Analysis
- max time kernel: 154s
- max time network: 165s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:29
Static task: static1
Behavioral task: behavioral1
- Sample: 09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe
- Resource: win10v2004-en-20220113
General
- Target: 09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe
- Size: 216KB
- MD5: 99c98e88b064f33c2014dfb6c136ca66
- SHA1: 4010616210d9a0c2965548ce1ca76fe5e6580265
- SHA256: 09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333
- SHA512: c159ee34a0d3eb8e5f969cddcf1649d50970fd44f0930bc65bb6855626dbe03d1fe3857f3de755356e309998c7f5363ad30b33d4d521b0092c35a8c7b1de5fb0
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes (resource -> yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
  behavioral1/memory/964-58-0x0000000000400000-0x0000000000420000-memory.dmp -> family_sakula
  behavioral1/memory/804-59-0x0000000000400000-0x0000000000420000-memory.dmp -> family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoCs)
  Processes (pid, process): 804 MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid, process): 828 cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid, process): 964 09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
  Token: SeIncBasePriorityPrivilege | 964 | 09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 964 wrote to memory of 804 | 964 | 09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe | MediaCenter.exe
  PID 964 wrote to memory of 804 | 964 | 09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe | MediaCenter.exe
  PID 964 wrote to memory of 804 | 964 | 09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe | MediaCenter.exe
  PID 964 wrote to memory of 804 | 964 | 09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe | MediaCenter.exe
  PID 964 wrote to memory of 828 | 964 | 09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe | cmd.exe
  PID 964 wrote to memory of 828 | 964 | 09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe | cmd.exe
  PID 964 wrote to memory of 828 | 964 | 09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe | cmd.exe
  PID 964 wrote to memory of 828 | 964 | 09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe | cmd.exe
  PID 828 wrote to memory of 1804 | 828 | cmd.exe | PING.EXE
  PID 828 wrote to memory of 1804 | 828 | cmd.exe | PING.EXE
  PID 828 wrote to memory of 1804 | 828 | cmd.exe | PING.EXE
  PID 828 wrote to memory of 1804 | 828 | cmd.exe | PING.EXE
Processes (indentation shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe"
  PID: 964
  Signatures:
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 804
    Signatures:
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe"
    PID: 828
    Signatures:
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1804
      Signatures:
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 5e0343e205b87a0727928fc3792be536
  SHA1: 545b4290b7d978b0a9a2aac364c9c8fa6bdfcbb4
  SHA256: 19151fc9771dca91fbcb6a5769acfef61371d2fe8d7312f62bc4f7fa21b1f147
  SHA512: 5fb56bc4dec947cb18258f80e7b8dae6731cf10938ff75893c3da5396d6e944732651b72e8e640c424d9f3b51a4cdfac99e325264f69d23a0a8a95114d4b9255
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 5e0343e205b87a0727928fc3792be536
  SHA1: 545b4290b7d978b0a9a2aac364c9c8fa6bdfcbb4
  SHA256: 19151fc9771dca91fbcb6a5769acfef61371d2fe8d7312f62bc4f7fa21b1f147
  SHA512: 5fb56bc4dec947cb18258f80e7b8dae6731cf10938ff75893c3da5396d6e944732651b72e8e640c424d9f3b51a4cdfac99e325264f69d23a0a8a95114d4b9255
- memory/804-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/964-54-0x0000000075341000-0x0000000075343000-memory.dmp
  Filesize: 8KB
- memory/964-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB