Analysis
- max time kernel: 153s
- max time network: 167s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:29
Static task: static1
Behavioral task: behavioral1
  Sample: 0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe
  Resource: win10v2004-en-20220112
General
- Target: 0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe
- Size: 216KB
- MD5: 2443b30396b435cd5a356b1accead931
- SHA1: 2690cc86af2d62d96ef32e7efc8a132a5489c86e
- SHA256: 0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e
- SHA512: d2ef09b6c7168fe8ceb1286aa4f103866845d7e0d701d4e9645018af72f72b078e5c91300411762280b5de89589201f95a2d5ff0f040867387c76219fb1abaa5
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1864-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1816-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  pid | process
  1816 | MediaCenter.exe
- Deletes itself (1 IoC)
  pid | process
  1988 | cmd.exe
- Loads dropped DLL (1 IoC)
  pid | process
  1864 | 0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1864 | 0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 1864 wrote to memory of 1816 | 1864 | 0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe | MediaCenter.exe
  PID 1864 wrote to memory of 1816 | 1864 | 0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe | MediaCenter.exe
  PID 1864 wrote to memory of 1816 | 1864 | 0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe | MediaCenter.exe
  PID 1864 wrote to memory of 1816 | 1864 | 0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe | MediaCenter.exe
  PID 1864 wrote to memory of 1988 | 1864 | 0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe | cmd.exe
  PID 1864 wrote to memory of 1988 | 1864 | 0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe | cmd.exe
  PID 1864 wrote to memory of 1988 | 1864 | 0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe | cmd.exe
  PID 1864 wrote to memory of 1988 | 1864 | 0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe | cmd.exe
  PID 1988 wrote to memory of 2000 | 1988 | cmd.exe | PING.EXE
  PID 1988 wrote to memory of 2000 | 1988 | cmd.exe | PING.EXE
  PID 1988 wrote to memory of 2000 | 1988 | cmd.exe | PING.EXE
  PID 1988 wrote to memory of 2000 | 1988 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe"
  PID: 1864
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1816
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe"
    PID: 1988
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      PID: 2000
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f51a9b306d4339543626e402b38e8863
  SHA1: b3b38a0e66a71c87074f35f3c9c211b2057deff0
  SHA256: 6f7007a24a813c284c994cd1a795661699171570907068e6982983465cfc4bb9
  SHA512: a26e80fadc28723996e134eee2d43a998f7e712c073a562a3ef9986292bef2e41c1750c48b1550bacfa44ca76e54dd9bee706ed8c4a55bda4d4344847cbf36af