Analysis
- max time kernel: 158s
- max time network: 165s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:59
Static task: static1
Behavioral task: behavioral1
- Sample: 059bd8c35332459c2b2e512835f43986f013e5c7edcce96b8ba7012826e35dcf.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 059bd8c35332459c2b2e512835f43986f013e5c7edcce96b8ba7012826e35dcf.exe
- Resource: win10v2004-en-20220112
General
- Target: 059bd8c35332459c2b2e512835f43986f013e5c7edcce96b8ba7012826e35dcf.exe
- Size: 89KB
- MD5: 0a872bcec45661087fd44dabcd51f820
- SHA1: e5929be30ed166730b2988f9de350f45f6d59edf
- SHA256: 059bd8c35332459c2b2e512835f43986f013e5c7edcce96b8ba7012826e35dcf
- SHA512: 7a96a8b06d20f058052862f0a557ddba5c3507066c7256a85bc691e118d39582e514d901ea53ccebb92c7ab4a2c828fe5028a2d0f730b7a5dd748496f60fec9d
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource / yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes (pid / process): 944 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process): 1788 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process): 1704 | 059bd8c35332459c2b2e512835f43986f013e5c7edcce96b8ba7012826e35dcf.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 059bd8c35332459c2b2e512835f43986f013e5c7edcce96b8ba7012826e35dcf.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  Token: SeIncBasePriorityPrivilege | 1704 | 059bd8c35332459c2b2e512835f43986f013e5c7edcce96b8ba7012826e35dcf.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process), each pair recorded four times:
  PID 1704 wrote to memory of 944 | 1704 | 059bd8c35332459c2b2e512835f43986f013e5c7edcce96b8ba7012826e35dcf.exe | MediaCenter.exe (4 entries)
  PID 1704 wrote to memory of 1788 | 1704 | 059bd8c35332459c2b2e512835f43986f013e5c7edcce96b8ba7012826e35dcf.exe | cmd.exe (4 entries)
  PID 1788 wrote to memory of 1632 | 1788 | cmd.exe | PING.EXE (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\059bd8c35332459c2b2e512835f43986f013e5c7edcce96b8ba7012826e35dcf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\059bd8c35332459c2b2e512835f43986f013e5c7edcce96b8ba7012826e35dcf.exe"
  PID: 1704
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 944
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\059bd8c35332459c2b2e512835f43986f013e5c7edcce96b8ba7012826e35dcf.exe"
    PID: 1788
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1632
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 9df03878038868ba96f5e66bdfde1fd9
  SHA1: a96b7268d423eeb18f2791c6eee8fa5d50ffb0a0
  SHA256: 9a869dfd3c85d48d3804ae92f16e38cce52679fa5d91c609a10c3022b5db155b
  SHA512: e06603fee945823f1c53e1376364eb9700746e244895e770b13d0c68a987380613819cbd63af1299d7bdff98b8ac4cdbc2ef2a61e0b594ec4b1086aac5ae99b6
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 9df03878038868ba96f5e66bdfde1fd9
  SHA1: a96b7268d423eeb18f2791c6eee8fa5d50ffb0a0
  SHA256: 9a869dfd3c85d48d3804ae92f16e38cce52679fa5d91c609a10c3022b5db155b
  SHA512: e06603fee945823f1c53e1376364eb9700746e244895e770b13d0c68a987380613819cbd63af1299d7bdff98b8ac4cdbc2ef2a61e0b594ec4b1086aac5ae99b6
- memory/1704-55-0x0000000075F91000-0x0000000075F93000-memory.dmp
  Filesize: 8KB