Analysis
- max time kernel: 147s
- max time network: 171s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:27
Static task: static1
Behavioral task: behavioral1
  Sample: 0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe
  Resource: win10v2004-en-20220113
General
- Target: 0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe
- Size: 216KB
- MD5: 39d5f725284d06a60a5efc77be8c17ee
- SHA1: a493aec501a3d0e45fc625f6d230f82e2e26b4bb
- SHA256: 0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885
- SHA512: 13b7c3eea0733a7e5b1ce93846f0651c49264eab51d5094f7a3a88ca1e5cdf34d026613e6aef191d759e9002db47ff1c285058662107f9ca12f693d442bdfaef
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    behavioral1/memory/740-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
    behavioral1/memory/1672-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    1672 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid | process
    1612 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid | process
    740 | 0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 740 | 0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 740 wrote to memory of 1672 | 740 | 0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe | MediaCenter.exe
    PID 740 wrote to memory of 1672 | 740 | 0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe | MediaCenter.exe
    PID 740 wrote to memory of 1672 | 740 | 0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe | MediaCenter.exe
    PID 740 wrote to memory of 1672 | 740 | 0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe | MediaCenter.exe
    PID 740 wrote to memory of 1612 | 740 | 0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe | cmd.exe
    PID 740 wrote to memory of 1612 | 740 | 0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe | cmd.exe
    PID 740 wrote to memory of 1612 | 740 | 0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe | cmd.exe
    PID 740 wrote to memory of 1612 | 740 | 0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe | cmd.exe
    PID 1612 wrote to memory of 1132 | 1612 | cmd.exe | PING.EXE
    PID 1612 wrote to memory of 1132 | 1612 | cmd.exe | PING.EXE
    PID 1612 wrote to memory of 1132 | 1612 | cmd.exe | PING.EXE
    PID 1612 wrote to memory of 1132 | 1612 | cmd.exe | PING.EXE
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe"
  PID: 740
  Signatures:
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1672
    Signatures:
      - Executes dropped EXE
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ff210133a0ced32e71ceae2736dbeebd4017578bb31f803443790c9a2fb6885.exe"
    PID: 1612
    Signatures:
      - Deletes itself
      - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1132
      Signatures:
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 86536ccef05c96ccd258b907434d0323
  SHA1: 0324b4acb4fd90537afa23ca2616e3b6ca420fa0
  SHA256: 7f1c96f8e363fcfa7c54d7ab0e0a4b4569a0e51108034173fe61621d3adaecdc
  SHA512: 25d73be0048f9b2d6daee9c97592c5367f11adc05ee91954418b33ac5428afde2919812b2b855005670142d3b866962cbd55f86f7ef3a3c1647d0e573a369ae7