Analysis

max time kernel: 153s
max time network: 153s
platform: windows7_x64
resource: win7-en-20211208
submitted: 30-01-2022 18:51
Static task: static1

Behavioral task: behavioral1
  Sample: 0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c.exe
  Resource: win10-en-20211208
General

Target: 0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c.exe
Size: 89KB
MD5: 55daa4271973bb71ad4548225675e389
SHA1: 3d564bb416742c3f02d2196af2acbe830ce3a2c3
SHA256: 0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c
SHA512: f2cf7586075565eaea866937d242406e0d134d4d491a760b01ca419233066dc5824116e86d8eb14a7de326f3ac91269663473ccd23f470bc1d6454cec600837c
Malware Config
Signatures
Sakula Payload (2 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

Executes dropped EXE (1 IoC)
  pid 1616  MediaCenter.exe

Deletes itself (1 IoC)
  pid 1816  cmd.exe

Loads dropped DLL (1 IoC)
  pid 1608  0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege  pid 1608  0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1608 wrote to memory of 1616  0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c.exe -> MediaCenter.exe  (4 events)
  PID 1608 wrote to memory of 1816  0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c.exe -> cmd.exe  (4 events)
  PID 1816 wrote to memory of 956   cmd.exe -> PING.EXE  (4 events)
  In all three cases the writer is the direct parent of the target process, which is what CreateProcess itself does when it sets up a new child; these events alone are not evidence of code injection.
Processes

1. C:\Users\Admin\AppData\Local\Temp\0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c.exe"
   PID: 1608
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1616
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c.exe"
      PID: 1816
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 956
         - Runs ping.exe

Two details of the tree are worth noting. The ping of 127.0.0.1 is only a delay: by the time del runs, the parent (PID 1608) has exited and its image file is no longer locked, so the original sample can be removed while the dropped MediaCenter.exe keeps running. The image path of cmd.exe and PING.EXE is C:\Windows\SysWOW64 even though the command line names System32: the sample is a 32-bit process on a 64-bit host, so the path is redirected by WoW64, which is also why the Run key above lands under Wow6432Node.
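The "Deletes itself" and "Adds Run key to start application" signatures above are both cheap to detect from endpoint telemetry. The following is an added example, not part of the sandbox report or of any vendor's rules: it runs two checks over constructed Sysmon-style events (Event ID 1 process creation and Event ID 13 registry value set). The event records, the decoy benign events, the field names and the rule names are assumptions made for the example; the PIDs, paths and registry value are taken from this report.

```python
"""Added detection example (not part of the sandbox report): flag the two
behaviours this report records, using constructed Sysmon-style events.

Assumptions: event records are dicts shaped like Sysmon Event ID 1
(process creation) and Event ID 13 (registry value set). The events below
are constructed from the PIDs, paths and registry value in the report, plus
two benign decoys; they are not exported sandbox data."""
import re
from typing import Dict, List, Optional

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# "ping <host> & del [/switches] <path>": the ping only exists to delay the
# delete until the parent process has exited and released its image file.
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:-n\s+\d+\s+)?\S+.*?&+\s*del\s+(?:/[a-z]\s+)*"?(?P<path>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def extract_self_delete_target(cmdline: str) -> Optional[str]:
    """Return the path a ping-then-del command line deletes, or None."""
    m = SELF_DELETE_RE.search(cmdline)
    return m.group("path").strip() if m else None


def run_key_value_name(target_object: str) -> Optional[str]:
    """Return the Run/RunOnce value name if target_object is such a key, else None."""
    m = RUN_KEY_RE.search(target_object)
    return m.group("name") if m else None


def scan(events: List[Dict]) -> List[Dict]:
    """Return one finding per matching event; benign events yield nothing."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            target = extract_self_delete_target(ev.get("CommandLine", ""))
            if target is not None:
                findings.append({
                    "rule": "self_delete_via_ping",
                    "pid": ev["ProcessId"],
                    "deleted_path": target,
                    # Deleting the parent's own image is the self-deletion
                    # signature; deleting some other file is weaker evidence.
                    "deletes_parent_image": target.lower() == ev.get("ParentImage", "").lower(),
                })
        elif ev["EventID"] == 13:
            name = run_key_value_name(ev["TargetObject"])
            if name and TEMP_DIR_RE.search(ev["Details"]):
                findings.append({
                    "rule": "temp_run_key_persistence",
                    "pid": ev["ProcessId"],
                    "value_name": name,
                    "target": ev["Details"],
                    "set_by": ev["Image"],
                })
    return findings


# Constructed events (see docstring); PIDs and paths follow the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1616, "Image": DROPPED, "CommandLine": DROPPED,
     "ParentProcessId": 1608, "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 1816, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"',
     "ParentProcessId": 1608, "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 956, "Image": r"C:\Windows\SysWOW64\PING.EXE",
     "CommandLine": "ping 127.0.0.1", "ParentProcessId": 1816,
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    {"EventID": 13, "ProcessId": 1608, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED},
    # Decoys: an installer cleaning up a log, and a vendor Run key outside Temp.
    {"EventID": 1, "ProcessId": 2001, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c ping 127.0.0.1 & del /q "C:\Temp\setup.log"',
     "ParentProcessId": 2000, "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
    {"EventID": 13, "ProcessId": 2000, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Run on the constructed events, the scan yields three findings: the cmd.exe line from this report (PID 1816) with deletes_parent_image set, the installer decoy (PID 2001) as a weaker hit because the deleted file is not the parent's image, and the MicroMedia Run key because its target lives under AppData\Local\Temp. The vendor Run key and the bare ping are not reported. The deletes_parent_image flag is the field to alert on; the plain ping-then-del pattern appears in legitimate installers and needs the parent-image correlation to be useful.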
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 97f67589a43f9a23cd19ddaaf65f6044
SHA1: bcb40f29ba510df66576865fd3a0c36305b74417
SHA256: 3d130d7f1b90040a266ebb31d72449334c0e3d5c271f3946fc301837e8c9ed48
SHA512: 96e7c1511b61d648cfd06e956da2a46fb0bd817980d81b1b0bf6f8ce71da2e0caa279547ef9341f6f5ccd8dd890a38d868c8ee01225958fbb20b13948a4bc3ef