Analysis
max time kernel: 144s
max time network: 160s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 12:53
Static task: static1
Behavioral task: behavioral1
  Sample: 001588d2dc87594c54abf313af7cbe72b5138b16c253b7356038c9213a3f8a1a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 001588d2dc87594c54abf313af7cbe72b5138b16c253b7356038c9213a3f8a1a.exe
  Resource: win10v2004-en-20220113
General
Target: 001588d2dc87594c54abf313af7cbe72b5138b16c253b7356038c9213a3f8a1a.exe
Size: 116KB
MD5: de1ddc0a7cb7357a4f58f69eaad97863
SHA1: 28409e3d498ed4fe183026a1c0c884ffaf1225bd
SHA256: 001588d2dc87594c54abf313af7cbe72b5138b16c253b7356038c9213a3f8a1a
SHA512: a3008c2e5f507b0972cdc823c48379624bfd4a0dc29d1fa380b0745b4cb5186221f7af979debe82812f016e6ebcd99504ff090a4f57787ecaf16db8bb2287b3d
Malware Config
Signatures
Sakula Payload (4 IoCs)
Processes:
  resource                                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
  behavioral1/memory/1756-58-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
  behavioral1/memory/1192-59-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  1192  MediaCenter.exe

Deletes itself (1 IoC)
Processes:
  pid   process
  600   cmd.exe

Loads dropped DLL (1 IoC)
Processes:
  pid   process
  1756  001588d2dc87594c54abf313af7cbe72b5138b16c253b7356038c9213a3f8a1a.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description      ioc                                                                                                                                                          process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  001588d2dc87594c54abf313af7cbe72b5138b16c253b7356038c9213a3f8a1a.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description                         pid   process
  Token: SeIncBasePriorityPrivilege   1756  001588d2dc87594c54abf313af7cbe72b5138b16c253b7356038c9213a3f8a1a.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                        pid   process                                                                 target process
  PID 1756 wrote to memory of 1192   1756  001588d2dc87594c54abf313af7cbe72b5138b16c253b7356038c9213a3f8a1a.exe   MediaCenter.exe
  PID 1756 wrote to memory of 1192   1756  001588d2dc87594c54abf313af7cbe72b5138b16c253b7356038c9213a3f8a1a.exe   MediaCenter.exe
  PID 1756 wrote to memory of 1192   1756  001588d2dc87594c54abf313af7cbe72b5138b16c253b7356038c9213a3f8a1a.exe   MediaCenter.exe
  PID 1756 wrote to memory of 1192   1756  001588d2dc87594c54abf313af7cbe72b5138b16c253b7356038c9213a3f8a1a.exe   MediaCenter.exe
  PID 1756 wrote to memory of 600    1756  001588d2dc87594c54abf313af7cbe72b5138b16c253b7356038c9213a3f8a1a.exe   cmd.exe
  PID 1756 wrote to memory of 600    1756  001588d2dc87594c54abf313af7cbe72b5138b16c253b7356038c9213a3f8a1a.exe   cmd.exe
  PID 1756 wrote to memory of 600    1756  001588d2dc87594c54abf313af7cbe72b5138b16c253b7356038c9213a3f8a1a.exe   cmd.exe
  PID 1756 wrote to memory of 600    1756  001588d2dc87594c54abf313af7cbe72b5138b16c253b7356038c9213a3f8a1a.exe   cmd.exe
  PID 600 wrote to memory of 1056    600   cmd.exe                                                                 PING.EXE
  PID 600 wrote to memory of 1056    600   cmd.exe                                                                 PING.EXE
  PID 600 wrote to memory of 1056    600   cmd.exe                                                                 PING.EXE
  PID 600 wrote to memory of 1056    600   cmd.exe                                                                 PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\001588d2dc87594c54abf313af7cbe72b5138b16c253b7356038c9213a3f8a1a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\001588d2dc87594c54abf313af7cbe72b5138b16c253b7356038c9213a3f8a1a.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\001588d2dc87594c54abf313af7cbe72b5138b16c253b7356038c9213a3f8a1a.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      - Runs ping.exe
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 33d41e6837facb8cdaee8e8cc2ac07cf
  SHA1: 84c2db7181f45d6dd9692d06094163ad20a732e8
  SHA256: 1b483cd6b95b5a7352b5e47a101969ad10652add80985a7530fa61bb2735a25d
  SHA512: 70e3eedf54c61d3bdb6652c594d8426b21c2f255e9194b9674cfa4b35d8659782e1bcb6587b246cc0201f146051f7c2b10a0d08935b0664be1d7ed83e266a222
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 33d41e6837facb8cdaee8e8cc2ac07cf
  SHA1: 84c2db7181f45d6dd9692d06094163ad20a732e8
  SHA256: 1b483cd6b95b5a7352b5e47a101969ad10652add80985a7530fa61bb2735a25d
  SHA512: 70e3eedf54c61d3bdb6652c594d8426b21c2f255e9194b9674cfa4b35d8659782e1bcb6587b246cc0201f146051f7c2b10a0d08935b0664be1d7ed83e266a222
memory/1192-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
memory/1756-54-0x0000000076071000-0x0000000076073000-memory.dmp
  Filesize: 8KB
memory/1756-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB