Analysis
max time kernel: 146s
max time network: 160s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 11:16
Static task: static1
Behavioral task: behavioral1
  Sample: 04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe
  Resource: win10v2004-en-20220113
General
Target: 04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe
Size: 216KB
MD5: 302d599e42b91c11e2be761923e2a619
SHA1: c4e3f91cd0e3b2a94ac25769a1a182e850615444
SHA256: 04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441
SHA512: 300bc552240a70de253f0309230453b604b2268facf22d5f955c9f0298c7171e5e57eb5e8d97a9f6fb90de7ea2425aad286ba70724e9d0fe779a618855005b70
Malware Config
Signatures
Sakula Payload 4 IoCs
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  yara_rule: family_sakula
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  yara_rule: family_sakula
  resource: behavioral1/memory/1864-58-0x0000000000400000-0x0000000000420000-memory.dmp
  yara_rule: family_sakula
  resource: behavioral1/memory/1816-59-0x0000000000400000-0x0000000000420000-memory.dmp
  yara_rule: family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE 1 IoCs
Processes: MediaCenter.exe
  pid: 1816
  process: MediaCenter.exe
Deletes itself 1 IoCs
Processes: cmd.exe
  pid: 812
  process: cmd.exe
Loads dropped DLL 1 IoCs
Processes: 04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe
  pid: 1864
  process: 04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: 04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe
  description: Token: SeIncBasePriorityPrivilege
  pid: 1864
  process: 04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes: 04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe, cmd.exe
  description: PID 1864 wrote to memory of 1816
  pid: 1864
  process: 04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe
  target process: MediaCenter.exe
  (4 identical entries)
  description: PID 1864 wrote to memory of 812
  pid: 1864
  process: 04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe
  target process: cmd.exe
  (4 identical entries)
  description: PID 812 wrote to memory of 1980
  pid: 812
  process: cmd.exe
  target process: PING.EXE
  (4 identical entries)
Processes
image: C:\Users\Admin\AppData\Local\Temp\04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe
command line: "C:\Users\Admin\AppData\Local\Temp\04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1864
  image: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID:1816
  image: C:\Windows\SysWOW64\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:812
    image: C:\Windows\SysWOW64\PING.EXE
    command line: ping 127.0.0.1
      - Runs ping.exe
      PID:1980
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 32bd2c4d3e339acc56593a765197e658
  SHA1: ef318041243a08b1a9ad1a1cb0b5ced0032d0b7f
  SHA256: da13de54ecf4d3b973c59e46e17b514076059691f32345b4e5445458a62eaf01
  SHA512: 0ada0e741f2cda24b3d6756a87096e8dc7d5bcbd0bdd935b1db38082ab9c89d2937d380d1ac6fa02a80596b7ce2b3ca8549aafe3cce048c61392bc0e3cf43efc
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 32bd2c4d3e339acc56593a765197e658
  SHA1: ef318041243a08b1a9ad1a1cb0b5ced0032d0b7f
  SHA256: da13de54ecf4d3b973c59e46e17b514076059691f32345b4e5445458a62eaf01
  SHA512: 0ada0e741f2cda24b3d6756a87096e8dc7d5bcbd0bdd935b1db38082ab9c89d2937d380d1ac6fa02a80596b7ce2b3ca8549aafe3cce048c61392bc0e3cf43efc
memory/1816-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
memory/1864-54-0x0000000076041000-0x0000000076043000-memory.dmp
  Filesize: 8KB
memory/1864-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB