Analysis
- max time kernel: 144s
- max time network: 149s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:47
Static task: static1
Behavioral task: behavioral1
- Sample: 061bb2dd43b34958dbb1105f5e867b9b6deee4c884f1126883828960c1a4e1f8.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 061bb2dd43b34958dbb1105f5e867b9b6deee4c884f1126883828960c1a4e1f8.exe
- Resource: win10v2004-en-20220113
General
- Target: 061bb2dd43b34958dbb1105f5e867b9b6deee4c884f1126883828960c1a4e1f8.exe
- Size: 216KB
- MD5: 175d29472ce4a9911f393a9606ae8cb1
- SHA1: 82bc9c1bd599e26d742972a86831a44be5bf8a71
- SHA256: 061bb2dd43b34958dbb1105f5e867b9b6deee4c884f1126883828960c1a4e1f8
- SHA512: ecf899200d9b91b82f6e68b0e3f5ef0f6f1e7dbff73e4190ef87e6fa9cf4f2019befb0839bd6b4eb31837c7f2622d3b81238e49b01c17d51d59a92fb83400546
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  - resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; yara_rule: family_sakula
  - resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; yara_rule: family_sakula
  - resource: behavioral1/memory/832-58-0x0000000000400000-0x0000000000420000-memory.dmp; yara_rule: family_sakula
  - resource: behavioral1/memory/1860-59-0x0000000000400000-0x0000000000420000-memory.dmp; yara_rule: family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  - pid: 1860; process: MediaCenter.exe
- Deletes itself (1 IoC)
  - pid: 396; process: cmd.exe
- Loads dropped DLL (1 IoC)
  - pid: 832; process: 061bb2dd43b34958dbb1105f5e867b9b6deee4c884f1126883828960c1a4e1f8.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  - description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"; process: 061bb2dd43b34958dbb1105f5e867b9b6deee4c884f1126883828960c1a4e1f8.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - description: Token: SeIncBasePriorityPrivilege; pid: 832; process: 061bb2dd43b34958dbb1105f5e867b9b6deee4c884f1126883828960c1a4e1f8.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  - description: PID 832 wrote to memory of 1860; pid: 832; process: 061bb2dd43b34958dbb1105f5e867b9b6deee4c884f1126883828960c1a4e1f8.exe; target process: MediaCenter.exe (4 events)
  - description: PID 832 wrote to memory of 396; pid: 832; process: 061bb2dd43b34958dbb1105f5e867b9b6deee4c884f1126883828960c1a4e1f8.exe; target process: cmd.exe (4 events)
  - description: PID 396 wrote to memory of 1992; pid: 396; process: cmd.exe; target process: PING.EXE (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\061bb2dd43b34958dbb1105f5e867b9b6deee4c884f1126883828960c1a4e1f8.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\061bb2dd43b34958dbb1105f5e867b9b6deee4c884f1126883828960c1a4e1f8.exe"
  PID: 832
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1860
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\061bb2dd43b34958dbb1105f5e867b9b6deee4c884f1126883828960c1a4e1f8.exe"
    PID: 396
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      PID: 1992
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (also recorded as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe)
  MD5: 30c1081702df8a1b18d1b168cac3ab63
  SHA1: e0b899068c38418d283bce44a4d4ccbc66cf8f71
  SHA256: 241c9e0bffabbb4bfd7f5da92015decd075eb251ade2401e44ec6031ddbdcadb
  SHA512: ef2ac731538e072677c4575a7702c90a91a9fb59a02cd43a4a33ae24ea6b10bed1c86b5bf2f235fe3476a18be090db0c759eb5d8680e34bdb16018a6831293b7
- memory/832-54-0x0000000075891000-0x0000000075893000-memory.dmp
  Filesize: 8KB
- memory/832-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1860-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB