Analysis
Max time kernel: 136s
Max time network: 140s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 09:34
Static task: static1
Behavioral task: behavioral1
  Sample: 099c8dee19f5d24a9357d25727ae8977233cc1755a4293dcc5bfc92d04d46390.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 099c8dee19f5d24a9357d25727ae8977233cc1755a4293dcc5bfc92d04d46390.exe
  Resource: win10v2004-en-20220112
General
Target: 099c8dee19f5d24a9357d25727ae8977233cc1755a4293dcc5bfc92d04d46390.exe
Size: 150KB
MD5: 38f61730148180d53abcb15c1f7d0a3a
SHA1: 4fbcf95203134e74d658184c6fd627f13e1607ed
SHA256: 099c8dee19f5d24a9357d25727ae8977233cc1755a4293dcc5bfc92d04d46390
SHA512: 9f6d38c317fec47e2bca9cca8cc0df66476f71113853d3961e82201acd11a4c6f296d68f493992d2fa6ba2e7b8703de06b64b208a9de09d100d2a59d49d9c2cc
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes (resource / yara_rule):
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
Processes (pid / process):
  1096  MediaCenter.exe
Deletes itself (1 IoC)
Processes (pid / process):
  1224  cmd.exe
Loads dropped DLL (1 IoC)
Processes (pid / process):
  840  099c8dee19f5d24a9357d25727ae8977233cc1755a4293dcc5bfc92d04d46390.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description / ioc / process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  099c8dee19f5d24a9357d25727ae8977233cc1755a4293dcc5bfc92d04d46390.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but that is a generic heuristic: the YARA and Suricata hits above classify the sample as the Sakula/Mivast RAT, and nothing else in this report (no mass file writes, no ransom note) supports a ransomware reading.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description / pid / process):
  Token: SeIncBasePriorityPrivilege  840  099c8dee19f5d24a9357d25727ae8977233cc1755a4293dcc5bfc92d04d46390.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (pid / process / target process; the report logs each pairing four times):
  PID 840 wrote to memory of 1096   099c8dee19f5d24a9357d25727ae8977233cc1755a4293dcc5bfc92d04d46390.exe -> MediaCenter.exe  (4 entries)
  PID 840 wrote to memory of 1224   099c8dee19f5d24a9357d25727ae8977233cc1755a4293dcc5bfc92d04d46390.exe -> cmd.exe  (4 entries)
  PID 1224 wrote to memory of 632   cmd.exe -> PING.EXE  (4 entries)
All three pairings are parent-to-direct-child writes that coincide with the process creations in the tree below; no write into an unrelated, already-running process (which would indicate injection) is recorded.
Processes
1. C:\Users\Admin\AppData\Local\Temp\099c8dee19f5d24a9357d25727ae8977233cc1755a4293dcc5bfc92d04d46390.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\099c8dee19f5d24a9357d25727ae8977233cc1755a4293dcc5bfc92d04d46390.exe"
   PID: 840
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1096
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\099c8dee19f5d24a9357d25727ae8977233cc1755a4293dcc5bfc92d04d46390.exe"
      PID: 1224
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 632
         - Runs ping.exe
Two details of this tree are worth reading correctly. The ping to 127.0.0.1 is not network activity of interest; it is a short delay so that the dropper (PID 840) has exited, and its file is no longer locked, before del /q removes it. And cmd.exe is requested as C:\Windows\System32\cmd.exe but runs from C:\Windows\SysWOW64: the dropper is a 32-bit process (its Run key also lands under Wow6432Node), so WOW64 file-system redirection maps the System32 path to SysWOW64.
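The chain above (an executable in %TEMP% launching a second executable from %TEMP%, registering it under a Run key, then erasing itself through cmd /c ping 127.0.0.1 & del /q) is straightforward to hunt for in endpoint telemetry. The following is an added example and is not part of the sandbox report or of any tool it names: three checks run over constructed Sysmon-style process-creation and registry-value-set records that mirror the report's process tree, with two benign records added to show the checks stay quiet on ordinary activity. The event field names, the regular expressions and the benign records are assumptions made for the example.

```python
"""Hunt for the dropper -> payload -> Run key -> self-delete chain.

Added example, not from the sandbox report. Events model a subset of Sysmon
fields (Event ID 1 process create, Event ID 13 registry value set); the
records below are constructed to mirror the report's process tree.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:  # subset of Sysmon Event ID 1 (assumed field names)
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RegEvent:  # subset of Sysmon Event ID 13 (assumed field names)
    pid: int
    image: str
    target: str   # registry value path
    details: str  # value data


RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# cmd.exe /c ping <anything> & del [/q] "<drive>:\...\<name>.exe"; the ping is
# only a delay so the parent has exited before the delete runs.
SELF_DEL_RE = re.compile(
    r'/c\s+ping\b.*?&\s*del\b[^"]*?"?(?P<path>[A-Za-z]:\\[^"&]+?\.exe)"?\s*$', re.I)


def find_self_deletion(events):
    """(cmd_pid, deleted_path) for each cmd.exe whose del target is its parent's image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DEL_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and parent.image.lower() == m.group("path").lower():
            hits.append((e.pid, parent.image))
    return hits


def find_temp_run_keys(reg_events):
    """(pid, value_path, exe) for Run/RunOnce values pointing into AppData\\Local\\Temp."""
    return [(r.pid, r.target, r.details.strip('"'))
            for r in reg_events
            if RUN_KEY_RE.search(r.target) and TEMP_RE.search(r.details)]


def find_dropped_exe_launch(events):
    """(parent_pid, child_pid, child_image) when a %TEMP% exe starts a different %TEMP% exe."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        p = by_pid.get(e.ppid)
        if (p is not None and TEMP_RE.search(e.image) and TEMP_RE.search(p.image)
                and e.image.lower() != p.image.lower()):
            hits.append((p.pid, e.pid, e.image))
    return hits


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\099c8dee19f5d24a9357d25727ae8977233cc1755a4293dcc5bfc92d04d46390.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
RUN_VALUE = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia"

PROC_EVENTS = [  # constructed from the report's process tree (PIDs as reported)
    ProcEvent(840, 1, DROPPER, f'"{DROPPER}"'),
    ProcEvent(1096, 840, PAYLOAD, PAYLOAD),
    ProcEvent(1224, 840, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER}"'),
    ProcEvent(632, 1224, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    # constructed benign record: a script deleting a log file (no ping, no parent match)
    ProcEvent(2000, 1500, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c del /q C:\Temp\old.log'),
]
REG_EVENTS = [  # constructed; the first record mirrors the report's Run key write
    RegEvent(840, DROPPER, RUN_VALUE, f'"{PAYLOAD}"'),
    # constructed benign record: an installer registering an agent under Program Files
    RegEvent(3000, r"C:\Program Files\Vendor\setup.exe",
             r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
             r"C:\Program Files\Vendor\agent.exe"),
]


def run_hunt(proc_events=PROC_EVENTS, reg_events=REG_EVENTS):
    return {
        "self_deletion": find_self_deletion(proc_events),
        "temp_run_keys": find_temp_run_keys(reg_events),
        "dropped_exe_launch": find_dropped_exe_launch(proc_events),
    }


if __name__ == "__main__":
    for name, hits in run_hunt().items():
        print(f"{name}: {hits}")
```

The self-deletion check keys on the relationship rather than the strings: it only fires when the path handed to del is the image of the cmd.exe's own parent, which is what separates this pattern from routine cleanup scripts. The Run key check deliberately covers RunOnce and HKCU as well as the Wow6432Node path seen here, since the same dropper logic on a 64-bit build would write the non-redirected key.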
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
(also recorded as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; same file, identical hashes)
  MD5: 8c8ae36e852f64c01af13169bdda6fb4
  SHA1: 3573bcc3af0bf42dc543762840063d935e14d1c3
  SHA256: 2e7b30c012fb41ca3bc304114e051aefa9f5e03acea2fa34cb85ae178280e7ea
  SHA512: aa65aaf928bcc88bcab7121b64c8ff1a4449ff1d472f637fbb9607e2f8c82461597a9ae1271a7497e8bf3e9522aae592fe8c6df480a2c500199e33610e443526

memory/840-54-0x0000000076491000-0x0000000076493000-memory.dmp
  Filesize: 8KB