Analysis
- max time kernel: 162s
- max time network: 174s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:13
Static task: static1
Behavioral task: behavioral1
  Sample: 04fce09c465c6b721fd2df7a04eb5d196ac1ea75dad2df581f5acdcd25dded24.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 04fce09c465c6b721fd2df7a04eb5d196ac1ea75dad2df581f5acdcd25dded24.exe
  Resource: win10v2004-en-20220113
General
- Target: 04fce09c465c6b721fd2df7a04eb5d196ac1ea75dad2df581f5acdcd25dded24.exe
- Size: 176KB
- MD5: 9fe88552c156c205b66e829e5751642b
- SHA1: de39ac170ebe7488f1a47a280cddec69668cd05f
- SHA256: 04fce09c465c6b721fd2df7a04eb5d196ac1ea75dad2df581f5acdcd25dded24
- SHA512: b778df72d0a1ea252ee9d00d3c2813ff0d88eea46002922dfc3a50b8cb6b90f36580551a05ca72f99a08e339972833497f4c795a23ee19cccc72d3d0709d3da6
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1212-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/648-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  648 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  1668 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  1212 | 04fce09c465c6b721fd2df7a04eb5d196ac1ea75dad2df581f5acdcd25dded24.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 04fce09c465c6b721fd2df7a04eb5d196ac1ea75dad2df581f5acdcd25dded24.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1212 | 04fce09c465c6b721fd2df7a04eb5d196ac1ea75dad2df581f5acdcd25dded24.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1212 wrote to memory of 648 | 1212 | 04fce09c465c6b721fd2df7a04eb5d196ac1ea75dad2df581f5acdcd25dded24.exe | MediaCenter.exe
  PID 1212 wrote to memory of 648 | 1212 | 04fce09c465c6b721fd2df7a04eb5d196ac1ea75dad2df581f5acdcd25dded24.exe | MediaCenter.exe
  PID 1212 wrote to memory of 648 | 1212 | 04fce09c465c6b721fd2df7a04eb5d196ac1ea75dad2df581f5acdcd25dded24.exe | MediaCenter.exe
  PID 1212 wrote to memory of 648 | 1212 | 04fce09c465c6b721fd2df7a04eb5d196ac1ea75dad2df581f5acdcd25dded24.exe | MediaCenter.exe
  PID 1212 wrote to memory of 1668 | 1212 | 04fce09c465c6b721fd2df7a04eb5d196ac1ea75dad2df581f5acdcd25dded24.exe | cmd.exe
  PID 1212 wrote to memory of 1668 | 1212 | 04fce09c465c6b721fd2df7a04eb5d196ac1ea75dad2df581f5acdcd25dded24.exe | cmd.exe
  PID 1212 wrote to memory of 1668 | 1212 | 04fce09c465c6b721fd2df7a04eb5d196ac1ea75dad2df581f5acdcd25dded24.exe | cmd.exe
  PID 1212 wrote to memory of 1668 | 1212 | 04fce09c465c6b721fd2df7a04eb5d196ac1ea75dad2df581f5acdcd25dded24.exe | cmd.exe
  PID 1668 wrote to memory of 1032 | 1668 | cmd.exe | PING.EXE
  PID 1668 wrote to memory of 1032 | 1668 | cmd.exe | PING.EXE
  PID 1668 wrote to memory of 1032 | 1668 | cmd.exe | PING.EXE
  PID 1668 wrote to memory of 1032 | 1668 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\04fce09c465c6b721fd2df7a04eb5d196ac1ea75dad2df581f5acdcd25dded24.exe (depth 1, PID 1212)
  Command line: "C:\Users\Admin\AppData\Local\Temp\04fce09c465c6b721fd2df7a04eb5d196ac1ea75dad2df581f5acdcd25dded24.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2, PID 648)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1668)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04fce09c465c6b721fd2df7a04eb5d196ac1ea75dad2df581f5acdcd25dded24.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\PING.EXE (depth 3, PID 1032)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 6acef93d5365891d72c9228d149fcf9d
  SHA1: f1d8e337db9927a60f440fca13b80f7a0022a764
  SHA256: e4e1898abc3bac6c33a31fdae31942c65dd46e019a7da7ed95f60d0e33722278
  SHA512: 0082bb6b365bebdd64ace48d86a1261d2215a463db4f9efa855ee4b8391dbf1670fb086982fad1dc84631621db666de394cddbc815a40948f6d7e8246b51b8dd
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 6acef93d5365891d72c9228d149fcf9d
  SHA1: f1d8e337db9927a60f440fca13b80f7a0022a764
  SHA256: e4e1898abc3bac6c33a31fdae31942c65dd46e019a7da7ed95f60d0e33722278
  SHA512: 0082bb6b365bebdd64ace48d86a1261d2215a463db4f9efa855ee4b8391dbf1670fb086982fad1dc84631621db666de394cddbc815a40948f6d7e8246b51b8dd
- memory/648-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1212-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
  Filesize: 8KB
- memory/1212-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB