Analysis
max time kernel: 138s
max time network: 155s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 11:19
Static task: static1
Behavioral task: behavioral1
  Sample: 04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exe
  Resource: win10v2004-en-20220112
General
Target: 04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exe
Size: 150KB
MD5: 888e8e23f8091cb237feb652bc8652a0
SHA1: 8cfde56bdb72810ea21cbbf21654faa745a8208d
SHA256: 04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a
SHA512: 03e9153e17fef008304ebcf207ece03d128e5c250eb2b3980f74e3a26635edd90388884397ea14487173050e1129ba4d3bc26954ea799e8585fd955ec6717ff7
Malware Config
Signatures
Sakula Payload (2 IoCs)
  Processes:
    resource                                                       yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe     family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    652   MediaCenter.exe
Deletes itself (1 IoC)
  Processes:
    pid   process
    812   cmd.exe
Loads dropped DLL (1 IoC)
  Processes:
    pid    process
    1888   04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid: 1888
    process: 04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                      pid    process -> target process
    PID 1888 wrote to memory of 652  1888   04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exe -> MediaCenter.exe   (4 events)
    PID 1888 wrote to memory of 812  1888   04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exe -> cmd.exe           (4 events)
    PID 812 wrote to memory of 1996  812    cmd.exe -> PING.EXE                                                                    (4 events)
Processes
C:\Users\Admin\AppData\Local\Temp\04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1888
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 652
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04aecaa6bd2909c7cc700f0e0b6eb922d227b00409fd4cec9e3f54c49454342a.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 812
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1996
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 7bf478a2234f1d78831c221cd1dde46a
  SHA1: a55237a074168c53366b952587fb5565a5f15bc4
  SHA256: afcadb33d96efbd1b4492c12d6227984c0db7482d1586c2bd7f3e1bee8c6ef14
  SHA512: a206ecd4eb407a36fd84338db90ad86d3f82d5917e817533b68332733d5bd599e8231dc4345e9c132b3cc183080e30b7e405f69f4c47c593fa409992cbbf9964
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 7bf478a2234f1d78831c221cd1dde46a
  SHA1: a55237a074168c53366b952587fb5565a5f15bc4
  SHA256: afcadb33d96efbd1b4492c12d6227984c0db7482d1586c2bd7f3e1bee8c6ef14
  SHA512: a206ecd4eb407a36fd84338db90ad86d3f82d5917e817533b68332733d5bd599e8231dc4345e9c132b3cc183080e30b7e405f69f4c47c593fa409992cbbf9964
memory/1888-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
  Filesize: 8KB