Analysis
max time kernel: 161s
max time network: 173s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 11:09
Static task: static1
Behavioral task: behavioral1
  Sample: 052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46.exe
  Resource: win10v2004-en-20220112
General
Target: 052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46.exe
Size: 112KB
MD5: 3fabeed2ebde29436fe1ec892a6a1cf7
SHA1: 8247ede14dd40c44a98a992af13781de61ae380e
SHA256: 052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46
SHA512: ca1095e064c205844dcb26c53dfa8ebe49ae888da9c489f51077145dce8f1e7fce838c8e8798756feb8fa4bef87231e523835c3abc3355ec070d678fadf9ed6e
Malware Config
Signatures

Sakula Payload (4 IoCs)
Processes:
  resource                                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
  behavioral1/memory/836-59-0x0000000000400000-0x0000000000420000-memory.dmp    family_sakula
  behavioral1/memory/1684-60-0x0000000000400000-0x0000000000420000-memory.dmp   family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

Executes dropped EXE (1 IoC)
Processes:
  pid 1684  process MediaCenter.exe

Deletes itself (1 IoC)
Processes:
  pid 520  process cmd.exe

Loads dropped DLL (1 IoC)
Processes:
  pid 836  process 052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeIncBasePriorityPrivilege
  pid: 836
  process: 052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                       pid  process                                                                   target process
  PID 836 wrote to memory of 1684   836  052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46.exe     MediaCenter.exe  (4 times)
  PID 836 wrote to memory of 520    836  052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46.exe     cmd.exe          (4 times)
  PID 520 wrote to memory of 940    520  cmd.exe                                                                   PING.EXE         (4 times)

Processes
C:\Users\Admin\AppData\Local\Temp\052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 836
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (child of PID 836)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1684
  C:\Windows\SysWOW64\cmd.exe (child of PID 836)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\052d285b43fa67a95e17aa19d0bd9d00eeb36051d7d1298b6d0d1ac49dd05b46.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 520
    C:\Windows\SysWOW64\PING.EXE (child of PID 520)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 940

Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 1ece6b8e29f25fffcd66652a7c6b7102
  SHA1: 5bdad4541e127bcc17c64352582b2c9a80d7003b
  SHA256: 0da0587ebbbb5dff1c5d0b6e507569009c4ce4f899eb0bf596464638ad07d124
  SHA512: 0f9d726052092fffb0b0cedd5aa4df9a8849e4732816d9a3e0025879bdf42351fe0a0d0d6185833d3d6cb45529dd62b8910eaef087a09902b9e0cad48181fa72

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 1ece6b8e29f25fffcd66652a7c6b7102
  SHA1: 5bdad4541e127bcc17c64352582b2c9a80d7003b
  SHA256: 0da0587ebbbb5dff1c5d0b6e507569009c4ce4f899eb0bf596464638ad07d124
  SHA512: 0f9d726052092fffb0b0cedd5aa4df9a8849e4732816d9a3e0025879bdf42351fe0a0d0d6185833d3d6cb45529dd62b8910eaef087a09902b9e0cad48181fa72

memory/836-55-0x0000000076641000-0x0000000076643000-memory.dmp
  Filesize: 8KB

memory/836-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

memory/1684-60-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB