Analysis

max time kernel: 148s
max time network: 180s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 11:07

Static task: static1

Behavioral task: behavioral1
Sample: 054da09fb903748f7e22cf05eb4c05bf2bc7139099797d927f0dc4bac8310e7a.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 054da09fb903748f7e22cf05eb4c05bf2bc7139099797d927f0dc4bac8310e7a.exe
Resource: win10v2004-en-20220113
General

Target: 054da09fb903748f7e22cf05eb4c05bf2bc7139099797d927f0dc4bac8310e7a.exe
Size: 216KB
MD5: 911d8638b650d122df51e315096c9957
SHA1: 9a203a22ddfe575760da231814aebaddfb6559bc
SHA256: 054da09fb903748f7e22cf05eb4c05bf2bc7139099797d927f0dc4bac8310e7a
SHA512: 20c978113918ab06a1102ba4aacb4e6ea833115f30047ea93a2eb5f7d000a73cf5a91c84f0e70902f2294a495d28d24344bcd64b0628e495114e2ba53cc120e0
Malware Config
Signatures
-
Sakula Payload 4 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral1/memory/964-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral1/memory/804-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
804 | MediaCenter.exe
-
Deletes itself 1 IoCs
Processes:
pid | process
1108 | cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
964 | 054da09fb903748f7e22cf05eb4c05bf2bc7139099797d927f0dc4bac8310e7a.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 054da09fb903748f7e22cf05eb4c05bf2bc7139099797d927f0dc4bac8310e7a.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 964 | 054da09fb903748f7e22cf05eb4c05bf2bc7139099797d927f0dc4bac8310e7a.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 964 wrote to memory of 804 (4 times) | 964 | 054da09fb903748f7e22cf05eb4c05bf2bc7139099797d927f0dc4bac8310e7a.exe | MediaCenter.exe
PID 964 wrote to memory of 1108 (4 times) | 964 | 054da09fb903748f7e22cf05eb4c05bf2bc7139099797d927f0dc4bac8310e7a.exe | cmd.exe
PID 1108 wrote to memory of 1984 (4 times) | 1108 | cmd.exe | PING.EXE
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\054da09fb903748f7e22cf05eb4c05bf2bc7139099797d927f0dc4bac8310e7a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\054da09fb903748f7e22cf05eb4c05bf2bc7139099797d927f0dc4bac8310e7a.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 964

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 804

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\054da09fb903748f7e22cf05eb4c05bf2bc7139099797d927f0dc4bac8310e7a.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1108

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1984
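The three host-side behaviours this report records (a Run value under Wow6432Node pointing into %TEMP%, a cmd.exe child that pings localhost as a delay and then deletes the parent dropper, and a dropped MediaCenter.exe with a known SHA256) translate directly into hunt logic. The script below is an added example written for this page, not tooling from the sandbox vendor or from the Sakula authors. It assumes Sysmon-style records (Event ID 13 registry value set, Event ID 1 process create, with the usual TargetObject, Details, CommandLine, ParentImage and Hashes fields) and runs over a handful of constructed records that mirror the PIDs above, plus two benign records that must not fire. Note that the self-deletion rule matches on the command line rather than the image path: the dropper is 32-bit, so its request for C:\Windows\System32\cmd.exe is redirected by WoW64 to C:\Windows\SysWOW64\cmd.exe, which is exactly the mismatch visible in the process tree.

```python
import re

# Signatures taken from the sandbox report above. The event records further
# down are constructed to mirror that run; they are not real telemetry.
SAKULA_PAYLOAD_SHA256 = "7db49bc1a1e427164deef1a924c54bcb2cb62690a47b18b20e6c3a579da923c9"
RUN_KEY_RE = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# cmd /c ping <host> & del /q "<file>": ping acts as a sleep, del removes the dropper
SELF_DELETE_RE = re.compile(
    r"/c\s+ping\s+\S+.*?&\s*del\s+(?:/\S+\s+)*\"?(?P<target>[^\"&]+?)\"?\s*$", re.I)


def _norm(path):
    """Case-fold and strip quotes so paths from different fields compare equal."""
    return path.strip().strip('"').lower()


def _sha256_of(hashes_field):
    """Pull SHA256 out of a Sysmon 'Hashes' string such as 'MD5=..,SHA256=..'."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def check_run_key_persistence(ev):
    """EID 13 (registry value set) that points a Run entry at a binary under %TEMP%."""
    if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    details = ev.get("Details", "")
    if not TEMP_DIR_RE.search(details):
        return None
    return {"rule": "run_key_points_into_temp", "pid": ev["ProcessId"],
            "value": ev["TargetObject"], "target": _norm(details)}


def check_self_delete(ev):
    """EID 1 where cmd.exe is told to ping (sleep) and then delete its own parent image."""
    if ev.get("EventID") != 1:
        return None
    m = SELF_DELETE_RE.search(ev.get("CommandLine", ""))
    if not m:
        return None
    target = _norm(m.group("target"))
    if target != _norm(ev.get("ParentImage", "")):
        return None
    return {"rule": "parent_self_delete_via_cmd_ping", "pid": ev["ProcessId"], "target": target}


def check_known_payload(ev):
    """EID 1 whose image hash matches the dropped MediaCenter.exe from the report."""
    if ev.get("EventID") != 1:
        return None
    if _sha256_of(ev.get("Hashes", "")) != SAKULA_PAYLOAD_SHA256:
        return None
    return {"rule": "known_sakula_payload_hash", "pid": ev["ProcessId"], "image": ev["Image"]}


CHECKS = (check_run_key_persistence, check_self_delete, check_known_payload)


def hunt(events):
    """Run every check over every event; return the alerts in event order."""
    alerts = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\054da09fb903748f7e22cf05eb4c05bf2bc7139099797d927f0dc4bac8310e7a.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed Sysmon-style records mirroring the sandbox run (PIDs 964/804/1108/1984),
# followed by two benign records that must not produce alerts.
SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessId": 964, "Image": DROPPER,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": PAYLOAD},
    {"EventID": 1, "ProcessId": 804, "Image": PAYLOAD, "CommandLine": PAYLOAD,
     "ParentProcessId": 964, "ParentImage": DROPPER,
     "Hashes": "MD5=4DC7503356BA34009402AC99075443D5,SHA256=" + SAKULA_PAYLOAD_SHA256.upper()},
    {"EventID": 1, "ProcessId": 1108, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + DROPPER + '"',
     "ParentProcessId": 964, "ParentImage": DROPPER, "Hashes": "SHA256=" + "0" * 64},
    {"EventID": 1, "ProcessId": 1984, "Image": r"C:\Windows\SysWOW64\PING.EXE",
     "CommandLine": "ping 127.0.0.1", "ParentProcessId": 1108,
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "Hashes": "SHA256=" + "1" * 64},
    # benign: a Run value under Program Files, and an ordinary process start
    {"EventID": 13, "ProcessId": 2500, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 1, "ProcessId": 2600, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentProcessId": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=" + "2" * 64},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The hash rule is the brittle one (a rebuilt payload changes it); the Run-value-into-%TEMP% and parent-self-delete rules describe the technique rather than this sample and will also catch other droppers that use the same ping-then-del idiom.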
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (also listed as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe)
MD5: 4dc7503356ba34009402ac99075443d5
SHA1: c9e96abb7c6bee3ecfffda4f3e07c8034482abe1
SHA256: 7db49bc1a1e427164deef1a924c54bcb2cb62690a47b18b20e6c3a579da923c9
SHA512: fa169be9ee5f9fa0695fccf9de4d073025cd0a1114fce4a8de2b9c920fdacd24c613815e7697807a5afbc51c3483b03479a519c463462200d6639615cbae6a69
-
-
memory/804-59-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/964-54-0x0000000075341000-0x0000000075343000-memory.dmp
Filesize: 8KB
-
memory/964-58-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB