Analysis
max time kernel: 142s
max time network: 159s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 09:28
Static task: static1
Behavioral task: behavioral1
  Sample: 09f678c4fa3a8fe058d82729e176c055c8e4b2f82e322445923aa08d1274d204.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 09f678c4fa3a8fe058d82729e176c055c8e4b2f82e322445923aa08d1274d204.exe
  Resource: win10v2004-en-20220113
General
Target: 09f678c4fa3a8fe058d82729e176c055c8e4b2f82e322445923aa08d1274d204.exe
Size: 151KB
MD5: d5f44d4757a0ca579bd35ab40633aa29
SHA1: 5ac6874123a0bba1273aff2de9bd913ed29689e2
SHA256: 09f678c4fa3a8fe058d82729e176c055c8e4b2f82e322445923aa08d1274d204
SHA512: 2788a15aca9382be9df469fc5296571e41f4f3504368e1f919fc822900b8a2d06dde8d46bb448ca40f6fcce7e877d8c6e00c28f77bff78ed8933d8166e3b4317
Malware Config
Signatures
Sakula Payload (2 IoCs)
  Processes:
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
    resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoCs)
  Processes:
    pid: 648, process: MediaCenter.exe
Deletes itself (1 IoCs)
  Processes:
    pid: 1204, process: cmd.exe
Loads dropped DLL (1 IoCs)
  Processes:
    pid: 1668, process: 09f678c4fa3a8fe058d82729e176c055c8e4b2f82e322445923aa08d1274d204.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str), ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", process: 09f678c4fa3a8fe058d82729e176c055c8e4b2f82e322445923aa08d1274d204.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeIncBasePriorityPrivilege, pid: 1668, process: 09f678c4fa3a8fe058d82729e176c055c8e4b2f82e322445923aa08d1274d204.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    PID 1668 wrote to memory of 648 (process: 09f678c4fa3a8fe058d82729e176c055c8e4b2f82e322445923aa08d1274d204.exe, target process: MediaCenter.exe), 4 entries
    PID 1668 wrote to memory of 1204 (process: 09f678c4fa3a8fe058d82729e176c055c8e4b2f82e322445923aa08d1274d204.exe, target process: cmd.exe), 4 entries
    PID 1204 wrote to memory of 1792 (process: cmd.exe, target process: PING.EXE), 4 entries
Processes
C:\Users\Admin\AppData\Local\Temp\09f678c4fa3a8fe058d82729e176c055c8e4b2f82e322445923aa08d1274d204.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09f678c4fa3a8fe058d82729e176c055c8e4b2f82e322445923aa08d1274d204.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1668
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 648
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09f678c4fa3a8fe058d82729e176c055c8e4b2f82e322445923aa08d1274d204.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1204
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1792
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 7dc82730c170e1d321031aaa5ab5cbb3
  SHA1: 82070eaf116a470f48117f4426bfb61e7c3f6555
  SHA256: 5f2497c010ad33e07975b22cc4e4bd63c50f7d0e27c4e80234269c21ae1e3cc3
  SHA512: 6c4c6aefff7906a3510d54525b3447ba8ba5cbe8986ddd66e3657c964ee4856416edb238e222bd0b238d9afed197497831a213b7dce13598ff815fb83390916c
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 7dc82730c170e1d321031aaa5ab5cbb3
  SHA1: 82070eaf116a470f48117f4426bfb61e7c3f6555
  SHA256: 5f2497c010ad33e07975b22cc4e4bd63c50f7d0e27c4e80234269c21ae1e3cc3
  SHA512: 6c4c6aefff7906a3510d54525b3447ba8ba5cbe8986ddd66e3657c964ee4856416edb238e222bd0b238d9afed197497831a213b7dce13598ff815fb83390916c
memory/1668-55-0x0000000075191000-0x0000000075193000-memory.dmp
  Filesize: 8KB