Analysis
- max time kernel: 152s
- max time network: 164s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:54
Static task: static1
Behavioral task: behavioral1
  Sample: 03201d71f368b6b08b07b811ef877d62b28bb962e28788068017f8289aa47681.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 03201d71f368b6b08b07b811ef877d62b28bb962e28788068017f8289aa47681.exe
  Resource: win10v2004-en-20220112
General
- Target: 03201d71f368b6b08b07b811ef877d62b28bb962e28788068017f8289aa47681.exe
- Size: 152KB
- MD5: e451b73b7efb0a1a3a731fd0ff05e471
- SHA1: 9d689ce2b8cc14850adfab9f147f0d7cc5b2e6da
- SHA256: 03201d71f368b6b08b07b811ef877d62b28bb962e28788068017f8289aa47681
- SHA512: 9d5c28d2d5ee5a7d86e1b871b64810ab7d55adc82c8f10df28e962089452a8165e5dea97f63d7dffea4f6a57cf5fbc3ce2c8bb8898dfad739d4d030cad4d60c1
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  1360 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  832 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes:
  pid | process
  1728 | 03201d71f368b6b08b07b811ef877d62b28bb962e28788068017f8289aa47681.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 03201d71f368b6b08b07b811ef877d62b28bb962e28788068017f8289aa47681.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1728 | 03201d71f368b6b08b07b811ef877d62b28bb962e28788068017f8289aa47681.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1728 wrote to memory of 1360 | 1728 | 03201d71f368b6b08b07b811ef877d62b28bb962e28788068017f8289aa47681.exe | MediaCenter.exe
  PID 1728 wrote to memory of 1360 | 1728 | 03201d71f368b6b08b07b811ef877d62b28bb962e28788068017f8289aa47681.exe | MediaCenter.exe
  PID 1728 wrote to memory of 1360 | 1728 | 03201d71f368b6b08b07b811ef877d62b28bb962e28788068017f8289aa47681.exe | MediaCenter.exe
  PID 1728 wrote to memory of 1360 | 1728 | 03201d71f368b6b08b07b811ef877d62b28bb962e28788068017f8289aa47681.exe | MediaCenter.exe
  PID 1728 wrote to memory of 832 | 1728 | 03201d71f368b6b08b07b811ef877d62b28bb962e28788068017f8289aa47681.exe | cmd.exe
  PID 1728 wrote to memory of 832 | 1728 | 03201d71f368b6b08b07b811ef877d62b28bb962e28788068017f8289aa47681.exe | cmd.exe
  PID 1728 wrote to memory of 832 | 1728 | 03201d71f368b6b08b07b811ef877d62b28bb962e28788068017f8289aa47681.exe | cmd.exe
  PID 1728 wrote to memory of 832 | 1728 | 03201d71f368b6b08b07b811ef877d62b28bb962e28788068017f8289aa47681.exe | cmd.exe
  PID 832 wrote to memory of 1796 | 832 | cmd.exe | PING.EXE
  PID 832 wrote to memory of 1796 | 832 | cmd.exe | PING.EXE
  PID 832 wrote to memory of 1796 | 832 | cmd.exe | PING.EXE
  PID 832 wrote to memory of 1796 | 832 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\03201d71f368b6b08b07b811ef877d62b28bb962e28788068017f8289aa47681.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\03201d71f368b6b08b07b811ef877d62b28bb962e28788068017f8289aa47681.exe"
  PID: 1728
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1360
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\03201d71f368b6b08b07b811ef877d62b28bb962e28788068017f8289aa47681.exe"
    PID: 832
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1796
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 667479cf44b8f99081c42d81c44850ad
  SHA1: 6851ba57399ec97ca78a65be6baef291359e3b00
  SHA256: b1b5a46d3a4425c624a147ea0ffab9cd4040fc3c8ed0646588cba2d5bbf56011
  SHA512: 653575b37e78a612824d9dd8c1acb38c63b6176470453c32d986d6b744c23776916bd0c30e6758a092ff96b6c85e7123a9ad289c02962e7b7c7df7bc774263e8
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 667479cf44b8f99081c42d81c44850ad
  SHA1: 6851ba57399ec97ca78a65be6baef291359e3b00
  SHA256: b1b5a46d3a4425c624a147ea0ffab9cd4040fc3c8ed0646588cba2d5bbf56011
  SHA512: 653575b37e78a612824d9dd8c1acb38c63b6176470453c32d986d6b744c23776916bd0c30e6758a092ff96b6c85e7123a9ad289c02962e7b7c7df7bc774263e8
- memory/1728-55-0x0000000074F11000-0x0000000074F13000-memory.dmp
  Filesize: 8KB