Analysis
- max time kernel: 150s
- max time network: 171s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:14
Static task: static1
Behavioral task: behavioral1
  Sample: 04ea9fea1499708c74164e4dd15c7ac318d42310cd3644a390c200ee8a4b0244.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 04ea9fea1499708c74164e4dd15c7ac318d42310cd3644a390c200ee8a4b0244.exe
  Resource: win10v2004-en-20220113
General
- Target: 04ea9fea1499708c74164e4dd15c7ac318d42310cd3644a390c200ee8a4b0244.exe
- Size: 150KB
- MD5: f463627940b19d5419411a4bb290024b
- SHA1: 00086d89d4086157f0c4f3b32b8b99e8f2b7428f
- SHA256: 04ea9fea1499708c74164e4dd15c7ac318d42310cd3644a390c200ee8a4b0244
- SHA512: 50d07f4c57bf82be2c6d713c7db72b11559045086a32da2a6a48281589f59d2d2d06704c71613734d44b8bdabb18fe81d3a04f3011d5c0a7a6311fb594160e65
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource | yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes (process | pid):
    MediaCenter.exe | 1760
- Deletes itself (1 IoC)
  Processes (process | pid):
    cmd.exe | 932
- Loads dropped DLL (1 IoC)
  Processes (process | pid):
    04ea9fea1499708c74164e4dd15c7ac318d42310cd3644a390c200ee8a4b0244.exe | 1088
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 04ea9fea1499708c74164e4dd15c7ac318d42310cd3644a390c200ee8a4b0244.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 1088 | 04ea9fea1499708c74164e4dd15c7ac318d42310cd3644a390c200ee8a4b0244.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 1088 wrote to memory of 1760 | 1088 | 04ea9fea1499708c74164e4dd15c7ac318d42310cd3644a390c200ee8a4b0244.exe | MediaCenter.exe
    PID 1088 wrote to memory of 1760 | 1088 | 04ea9fea1499708c74164e4dd15c7ac318d42310cd3644a390c200ee8a4b0244.exe | MediaCenter.exe
    PID 1088 wrote to memory of 1760 | 1088 | 04ea9fea1499708c74164e4dd15c7ac318d42310cd3644a390c200ee8a4b0244.exe | MediaCenter.exe
    PID 1088 wrote to memory of 1760 | 1088 | 04ea9fea1499708c74164e4dd15c7ac318d42310cd3644a390c200ee8a4b0244.exe | MediaCenter.exe
    PID 1088 wrote to memory of 932 | 1088 | 04ea9fea1499708c74164e4dd15c7ac318d42310cd3644a390c200ee8a4b0244.exe | cmd.exe
    PID 1088 wrote to memory of 932 | 1088 | 04ea9fea1499708c74164e4dd15c7ac318d42310cd3644a390c200ee8a4b0244.exe | cmd.exe
    PID 1088 wrote to memory of 932 | 1088 | 04ea9fea1499708c74164e4dd15c7ac318d42310cd3644a390c200ee8a4b0244.exe | cmd.exe
    PID 1088 wrote to memory of 932 | 1088 | 04ea9fea1499708c74164e4dd15c7ac318d42310cd3644a390c200ee8a4b0244.exe | cmd.exe
    PID 932 wrote to memory of 1980 | 932 | cmd.exe | PING.EXE
    PID 932 wrote to memory of 1980 | 932 | cmd.exe | PING.EXE
    PID 932 wrote to memory of 1980 | 932 | cmd.exe | PING.EXE
    PID 932 wrote to memory of 1980 | 932 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\04ea9fea1499708c74164e4dd15c7ac318d42310cd3644a390c200ee8a4b0244.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04ea9fea1499708c74164e4dd15c7ac318d42310cd3644a390c200ee8a4b0244.exe"
  PID: 1088
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1760
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04ea9fea1499708c74164e4dd15c7ac318d42310cd3644a390c200ee8a4b0244.exe"
    PID: 932
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1980
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 1a90b498bce4ae13b316f512c1bdd788
  SHA1: ddf8dfce05df14a4e4f9cec5ad0963bebe1b6c72
  SHA256: e4f4924727cbf1c33921a99cf24940591bc18bac360b9002728748409bb8c5ae
  SHA512: f55b96d3d4ea09f58873e0031442a6dbdc113b4356035e8e34a4967d5e3b9acd4a6bd01e44c57022b368823cd97726b9f71637bdcbf383811b5097e4d88fe5a2
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 1a90b498bce4ae13b316f512c1bdd788
  SHA1: ddf8dfce05df14a4e4f9cec5ad0963bebe1b6c72
  SHA256: e4f4924727cbf1c33921a99cf24940591bc18bac360b9002728748409bb8c5ae
  SHA512: f55b96d3d4ea09f58873e0031442a6dbdc113b4356035e8e34a4967d5e3b9acd4a6bd01e44c57022b368823cd97726b9f71637bdcbf383811b5097e4d88fe5a2
- memory/1088-54-0x0000000075341000-0x0000000075343000-memory.dmp
  Filesize: 8KB