Analysis
-
max time kernel
146s -
max time network
158s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 11:07
Static task
static1
Behavioral task
behavioral1
Sample
054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe
Resource
win10v2004-en-20220112
General
-
Target
054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe
-
Size
89KB
-
MD5
3b1cd8d8e099dfad0e8df6ab23cfbc19
-
SHA1
3351275bc1b46615efa48f27682b83dafdb68318
-
SHA256
054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373
-
SHA512
ab0d85f402cae97673fb95f660d92a287a1d5260004f1cc16d10e849d3d5b7de5c94d375049d97f7b6b3ff5f7301e30efa14c1f35f40c03b6f6739eef52c95bd
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1528 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1072 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exepid process 1552 054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exedescription pid process Token: SeIncBasePriorityPrivilege 1552 054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.execmd.exedescription pid process target process PID 1552 wrote to memory of 1528 1552 054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe MediaCenter.exe PID 1552 wrote to memory of 1528 1552 054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe MediaCenter.exe PID 1552 wrote to memory of 1528 1552 054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe MediaCenter.exe PID 1552 wrote to memory of 1528 1552 054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe MediaCenter.exe PID 1552 wrote to memory of 1072 1552 054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe cmd.exe PID 1552 wrote to memory of 1072 1552 054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe cmd.exe PID 1552 wrote to memory of 1072 1552 054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe cmd.exe PID 1552 wrote to memory of 1072 1552 054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe cmd.exe PID 1072 wrote to memory of 1056 1072 cmd.exe PING.EXE PID 1072 wrote to memory of 1056 1072 cmd.exe PING.EXE PID 1072 wrote to memory of 1056 1072 cmd.exe PING.EXE PID 1072 wrote to memory of 1056 1072 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe"C:\Users\Admin\AppData\Local\Temp\054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\054da2f418bb87af187f2d105ded5580673ca92533cbb26ed5294cdcea15c373.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1056
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
8995cf9fe420feaf77aeb236f6bfc1b3
SHA1819af32fd5c6b961d7810a99467a47b411a41cc4
SHA25688cd16893451a0cc7a09ce7b82259ff2979b40d0c5c24ea216c45b9a55624fcb
SHA512f2e783319666279bc375102827b381e7ea232f6d14f88dae6c7d7144c9c799f0fdd850197d2832651bd3deb651572cc4b72e314c07445e4e171025eee1d6f23d
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
8995cf9fe420feaf77aeb236f6bfc1b3
SHA1819af32fd5c6b961d7810a99467a47b411a41cc4
SHA25688cd16893451a0cc7a09ce7b82259ff2979b40d0c5c24ea216c45b9a55624fcb
SHA512f2e783319666279bc375102827b381e7ea232f6d14f88dae6c7d7144c9c799f0fdd850197d2832651bd3deb651572cc4b72e314c07445e4e171025eee1d6f23d
-
memory/1552-55-0x0000000075B11000-0x0000000075B13000-memory.dmpFilesize
8KB