Analysis

max time kernel: 132s
max time network: 139s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 10:48

Static task: static1
Behavioral task: behavioral1
  Sample: 0610398fed04a39d7635832ce60b4c3d2f9b467b0a20b07393e52ff1adb3cedf.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0610398fed04a39d7635832ce60b4c3d2f9b467b0a20b07393e52ff1adb3cedf.exe
  Resource: win10v2004-en-20220112

General

Target: 0610398fed04a39d7635832ce60b4c3d2f9b467b0a20b07393e52ff1adb3cedf.exe
Size: 92KB
MD5: 733cac2ce9d760a66bfdff24ee6ae7ba
SHA1: 85414922f21253823d1192497caf3e171780c8aa
SHA256: 0610398fed04a39d7635832ce60b4c3d2f9b467b0a20b07393e52ff1adb3cedf
SHA512: 137863b41de45b9d60f0b4d80d669cafbea982d1d66ba475b373c38ba933669129213fe91a06ac388fecda31e72e5ccc67701cd63f7d23d9388cd7a7020b6b3f
Malware Config
Signatures
-
Sakula Payload (2 IoCs)
  yara rule family_sakula matched:
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
  PID 1912  MediaCenter.exe

Deletes itself (1 IoC)
  PID 988  cmd.exe

Loads dropped DLL (1 IoC)
  PID 1788  0610398fed04a39d7635832ce60b4c3d2f9b467b0a20b07393e52ff1adb3cedf.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 0610398fed04a39d7635832ce60b4c3d2f9b467b0a20b07393e52ff1adb3cedf.exe (PID 1788)
  The Wow6432Node path is the 32-bit view of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, consistent with a 32-bit sample on an x64 guest (its children run from SysWOW64). The dropped MediaCenter.exe is therefore started at every logon from a user-writable Temp directory, which is the value to hunt for on other hosts.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the signature's generic description. Nothing else in this report indicates encryption; the YARA match and the Sakula/Mivast C2 beacon point to a RAT dropper, so treat the "ransomware" wording as the heuristic's label, not a finding.
Runs ping.exe (1 TTP, 1 IoC)
  PID 1480  PING.EXE (ping 127.0.0.1, spawned by cmd.exe as the delay before the delete)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege  PID 1788  0610398fed04a39d7635832ce60b4c3d2f9b467b0a20b07393e52ff1adb3cedf.exe
  (this privilege is needed to raise a process's base priority; it is a weak signal on its own)

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1788 (0610398fed04a39d7635832ce60b4c3d2f9b467b0a20b07393e52ff1adb3cedf.exe) wrote to memory of PID 1912 (MediaCenter.exe), 4 times
  PID 1788 (0610398fed04a39d7635832ce60b4c3d2f9b467b0a20b07393e52ff1adb3cedf.exe) wrote to memory of PID 988 (cmd.exe), 4 times
  PID 988 (cmd.exe) wrote to memory of PID 1480 (PING.EXE), 4 times
  Every target is the writer's own direct child (see the process tree), which is what process creation looks like to this hook; no write into an unrelated process is recorded.
Processes

C:\Users\Admin\AppData\Local\Temp\0610398fed04a39d7635832ce60b4c3d2f9b467b0a20b07393e52ff1adb3cedf.exe (PID 1788)
  command line: "C:\Users\Admin\AppData\Local\Temp\0610398fed04a39d7635832ce60b4c3d2f9b467b0a20b07393e52ff1adb3cedf.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1912)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (PID 988)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0610398fed04a39d7635832ce60b4c3d2f9b467b0a20b07393e52ff1adb3cedf.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID 1480)
      command line: ping 127.0.0.1
      - Runs ping.exe
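The process tree shows the two behaviours worth turning into endpoint detections: the Run-key value that points at a dropped binary under Temp, and the cmd.exe /c ping 127.0.0.1 & del /q <own path> self-deletion, where the ping exists only to let the parent exit before its file is unlinked. The Python below is an added example, not part of this report or of Triage; it reconstructs the parent/child tree from constructed Sysmon-style events modelled on this page and flags both behaviours. The event schema and field names are assumptions; the PIDs, paths, command line and registry value are copied from the report.

```python
import re
from collections import defaultdict

# Constructed events modelled on this report's process tree and signature tables.
# They are not sandbox output: PIDs, image paths, the cmd.exe command line and the
# Run-key value are copied from the page; the event schema is an assumption.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0610398fed04a39d7635832ce60b4c3d2f9b467b0a20b07393e52ff1adb3cedf.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS = [
    {"type": "process", "pid": 1788, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 1912, "ppid": 1788, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process", "pid": 988, "ppid": 1788, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 1480, "ppid": 988, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    {"type": "registry", "pid": 1788,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
]

# ...\CurrentVersion\Run and RunOnce, in either the native or the Wow6432Node view.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# A Run value pointing into a user-writable profile directory is the suspicious part.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# "ping <host> & del [/switches] <path>": the ping delays the delete until the
# parent executable has exited and its file can be unlinked.
PING_THEN_DEL = re.compile(r"\bping\b[^&]*&\s*del\b(?P<args>[^&]*)", re.IGNORECASE)


def self_delete_target(cmdline):
    """Return the path that a 'ping ... & del ...' command line deletes, or None."""
    m = PING_THEN_DEL.search(cmdline)
    if not m:
        return None
    args = m.group("args").strip()
    quoted = re.findall(r'"([^"]+)"', args)
    if quoted:
        return quoted[-1]
    tokens = [t for t in args.split() if not t.startswith("/")]
    return tokens[-1] if tokens else None


def process_tree(events):
    """Index process-creation events by PID and by parent PID."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p["pid"])
    return procs, children


def find_self_delete(events):
    """(child pid, parent pid, path) for each process whose del target is its parent's image."""
    procs, _ = process_tree(events)
    hits = []
    for p in procs.values():
        target = self_delete_target(p["cmdline"])
        parent = procs.get(p["ppid"])
        if target and parent and parent["image"].lower() == target.lower():
            hits.append((p["pid"], parent["pid"], target))
    return hits


def find_run_key_persistence(events):
    """(pid, value name, path) for Run/RunOnce values that point into a user-writable directory."""
    hits = []
    for e in events:
        if e["type"] == "registry" and RUN_KEY.search(e["key"]) and USER_WRITABLE.search(e["value"]):
            hits.append((e["pid"], e["key"].rsplit("\\", 1)[-1], e["value"]))
    return hits


def render_tree(events, root=0):
    """Indented parent -> child listing in the same shape as the report's Processes section."""
    procs, children = process_tree(events)
    lines = []

    def walk(pid, depth):
        for child in children.get(pid, []):
            lines.append("  " * depth + f"{procs[child]['image']} (PID {child})")
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    for child, parent, path in find_self_delete(EVENTS):
        print(f"self-delete: PID {child} removes the image of parent PID {parent}: {path}")
    for pid, name, path in find_run_key_persistence(EVENTS):
        print(f"persistence: PID {pid} sets Run value {name} -> {path}")
```

The self-delete check is keyed on the parent relationship, not only on the string "ping ... & del", so an admin script that pings a host and then deletes a temp file does not fire; the Run-key check alerts only when the value points under AppData, which separates this entry from an installer registering a binary under Program Files.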
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  (the same dropped file, reported under both path forms)
  MD5: dd78564add3291e342494b26ef6f8130
  SHA1: 1871856ef152ddcf00488659459a287ebcf0c39a
  SHA256: 78772ea1cbdb6eb474ecbc545a41c6aaee89ce4ed7310beb94b7503013b19289
  SHA512: 9abba901f7e52a774613eb2a8c2ef1d25cfebc4368457daed0e2c4c01741a93f00d66f49e22c02a4343610f29b41e7558e3f7d4faec93d755604bd10e0ca6e48

memory/1788-54-0x0000000075F21000-0x0000000075F23000-memory.dmp
  Filesize: 8KB