Analysis
Max time kernel: 155s
Max time network: 167s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 10:43
Static task: static1
Behavioral task: behavioral1
  Sample: 06486575c1c6905449157011a92a56332f44abd24d1a1ecf8c0f86114f88cb5d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 06486575c1c6905449157011a92a56332f44abd24d1a1ecf8c0f86114f88cb5d.exe
  Resource: win10v2004-en-20220113
General
Target: 06486575c1c6905449157011a92a56332f44abd24d1a1ecf8c0f86114f88cb5d.exe
Size: 216KB
MD5: 1e50c02f29adf6d9f56efbf169d1b597
SHA1: 23f818b81b9a6829959bb2f7a54a42dd85fd5ab3
SHA256: 06486575c1c6905449157011a92a56332f44abd24d1a1ecf8c0f86114f88cb5d
SHA512: dea239a77dc8805957c35ddddeda5509d40aefaf3317a7b3d67e774e27de36c576e476066f59159e3cb99c0e53b79a5bf660bd50c7ed9fa49bffc26cabc9af63
Malware Config
Signatures
Sakula Payload 4 IoCs
  YARA rule family_sakula matched:
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - behavioral1/memory/1656-58-0x0000000000400000-0x0000000000420000-memory.dmp
  - behavioral1/memory/1764-59-0x0000000000400000-0x0000000000420000-memory.dmp
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE 1 IoCs
  PID 1764 MediaCenter.exe
Deletes itself 1 IoCs
  PID 856 cmd.exe
Loads dropped DLL 1 IoCs
  PID 1656 06486575c1c6905449157011a92a56332f44abd24d1a1ecf8c0f86114f88cb5d.exe
Adds Run key to start application 2 TTPs 1 IoCs
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe" by PID 1656 (06486575c1c6905449157011a92a56332f44abd24d1a1ecf8c0f86114f88cb5d.exe)
  The Wow6432Node path is the WOW64 redirection of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: the dropper is a 32-bit process on x64 Windows (its child cmd.exe likewise resolves to SysWOW64 in the process tree below). Because the value sits under HKLM rather than HKCU, MediaCenter.exe is started at logon for every user of the machine.
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this likely ransomware behaviour, but nothing else in this report (no file encryption, no ransom note) supports that; the YARA and Suricata hits identify the sample as the Sakula/Mivast RAT, and drive enumeration is routine reconnaissance for a RAT.
Runs ping.exe 1 TTPs 1 IoCs
  PID 1552 PING.EXE, launched by cmd.exe (PID 856) as "ping 127.0.0.1"; see the process tree below.
Suspicious use of AdjustPrivilegeToken 1 IoCs
  PID 1656 06486575c1c6905449157011a92a56332f44abd24d1a1ecf8c0f86114f88cb5d.exe enabled token privilege SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory 12 IoCs
  PID 1656 (06486575c1c6905449157011a92a56332f44abd24d1a1ecf8c0f86114f88cb5d.exe) wrote to memory of PID 1764 (MediaCenter.exe), 4 times
  PID 1656 (06486575c1c6905449157011a92a56332f44abd24d1a1ecf8c0f86114f88cb5d.exe) wrote to memory of PID 856 (cmd.exe), 4 times
  PID 856 (cmd.exe) wrote to memory of PID 1552 (PING.EXE), 4 times
Processes
C:\Users\Admin\AppData\Local\Temp\06486575c1c6905449157011a92a56332f44abd24d1a1ecf8c0f86114f88cb5d.exe (depth 1, PID 1656)
  Command line: "C:\Users\Admin\AppData\Local\Temp\06486575c1c6905449157011a92a56332f44abd24d1a1ecf8c0f86114f88cb5d.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2, PID 1764)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 856)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06486575c1c6905449157011a92a56332f44abd24d1a1ecf8c0f86114f88cb5d.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (depth 3, PID 1552)
      Command line: ping 127.0.0.1
      - Runs ping.exe

Two details of this tree are worth noting. The dropper asks for C:\Windows\System32\cmd.exe but the image that actually runs is C:\Windows\SysWOW64\cmd.exe: that is file-system redirection for a 32-bit process on x64 Windows, consistent with the Run key landing under Wow6432Node. And the "ping 127.0.0.1 & del /q <self>" chain is the usual self-deletion idiom: the loopback ping only exists to delay the del until the dropper (PID 1656) has exited and released its own file, after which the persisted copy MediaCenter.exe is the only one left on disk.
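As an added example (not part of the sandbox report), the following Python turns the two host-side behaviours recorded above into detection logic that could run over endpoint telemetry: the "cmd.exe /c ping 127.0.0.1 & del /q <dropper>" self-deletion chain, and a Run value under HKLM\...\CurrentVersion\Run that points at an executable in a user-writable directory. The events are constructed here in a Sysmon-like shape (EventID 1 process creation, EventID 13 registry value set; the field names are assumptions, not a real export); the paths, PIDs and Run key value are taken from this report, and two benign events are included to show the rules stay quiet on ordinary activity.

```python
"""Detection logic for the self-deletion chain and the Run-key persistence
seen in this report. Added example for the page, not sandbox output.
"""
import re

# --- constructed sample telemetry (not a real Sysmon export) ----------------
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\06486575c1c6905449157011a92a56332f44abd24d1a1ecf8c0f86114f88cb5d.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS = [
    # process tree from the report (event_id 1 = process create)
    {"event_id": 1, "pid": 1656, "parent_pid": 1000, "image": DROPPER,
     "command_line": f'"{DROPPER}"'},
    # registry value set (event_id 13), HKLM form of the Wow6432Node Run key
    {"event_id": 13, "pid": 1656, "image": DROPPER,
     "target_object": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": PAYLOAD},
    {"event_id": 1, "pid": 1764, "parent_pid": 1656, "image": PAYLOAD,
     "command_line": PAYLOAD},
    {"event_id": 1, "pid": 856, "parent_pid": 1656,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER}"'},
    {"event_id": 1, "pid": 1552, "parent_pid": 856,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "command_line": "ping 127.0.0.1"},
    # benign noise: an admin pinging a host, and a vendor Run key under Program Files
    {"event_id": 1, "pid": 2000, "parent_pid": 1999,
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c ping -n 2 10.0.0.1 & echo done"},
    {"event_id": 13, "pid": 2001, "image": r"C:\Program Files\Vendor\setup.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r"C:\Program Files\Vendor\agent.exe"},
]

# ping <loopback> ... & del: the ping is only a delay before the delete
PING_THEN_DEL = re.compile(
    r"\bping\b[^&]*\b(?:127\.0\.0\.1|localhost)\b[^&]*&\s*del\b", re.IGNORECASE)
# the file named after `del`, skipping switches such as /q or /f
DEL_TARGET = re.compile(r'\bdel\b\s+(?:/\w+\s+)*"?([^"&]+?)"?\s*$', re.IGNORECASE)
# matches both HKLM\SOFTWARE\...\Run and the Wow6432Node variant
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Windows\\Temp\\", re.IGNORECASE)


def deleted_path(command_line):
    """Return the path passed to `del`, stripped of switches and quotes."""
    m = DEL_TARGET.search(command_line)
    return m.group(1).strip() if m else ""


def detect_self_delete(event, by_pid):
    """Flag a cmd.exe that pings loopback and then deletes a file.

    Confidence is raised to self_delete=True when the deleted file is the
    image of the parent process, which is exactly the chain in this report.
    """
    if event.get("event_id") != 1:
        return None
    cmd = event.get("command_line", "")
    if not PING_THEN_DEL.search(cmd):
        return None
    parent = by_pid.get(event.get("parent_pid"))
    target = deleted_path(cmd)
    return {"rule": "ping_then_del", "pid": event["pid"], "target": target,
            "self_delete": bool(parent and target.lower() == parent["image"].lower())}


def detect_run_key(event):
    """Flag a Run/RunOnce value whose command lives in a user-writable path."""
    if event.get("event_id") != 13:
        return None
    if not RUN_KEY.search(event.get("target_object", "")):
        return None
    if not USER_WRITABLE.search(event.get("details", "")):
        return None
    return {"rule": "run_key_user_writable", "pid": event["pid"],
            "key": event["target_object"], "value": event["details"]}


def analyze(events):
    """Run both detections over the events; return the list of findings."""
    by_pid = {e["pid"]: e for e in events if e.get("event_id") == 1}
    findings = []
    for e in events:
        for f in (detect_self_delete(e, by_pid), detect_run_key(e)):
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Anchoring the first rule on the loopback address rather than on ping alone is what keeps the benign "ping -n 2 10.0.0.1" quiet, and checking the del target against the parent's image separates genuine self-deletion from a script that merely cleans up a temp file. The Run-key rule matches only on the "\Microsoft\Windows\CurrentVersion\Run\" suffix, so the Wow6432Node path written by this 32-bit sample is caught without a second pattern.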
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (also listed under the drive-relative path \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; identical hashes)
  MD5: fa54614716518e17153be12400aeede2
  SHA1: 442f97afcbb395017749ffd526ff76d4f9c45f9e
  SHA256: 86a090300af6580ab9c05adac619cfcc0799b4591cfcc62d6f6f603c37256b57
  SHA512: aa62e9243a07caa9000462292d36de17413c44262bc5a3107b6f9f8f7f50af47f7a35f80388eb202d0dedbf5fd54de28949466b9a369388fedfc0ae2795465ea
memory/1656-54-0x0000000075D51000-0x0000000075D53000-memory.dmp
  Filesize: 8KB
memory/1656-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
memory/1764-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

The two 0x400000-0x420000 dumps are the image regions of the dropper (PID 1656) and the dropped MediaCenter.exe (PID 1764) on which the family_sakula YARA rule matched in the Signatures section; the dropped file's hashes above differ from the 216KB submitted sample, so both should be tracked as separate indicators.