Analysis
- max time kernel: 154s
- max time network: 175s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:59
Behavioral task: behavioral1
- Sample: 059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949.exe
- Resource: win7-en-20211208
General
- Target: 059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949.exe
- Size: 216KB
- MD5: e78b7322cd18724a50ab5b8a2ddd0886
- SHA1: 43447243c511235028d38285b65d3c7e02e740b9
- SHA256: 059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949
- SHA512: abdb2dba403e2154800f18f9448e62e285ee509bcfca591c167fd663f7f40848981a34c97e335b81a4937af5e3fb4485a4f82aa33ea5a808ff2bddd63191131f
Malware Config
Signatures
-
Sakula Payload (2 IoCs)
  resource                                                        yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe      family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
  HTTP request carrying a User-Agent string that Emerging Threats flags as suspicious (iexplore).
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
  Outbound beacon matching the Emerging Threats signature for Sakula/Mivast RAT command-and-control traffic. Together with the family_sakula YARA hit above, this attributes the sample to Sakula.
-
Executes dropped EXE (1 IoC)
  pid   process
  1656  MediaCenter.exe
-
UPX packed file (yara rule: upx, 2 IoCs)
  resource                                                        yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe      upx
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    upx
  The upx match is on the dropped MediaCenter.exe, not on the submitted 216KB dropper. Unpack a copy with upx -d before static analysis, and expect that to fail if the stub or section names were modified.
-
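As an added example (not part of the sandbox report, and not the sandbox's own upx YARA rule), the Python below reads a PE section table directly and applies the two heuristics most UPX detections rely on: UPX* section names, and a first section with SizeOfRawData 0 but a non-zero VirtualSize (the classic UPX0 layout). The build_pe() helper and the three section layouts are constructed test input, not bytes from MediaCenter.exe; on a real sample pass open(path, "rb").read() to pe_sections().

```python
"""Minimal PE section-table reader with UPX packing heuristics (added example)."""
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
PE32_MAGIC = 0x10B


def build_pe(sections):
    """Construct a minimal PE32 image: DOS stub, COFF header, optional header and
    section table only (constructed test input, not a runnable binary).
    sections: list of (name, VirtualSize, SizeOfRawData)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # e_lfanew at 0x3C
    opt_size = 0xE0                                                    # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(sections),
                       0, 0, 0, opt_size, 0x102)                       # EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = struct.pack("<H", PE32_MAGIC) + b"\0" * (opt_size - 2)
    table = b"".join(
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
        # NumberOfRelocations, NumberOfLinenumbers, Characteristics
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, 0x1000 * (i + 1),
                    rsize, 0, 0, 0, 0, 0, 0x60000020)
        for i, (name, vsize, rsize) in enumerate(sections))
    return dos + b"PE\0\0" + coff + opt + table


def pe_sections(data):
    """Return [(name, VirtualSize, SizeOfRawData), ...] parsed from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (nsections,) = struct.unpack_from("<H", data, coff + 2)    # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)    # SizeOfOptionalHeader
    table = coff + 20 + opt_size                               # section table follows the optional header
    out = []
    for i in range(nsections):
        name, vsize, _vaddr, rsize = struct.unpack_from("<8sIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize))
    return out


def upx_indicators(sections):
    """Reasons to suspect UPX packing. The name check is defeated by renaming
    sections; the raw-size check survives that, since UPX0 must stay empty on disk."""
    reasons = []
    if any(name.upper().startswith("UPX") for name, _, _ in sections):
        reasons.append("section named UPX*")
    if sections:
        _, vsize, rsize = sections[0]
        if rsize == 0 and vsize > 0:
            reasons.append("first section has SizeOfRawData 0 but non-zero VirtualSize")
    return reasons


# Constructed layouts: a stock UPX image, the same with renamed sections, and a plain build.
UPX_LIKE = build_pe([("UPX0", 0x20000, 0), ("UPX1", 0x8000, 0x7800), (".rsrc", 0x1000, 0x800)])
RENAMED = build_pe([(".text", 0x20000, 0), (".data", 0x8000, 0x7800), (".rsrc", 0x1000, 0x800)])
PLAIN = build_pe([(".text", 0x6000, 0x6000), (".data", 0x1000, 0x400), (".rsrc", 0x800, 0x800)])

if __name__ == "__main__":
    for label, img in (("UPX_LIKE", UPX_LIKE), ("RENAMED", RENAMED), ("PLAIN", PLAIN)):
        print(label, pe_sections(img), upx_indicators(pe_sections(img)))
```

The RENAMED case is the one to keep in mind when a sandbox's upx rule stays silent: a repacked stub with ordinary section names still has to carry an empty first section for the unpacked image to land in, so a section-layout check catches it where a name check does not.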
Deletes itself (1 IoC)
  pid   process
  2008  cmd.exe
-
Loads dropped DLL (1 IoC)
  pid   process
  1920  059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                       process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949.exe
  Machine-wide (HKLM) persistence for the dropped payload. The value lands under Wow6432Node because the 32-bit dropper's HKLM\SOFTWARE writes are redirected by WoW64 on this x64 host. A Run value pointing into a user's AppData\Local\Temp directory is a strong indicator on its own, whatever binary it names.
-
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour"; for this sample, identified as a Sakula RAT by the YARA and Suricata hits, drive enumeration is better read as host reconnaissance, since no file encryption or ransom note activity appears anywhere in the report.
-
Runs ping.exe (1 TTP, 1 IoC)
  PING.EXE (PID 2000), spawned by cmd.exe (PID 2008) as "ping 127.0.0.1". The loopback ping is only a delay so the dropper can exit before the del command removes its image (see the process tree below).
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                         pid   process
  Token: SeIncBasePriorityPrivilege   1920  059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949.exe
  SeIncBasePriorityPrivilege lets a process raise scheduling priorities. On its own it is a weak signal; it records the dropper enabling a privilege in its token.
-
Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   process                                                                   target process
  PID 1920 wrote to memory of 1656   1920  059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949.exe     MediaCenter.exe   (4 identical entries)
  PID 1920 wrote to memory of 2008   1920  059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949.exe     cmd.exe           (4 identical entries)
  PID 2008 wrote to memory of 2000   2008  cmd.exe                                                                   PING.EXE          (4 identical entries)
  Every target is a child the writing process itself just created (see the process tree), so these are the writes a parent makes while launching a child, not injection into an unrelated, pre-existing process.
Processes
C:\Users\Admin\AppData\Local\Temp\059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949.exe (PID 1920)
  Command line: "C:\Users\Admin\AppData\Local\Temp\059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1656)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe (PID 2008)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE (PID 2000)
          Command line: ping 127.0.0.1
          - Runs ping.exe
Read top to bottom: the submitted dropper (PID 1920) writes MediaCenter.exe to the user's AppData\Local\Temp\MicroMedia directory, starts it, registers it under the Run key, then spawns cmd.exe to remove its own image once ping 127.0.0.1 has given it time to exit. The cmd.exe and PING.EXE images resolve to SysWOW64 although the command line names System32, because the 32-bit dropper is subject to WoW64 file-system redirection.
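The signature list and process tree above describe one pattern: register the dropped file under a Run key, then hand the original image to cmd.exe for a ping-delayed del. As an added example (not the sandbox's own detection logic), the Python below implements that detection over constructed Sysmon-style process-creation and registry events modelled on this report. The event records, the benign control entries, the parent PIDs 1000/2500/4000 and the Sysmon field subset are assumptions made for the example.

```python
"""Detection for the drop / persist / self-delete chain (added example).
Events are constructed to mirror the process tree and Run-key IoC above;
they are not exported from the sandbox."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:          # subset of Sysmon Event ID 1 fields
    pid: int
    ppid: int
    image: str            # Image: the executable actually mapped
    cmdline: str          # CommandLine: what the parent passed to CreateProcess


@dataclass(frozen=True)
class RegEvent:           # subset of Sysmon Event ID 13 fields
    pid: int
    target: str           # TargetObject: key path including the value name
    details: str          # Details: data written


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

PROC_EVENTS = [
    ProcEvent(1920, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1656, 1920, DROPPED, DROPPED),
    # WoW64 redirection: the 32-bit parent asks for System32\cmd.exe and gets
    # SysWOW64\cmd.exe, so Image and CommandLine disagree on the path.
    ProcEvent(2008, 1920, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(2000, 2008, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    # benign control (constructed): an operator pinging loopback by hand
    ProcEvent(3000, 2500, r"C:\Windows\System32\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1'),
]

REG_EVENTS = [
    RegEvent(1920, r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia", DROPPED),
    # benign control (constructed): a vendor updater registered from Program Files
    RegEvent(4000, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
             r"C:\Program Files\Vendor\updater.exe"),
]

# "ping <loopback> ... & del ...": the ping is a delay so the parent can exit
# before its own image is unlinked.
SELF_DELETE_RE = re.compile(r"\bping\b[^&]*\b(?:127\.0\.0\.1|localhost)\b[^&]*&+\s*del\b", re.I)
# the path handed to del, with or without quotes and switches
DEL_TARGET_RE = re.compile(r"\bdel\b(?:\s+/\w+)*\s+\"?([^\"&]+?)\"?\s*$", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(?:Local|Roaming)\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\", re.I)


def find_self_delete(events):
    """(cmd_pid, deleted_path) for each cmd.exe whose command line delays with a
    loopback ping and then deletes the image of its own parent process."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe") or not SELF_DELETE_RE.search(e.cmdline):
            continue
        m = DEL_TARGET_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and m.group(1).lower() == parent.image.lower():
            hits.append((e.pid, m.group(1)))
    return hits


def find_suspicious_run_keys(events):
    """(pid, key, value) for Run/RunOnce values whose data points into a
    user-writable location, which is where droppers stage their payloads."""
    return [(r.pid, r.target, r.details) for r in events
            if RUN_KEY_RE.search(r.target) and USER_WRITABLE_RE.search(r.details)]


def dropper_chain(proc_events, reg_events):
    """PIDs that both registered a suspicious Run value and had a child cmd.exe
    delete their image: the full pattern shown in the process tree above."""
    persisters = {pid for pid, _, _ in find_suspicious_run_keys(reg_events)}
    by_pid = {e.pid: e for e in proc_events}
    deleters = {by_pid[cmd_pid].ppid for cmd_pid, _ in find_self_delete(proc_events)}
    return sorted(persisters & deleters)


if __name__ == "__main__":
    for pid, path in find_self_delete(PROC_EVENTS):
        print(f"self-delete via cmd.exe pid {pid}: {path}")
    for pid, key, value in find_suspicious_run_keys(REG_EVENTS):
        print(f"suspicious Run value by pid {pid}: {key} = {value}")
    print("drop/persist/self-delete chain:", dropper_chain(PROC_EVENTS, REG_EVENTS))
```

The self-delete check deliberately compares the del target against the parent's Image rather than just matching "ping & del": an administrator's cleanup script can look the same textually, but only a dropper deletes the very binary that spawned the cmd.exe. The Run-key check does not anchor on the Wow6432Node prefix, so it fires for both the 32-bit and 64-bit registry views.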
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (also recorded as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; same file, same hashes)
  MD5:    3ae4955847f7e1b3bc8b7c23e6a1a299
  SHA1:   6f4c0039571bc3df8af6e19cc592418f9e0659fc
  SHA256: 2e5de6862b04b21ff619878e75589a147883ce8daee782a450a217885609ae46
  SHA512: e8b0530fd01a7c4b599fe19097f9f40ecf6f1dcb71d61f642dd06f19c460e92221f88d08c0d585089a76fb463dca4b3e951e32d8461680463d37096f9baecfc2
  The dropped payload's hashes differ from the submitted dropper's (SHA256 059ba058df0e6f2a70bea99a254faa13621e7335103ea806f2e9efde0e03c949), so pivot on both when hunting; the Run key and the Sakula YARA match both point at this file, not at the dropper.
-
- memory/1920-54-0x0000000076041000-0x0000000076043000-memory.dmp
  Filesize: 8KB