Analysis
- max time kernel: 148s
- max time network: 162s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 18:51
Static task: static1
Behavioral task: behavioral1
- Sample: 0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c.exe
- Resource: win10-en-20211208
General
- Target: 0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c.exe
- Size: 89KB
- MD5: 55daa4271973bb71ad4548225675e389
- SHA1: 3d564bb416742c3f02d2196af2acbe830ce3a2c3
- SHA256: 0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c
- SHA512: f2cf7586075565eaea866937d242406e0d134d4d491a760b01ca419233066dc5824116e86d8eb14a7de326f3ac91269663473ccd23f470bc1d6454cec600837c
Malware Config
Signatures
-
Sakula Payload (2 IoCs)
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE (1 IoCs)
Processes:
  pid 2816: MediaCenter.exe
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe (1 TTPs, 1 IoCs)
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  pid 3792 (0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c.exe): Token: SeIncBasePriorityPrivilege
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  PID 3792 (0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c.exe) wrote to memory of 2816 (MediaCenter.exe)
  PID 3792 (0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c.exe) wrote to memory of 2816 (MediaCenter.exe)
  PID 3792 (0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c.exe) wrote to memory of 2816 (MediaCenter.exe)
  PID 3792 (0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c.exe) wrote to memory of 4316 (cmd.exe)
  PID 3792 (0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c.exe) wrote to memory of 4316 (cmd.exe)
  PID 3792 (0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c.exe) wrote to memory of 4316 (cmd.exe)
  PID 4316 (cmd.exe) wrote to memory of 1736 (PING.EXE)
  PID 4316 (cmd.exe) wrote to memory of 1736 (PING.EXE)
  PID 4316 (cmd.exe) wrote to memory of 1736 (PING.EXE)
Processes
- C:\Users\Admin\AppData\Local\Temp\0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3792
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 2816
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0dca2c41d2e4c869660673f2097a1e66cace2cd9f7dad1c3fc6f75bbce5c564c.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4316
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1736
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: ab845d546bfbce916c80f18125253fc6
SHA1: c839f7b945c4c476af717c29eab5817f9fed21fd
SHA256: 463fae22a0b2a407ae95a6faa098fd6e71b5bef2564d169e6ca367e2be70d1f8
SHA512: 9d723aa0e575a14d6e2b74018c93d9836011eb8a0c72226dae1c8ffbb1e70bdd18d29e6e2247f76b7ebea989245e866af8136d96663ad0afd3ed0fdd217c0c0c