Analysis
- max time kernel: 156s
- max time network: 169s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:50
Static task: static1
Behavioral task: behavioral1
  Sample: 060326aec18f158619212b766da47e6d9e31c9ad5b67b973a9d72397efe2e5ac.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 060326aec18f158619212b766da47e6d9e31c9ad5b67b973a9d72397efe2e5ac.exe
  Resource: win10v2004-en-20220113
General
- Target: 060326aec18f158619212b766da47e6d9e31c9ad5b67b973a9d72397efe2e5ac.exe
- Size: 150KB
- MD5: f90d3efa5e2d613c7f70fc0d11b34922
- SHA1: ae870155cc590d983a11a88fe8d2757fb6d93e4b
- SHA256: 060326aec18f158619212b766da47e6d9e31c9ad5b67b973a9d72397efe2e5ac
- SHA512: 3c4cdbe7a6b0f4e2f8bc2de2ee4a994370d7f2d9d4ef347f7faa7119b100bd3d0cf2bc09e1ee7486e9e9f6079daad603839d64a5ce1c6703d4d9be246b25a07d
Malware Config
Signatures
-
Sakula Payload (2 IoCs)
Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE (1 IoC)
Processes:
  pid | process
  1620 | MediaCenter.exe
Deletes itself (1 IoC)
Processes:
  pid | process
  812 | cmd.exe
Loads dropped DLL (1 IoC)
Processes:
  pid | process
  1652 | 060326aec18f158619212b766da47e6d9e31c9ad5b67b973a9d72397efe2e5ac.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 060326aec18f158619212b766da47e6d9e31c9ad5b67b973a9d72397efe2e5ac.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic note that this is "likely ransomware behaviour" is not supported by this report: the payload is classified as Sakula, a RAT, and nothing else recorded here (no mass file writes, no renames, no encryption) points to ransomware. Treat the drive enumeration as reconnaissance until the dropped binary is examined.
-
Runs ping.exe (1 TTP, 1 IoC)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1652 | 060326aec18f158619212b766da47e6d9e31c9ad5b67b973a9d72397efe2e5ac.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: 060326aec18f158619212b766da47e6d9e31c9ad5b67b973a9d72397efe2e5ac.exe, cmd.exe
  description | pid | process | target process
  PID 1652 wrote to memory of 1620 (recorded 4 times) | 1652 | 060326aec18f158619212b766da47e6d9e31c9ad5b67b973a9d72397efe2e5ac.exe | MediaCenter.exe
  PID 1652 wrote to memory of 812 (recorded 4 times) | 1652 | 060326aec18f158619212b766da47e6d9e31c9ad5b67b973a9d72397efe2e5ac.exe | cmd.exe
  PID 812 wrote to memory of 1768 (recorded 4 times) | 812 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\060326aec18f158619212b766da47e6d9e31c9ad5b67b973a9d72397efe2e5ac.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\060326aec18f158619212b766da47e6d9e31c9ad5b67b973a9d72397efe2e5ac.exe"
  PID: 1652
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1620
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\060326aec18f158619212b766da47e6d9e31c9ad5b67b973a9d72397efe2e5ac.exe"
    PID: 812
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1768
      - Runs ping.exe

Two details of this tree are worth reading correctly. The `ping 127.0.0.1` is not network activity: it is a short delay so that the original executable has exited (and its file handle is released) before `del /q` removes it, which is why the sandbox tags the cmd.exe child as "Deletes itself" even though the parent is the file being deleted. The image path (SysWOW64) differs from the path in the command line (System32) because the 32-bit sample is subject to WOW64 file-system redirection; the persistence entry likewise lands under Wow6432Node for the same reason.
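The process tree and the Run-key signature above describe two behaviours that are easy to detect from ordinary process-creation and registry telemetry: a cmd.exe child that deletes its own parent's image after a loopback ping, and a Run key whose value points into the user's Temp directory. The following is an added example, not code from the sandbox vendor or from this report; the events are constructed here with Sysmon-style fields to mirror the PIDs and paths in the tree, the rule names are ours, and two extra cmd.exe events (PIDs 900 and 901) are made up to show what the rules must not flag.

```python
"""Detection over constructed process and registry events that mirror the
process tree and Run-key signature in this report.  The events are hand-built
(Sysmon-style fields), not sandbox output; the rule names are ours."""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\060326aec18f158619212b766da47e6d9e31c9ad5b67b973a9d72397efe2e5ac.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed process-creation events (pid, parent pid, image, command line).
PROC_EVENTS = [
    {"pid": 1652, "ppid": 600,  "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1620, "ppid": 1652, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 812,  "ppid": 1652, "image": CMD,
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 1768, "ppid": 812,  "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Two constructed look-alikes the rule must not flag: a plain delay with
    # no delete, and a delete whose target is not the parent's own image.
    {"pid": 900, "ppid": 600,  "image": CMD,
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 -n 2'},
    {"pid": 901, "ppid": 1652, "image": CMD,
     "cmdline": r'cmd /c ping 127.0.0.1 & del /q "C:\Users\Admin\notes.txt"'},
]

# Constructed registry Set-value event, as in the "Adds Run key" signature.
REG_EVENTS = [
    {"pid": 1652,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
]

# "ping <loopback> ... & del [/switches] <path>", capturing the del target.
# Accepts -n/-w options on either side of the address and "&&" as well as "&".
SELF_DELETE_RE = re.compile(
    r'ping\b[^&]*?(?:127\.0\.0\.1|localhost)[^&]*&+\s*del\s+(?:/\w\s+)*"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def norm(path):
    """Case-fold a path and drop surrounding quotes so paths compare equal."""
    return path.strip('"').lower()


def detect_self_delete(events):
    """Flag cmd.exe whose 'ping & del' target is the image of its own parent."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not norm(e["image"]).endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if m and parent and norm(m.group("target")) == norm(parent["image"]):
            hits.append({"rule": "self_delete_via_ping", "pid": e["pid"],
                         "parent_pid": parent["pid"], "deleted": norm(parent["image"])})
    return hits


def detect_run_key_persistence(reg_events):
    """Flag Run-key values that point into the user's Temp directory."""
    return [{"rule": "run_key_to_user_temp", "pid": r["pid"], "key": r["key"],
             "value": norm(r["value"])}
            for r in reg_events
            if RUN_KEY_RE.search(r["key"]) and USER_TEMP_RE.search(r["value"])]


def correlate(proc_events, reg_events):
    """Tie each Run-key hit to the process that actually ran the persisted binary."""
    by_image = {norm(e["image"]): e for e in proc_events}
    out = []
    for h in detect_run_key_persistence(reg_events):
        launched = by_image.get(h["value"])
        if launched:
            out.append({**h, "executed_pid": launched["pid"],
                        "spawned_by": launched["ppid"]})
    return out


if __name__ == "__main__":
    for alert in detect_self_delete(PROC_EVENTS) + correlate(PROC_EVENTS, REG_EVENTS):
        print(alert)
```

The parent-image comparison is what keeps the first rule from firing on every `ping & del` cleanup script: only a cmd.exe that deletes the binary that spawned it is reported. The correlation step turns the registry signature into a higher-confidence alert by confirming that the persisted path was also executed as a child of the sample, which is exactly the relationship between PIDs 1652 and 1620 in the tree above.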
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (the same file is also recorded under the path \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; both entries carry identical hashes)
  MD5: 0be4827f5ba1da97559c041892f1671b
  SHA1: c17f540ca1d9c9b67fe6c4ea67a55d4704b6aa30
  SHA256: 7178602e8ff52bb818432a316cd0e1c32ebf832f8f34f8f11f157457d21ae57f
  SHA512: 2d994781e686c01cf9b4e843214a83c9a5b48148bd6646aefbf2d28e3283e2cad8fa8d8bf1f797819ef53f7f4d6c88d308660d547102eee1097ba8e2461f3ada
- memory/1652-55-0x0000000076641000-0x0000000076643000-memory.dmp
  Filesize: 8KB