Analysis
max time kernel: 140s
max time network: 149s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:14
Static task: static1
Behavioral task: behavioral1
  Sample: 108518289c20a01b1d748ccfa33e32e184c64cf65c7b91fda0509814f33a1fdc.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 108518289c20a01b1d748ccfa33e32e184c64cf65c7b91fda0509814f33a1fdc.exe
  Resource: win10v2004-en-20220113
General
Target: 108518289c20a01b1d748ccfa33e32e184c64cf65c7b91fda0509814f33a1fdc.exe
Size: 150KB
MD5: 6c549ed77a70301a03b92b091059123c
SHA1: d23e43353556c33bfa53c3cfc6a68ee04353c106
SHA256: 108518289c20a01b1d748ccfa33e32e184c64cf65c7b91fda0509814f33a1fdc
SHA512: 606729b529142a919ba4978401b1931a0229bcddde43bd6dbe5ccf678e10e1a19126d96aa3f355e955bfef94a6cb38a78611aa72eaf1742581f62076402addca
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
Processes:
  pid: 1068  process: MediaCenter.exe
Deletes itself (1 IoC)
Processes:
  pid: 1060  process: cmd.exe
Loads dropped DLL (1 IoC)
Processes:
  pid: 848  process: 108518289c20a01b1d748ccfa33e32e184c64cf65c7b91fda0509814f33a1fdc.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 108518289c20a01b1d748ccfa33e32e184c64cf65c7b91fda0509814f33a1fdc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeIncBasePriorityPrivilege  pid: 848  process: 108518289c20a01b1d748ccfa33e32e184c64cf65c7b91fda0509814f33a1fdc.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description | pid | process | target process
  PID 848 wrote to memory of 1068 | 848 | 108518289c20a01b1d748ccfa33e32e184c64cf65c7b91fda0509814f33a1fdc.exe | MediaCenter.exe
  PID 848 wrote to memory of 1068 | 848 | 108518289c20a01b1d748ccfa33e32e184c64cf65c7b91fda0509814f33a1fdc.exe | MediaCenter.exe
  PID 848 wrote to memory of 1068 | 848 | 108518289c20a01b1d748ccfa33e32e184c64cf65c7b91fda0509814f33a1fdc.exe | MediaCenter.exe
  PID 848 wrote to memory of 1068 | 848 | 108518289c20a01b1d748ccfa33e32e184c64cf65c7b91fda0509814f33a1fdc.exe | MediaCenter.exe
  PID 848 wrote to memory of 1060 | 848 | 108518289c20a01b1d748ccfa33e32e184c64cf65c7b91fda0509814f33a1fdc.exe | cmd.exe
  PID 848 wrote to memory of 1060 | 848 | 108518289c20a01b1d748ccfa33e32e184c64cf65c7b91fda0509814f33a1fdc.exe | cmd.exe
  PID 848 wrote to memory of 1060 | 848 | 108518289c20a01b1d748ccfa33e32e184c64cf65c7b91fda0509814f33a1fdc.exe | cmd.exe
  PID 848 wrote to memory of 1060 | 848 | 108518289c20a01b1d748ccfa33e32e184c64cf65c7b91fda0509814f33a1fdc.exe | cmd.exe
  PID 1060 wrote to memory of 1528 | 1060 | cmd.exe | PING.EXE
  PID 1060 wrote to memory of 1528 | 1060 | cmd.exe | PING.EXE
  PID 1060 wrote to memory of 1528 | 1060 | cmd.exe | PING.EXE
  PID 1060 wrote to memory of 1528 | 1060 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\108518289c20a01b1d748ccfa33e32e184c64cf65c7b91fda0509814f33a1fdc.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\108518289c20a01b1d748ccfa33e32e184c64cf65c7b91fda0509814f33a1fdc.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 848
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1068
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\108518289c20a01b1d748ccfa33e32e184c64cf65c7b91fda0509814f33a1fdc.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1060
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1528
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 29149302a0f0da51097ee3eef356f94d
SHA1: fdf265ff129b103922aeac2357d0046ea8a7ee12
SHA256: 92f1f04cd48178fc5559429dabd77cdcabeef6dd1d2827fd48995cd2f047e5e0
SHA512: 32faf05d81a2057147755f7760427a08e588e9d19e24eab395e133e354b952c291fd4ab0b6104e8710431527ba524ef3629f18886b34b45090201c96f591a96f