Analysis
- max time kernel: 157s
- max time network: 173s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:30
Static task: static1
Behavioral task: behavioral1
  Sample: 0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe
  Resource: win10v2004-en-20220112
General
- Target: 0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe
- Size: 150KB
- MD5: ac1f85e59d1c3c0c624d0fa7225d629a
- SHA1: d1879b3f8b1432cd895a8f41e0f21fced5a97b78
- SHA256: 0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439
- SHA512: fbe3658c29d3f241f65479d4c6b6de17ebe6ec5c8033e885a8e9742c9ee01c1bd69025990d6bc467c489421f6130193b224957e9e4a34965732d6f81cb537de3
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource / yara_rule):
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
    1548  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid / process):
    1084  cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid / process):
    1164  0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege  1164  0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1164 wrote to memory of 1548  1164  0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe  MediaCenter.exe
    PID 1164 wrote to memory of 1548  1164  0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe  MediaCenter.exe
    PID 1164 wrote to memory of 1548  1164  0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe  MediaCenter.exe
    PID 1164 wrote to memory of 1548  1164  0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe  MediaCenter.exe
    PID 1164 wrote to memory of 1084  1164  0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe  cmd.exe
    PID 1164 wrote to memory of 1084  1164  0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe  cmd.exe
    PID 1164 wrote to memory of 1084  1164  0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe  cmd.exe
    PID 1164 wrote to memory of 1084  1164  0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe  cmd.exe
    PID 1084 wrote to memory of 1964  1084  cmd.exe  PING.EXE
    PID 1084 wrote to memory of 1964  1084  cmd.exe  PING.EXE
    PID 1084 wrote to memory of 1964  1084  cmd.exe  PING.EXE
    PID 1084 wrote to memory of 1964  1084  cmd.exe  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe (PID 1164)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1548)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1084)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0436c4f312b735d250ceadf94f4d7d694a80554dbc0ce9a5ab5c9f5bada43439.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1964)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: aa04ed8d36fb97b6cb563ad40dea03a1
  SHA1: fabdf7068716d8b02d062192fef09a94e8f36d36
  SHA256: a23d2171d31df17dd99f79a05cfffb4f4f25aa0bc0886be11fc4dde8cb8a23b6
  SHA512: c276171d819e63105853aa57c6ca8e88c88928cb9f922acd997273dc65ff644b273235232839f2c2e9cec5feb1fdcda24fb07eeecfe7788ecd92e75193230ed5
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: aa04ed8d36fb97b6cb563ad40dea03a1
  SHA1: fabdf7068716d8b02d062192fef09a94e8f36d36
  SHA256: a23d2171d31df17dd99f79a05cfffb4f4f25aa0bc0886be11fc4dde8cb8a23b6
  SHA512: c276171d819e63105853aa57c6ca8e88c88928cb9f922acd997273dc65ff644b273235232839f2c2e9cec5feb1fdcda24fb07eeecfe7788ecd92e75193230ed5
- memory/1164-54-0x0000000076491000-0x0000000076493000-memory.dmp
  Filesize: 8KB