Analysis
max time kernel
132s
max time network
140s
platform
windows7_x64
resource
win7-en-20211208
submitted
12-02-2022 11:43
Static task
static1
Behavioral task
behavioral1
Sample
0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe
Resource
win10v2004-en-20220113
General
Target
0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe
Size
150KB
MD5
ae7a46e3ae6f9a3396c3843bd52d726c
SHA1
3cabbbd817c8a53c27011eb8538cd2f1bd22f848
SHA256
0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde
SHA512
600a108effc7a7143a6bc99dcf7ef31be5b19c47da13c00bba7b0833e439c5a700208a21cf4a3a92acd16b058585c5b985cf199f6ee8fdf6a4d6816c12becf70
Malware Config
Signatures
Sakula Payload 2 IoCs
Processes:
resource                                                      yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

Executes dropped EXE 1 IoCs
Processes:
pid: 1092
process: MediaCenter.exe

Deletes itself 1 IoCs
Processes:
pid: 964
process: cmd.exe

Loads dropped DLL 1 IoCs
Processes:
pid: 1624
process: 0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
process: 0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe 1 TTPs 1 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description: Token: SeIncBasePriorityPrivilege
pid: 1624
process: 0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe

Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                       pid   process                                                                   target process
PID 1624 wrote to memory of 1092  1624  0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe  MediaCenter.exe
PID 1624 wrote to memory of 1092  1624  0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe  MediaCenter.exe
PID 1624 wrote to memory of 1092  1624  0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe  MediaCenter.exe
PID 1624 wrote to memory of 1092  1624  0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe  MediaCenter.exe
PID 1624 wrote to memory of 964   1624  0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe  cmd.exe
PID 1624 wrote to memory of 964   1624  0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe  cmd.exe
PID 1624 wrote to memory of 964   1624  0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe  cmd.exe
PID 1624 wrote to memory of 964   1624  0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe  cmd.exe
PID 964 wrote to memory of 1824   964   cmd.exe                                                                   PING.EXE
PID 964 wrote to memory of 1824   964   cmd.exe                                                                   PING.EXE
PID 964 wrote to memory of 1824   964   cmd.exe                                                                   PING.EXE
PID 964 wrote to memory of 1824   964   cmd.exe                                                                   PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe
  "C:\Users\Admin\AppData\Local\Temp\0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1624
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID:1092
    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0398c785e04f311acbee7249a466b42197530b0f6108c79c5a2ed2750596dcde.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID:964
        C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          - Runs ping.exe
          PID:1824
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
38db52cb6d5dff7c8d44503ac6907ad1
SHA1
fcf55fa6cd07030cb01e4dd50b583b57c29966c7
SHA256
98c290eb4fcdd35a0fe9d6c28b6eadef029889e681c7acc919f708fd6adea0f5
SHA512
f28ce8b0ae85bc9c5a11f3dbe2bda0c33aaab66d6b3f523e3e2bea17cab680bdbb2dc843b265fc3a8e06c27fbffb1fe351f321ae75b0037f2f573d98d48056d8

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
38db52cb6d5dff7c8d44503ac6907ad1
SHA1
fcf55fa6cd07030cb01e4dd50b583b57c29966c7
SHA256
98c290eb4fcdd35a0fe9d6c28b6eadef029889e681c7acc919f708fd6adea0f5
SHA512
f28ce8b0ae85bc9c5a11f3dbe2bda0c33aaab66d6b3f523e3e2bea17cab680bdbb2dc843b265fc3a8e06c27fbffb1fe351f321ae75b0037f2f573d98d48056d8

memory/1624-54-0x0000000076121000-0x0000000076123000-memory.dmp
Filesize
8KB