e5f02540585d8cc2a0c107b9638e544ebb767e16cb6e4e6862db87.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 728
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 736
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: f25cbdfe3f975d0720ab878ee5a95ba6
SHA1: 36549547878304333690a026a55fb4caceabfcc4
SHA256: c81361b989af6ebfdfb479d095b1a0c27cc085ef6e829bd145c56ac2443b2704
SHA512: efe78fec3a3182e5cf481b44ff1390167f0fec355388fbf3c4537ebc01ed32579e14ae6d3c963a628ff6c14f630c8aed10ede3ac386fd58b37e8119f8a224fab