Analysis
max time kernel: 149s
max time network: 167s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:30

Static task: static1
Behavioral task: behavioral1
  Sample: 0fcd130df086cd9bdf6e2e74937ccb75915e93b873f934b895b38b714ba2230b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0fcd130df086cd9bdf6e2e74937ccb75915e93b873f934b895b38b714ba2230b.exe
  Resource: win10v2004-en-20220112
General
Target: 0fcd130df086cd9bdf6e2e74937ccb75915e93b873f934b895b38b714ba2230b.exe
Size: 150KB
MD5: c74a9948687d6f8c74d235c1c00b79b6
SHA1: fbcbc71ae8e025f20b4e9cf4d1f58e005991d702
SHA256: 0fcd130df086cd9bdf6e2e74937ccb75915e93b873f934b895b38b714ba2230b
SHA512: c5fa4f35c0271d32acf0c46f2c6352878249f7acb53bc5744228dbe81cdf954e78c8f22ad2638fc057613860e7e9a0d46d8b836b41a0838b40fe68030a7c44bb
Malware Config
Signatures
Sakula Payload (2 IoCs)
  resource                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoCs)
  PID 1624  MediaCenter.exe
Deletes itself (1 IoCs)
  PID 916   cmd.exe
Loads dropped DLL (1 IoCs)
  PID 1664  0fcd130df086cd9bdf6e2e74937ccb75915e93b873f934b895b38b714ba2230b.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  by PID 1664 (0fcd130df086cd9bdf6e2e74937ccb75915e93b873f934b895b38b714ba2230b.exe)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic annotation for this signature reads "likely ransomware behaviour", but the family matched here is a RAT (see the Sakula/Mivast CnC beacon signature above), and drive enumeration on its own is not evidence of file encryption.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeIncBasePriorityPrivilege  PID 1664 (0fcd130df086cd9bdf6e2e74937ccb75915e93b873f934b895b38b714ba2230b.exe)
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1664 (0fcd130df086cd9bdf6e2e74937ccb75915e93b873f934b895b38b714ba2230b.exe) wrote to memory of PID 1624 (MediaCenter.exe)  x4
  PID 1664 (0fcd130df086cd9bdf6e2e74937ccb75915e93b873f934b895b38b714ba2230b.exe) wrote to memory of PID 916 (cmd.exe)  x4
  PID 916 (cmd.exe) wrote to memory of PID 940 (PING.EXE)  x4
  Every write goes from a parent to a child it has just launched, which is consistent with process creation rather than injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\0fcd130df086cd9bdf6e2e74937ccb75915e93b873f934b895b38b714ba2230b.exe  (PID 1664)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0fcd130df086cd9bdf6e2e74937ccb75915e93b873f934b895b38b714ba2230b.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1624)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe  (PID 916)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0fcd130df086cd9bdf6e2e74937ccb75915e93b873f934b895b38b714ba2230b.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE  (PID 940)
      Command line: ping 127.0.0.1
      - Runs ping.exe
The 32-bit sample requests System32\cmd.exe but the image actually loaded is SysWOW64\cmd.exe: WOW64 file-system redirection, the same reason its Run key lands under Wow6432Node. The ping to 127.0.0.1 serves only as a short delay so that the original executable has exited before cmd.exe deletes it.
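The two host-side behaviours in this tree, self-deletion through `cmd /c ping 127.0.0.1 & del /q "<own path>"` and a Run value pointing into a user's Temp directory, are easy to miss if you only look at the Suricata hits. The Python below is an added detection example, not part of the sandbox report: it replays the process tree and the registry write shown above as constructed event records and flags (a) any cmd.exe whose `del`/`erase` target is the image of one of its own ancestors and (b) any Run/RunOnce value whose executable lives under `\Users\<name>\AppData\Local\Temp\`. The event record shapes, the parent PID 1000 for the sample, and the regular expressions are my assumptions, not the sandbox's data model.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # image path the OS actually loaded
    cmdline: str


@dataclass(frozen=True)
class RegSet:
    pid: int
    key: str        # registry key path, without the value name
    name: str
    value: str


# Constructed from the process tree and the Run-key IoC in the report above.
# The sample's parent PID (1000) is an assumption; the report does not show it.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0fcd130df086cd9bdf6e2e74937ccb75915e93b873f934b895b38b714ba2230b.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

PROCS = [
    Proc(1664, 1000, SAMPLE, f'"{SAMPLE}"'),
    Proc(1624, 1664, DROPPED, DROPPED),
    Proc(916, 1664, r"C:\Windows\SysWOW64\cmd.exe",
         f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    Proc(940, 916, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]
REG = [
    RegSet(1664, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
           "MicroMedia", DROPPED),
]

# "del /q "C:\path"" or "erase C:\path": capture the path, stop at quote, & or |.
DEL_RE = re.compile(r'\b(?:del|erase)\b(?:\s+/\w+)*\s+"?([^"&|]+?)"?\s*(?:$|&|\|)', re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.I)
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def ancestors(pid, procs):
    """Yield the parent, grandparent, ... of pid, stopping at unknown or cyclic PIDs."""
    by_pid = {p.pid: p for p in procs}
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        yield cur


def self_delete_targets(procs):
    """(cmd pid, ancestor pid, path) for every cmd.exe whose del target is an ancestor's image."""
    hits = []
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        for m in DEL_RE.finditer(p.cmdline):
            target = m.group(1).strip()
            for anc in ancestors(p.pid, procs):
                if anc.image.lower() == target.lower():
                    hits.append((p.pid, anc.pid, target))
    return hits


def temp_run_keys(regs):
    """(writer pid, value name, exe) for Run/RunOnce values that point into a user Temp dir."""
    out = []
    for r in regs:
        if RUN_KEY_RE.search(r.key):
            exe = r.value.strip().strip('"')
            if USER_TEMP_RE.match(exe):
                out.append((r.pid, r.name, exe))
    return out


if __name__ == "__main__":
    for cmd_pid, anc_pid, path in self_delete_targets(PROCS):
        print(f"self-delete: PID {cmd_pid} removes image of ancestor PID {anc_pid}: {path}")
    for pid, name, exe in temp_run_keys(REG):
        print(f"temp persistence: PID {pid} set Run value {name!r} -> {exe}")
```

Matching on the ancestor's image rather than on a literal `ping 127.0.0.1 & del` string keeps the check independent of the exact delay trick (timeout, sleep, a different host) and of quoting style; a `del` of some unrelated file by cmd.exe does not fire.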
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 77ae17f2790067ab87ce3cd6fb25d15d
SHA1: 1f801f6a23b7d012d3fe09901db076281434c285
SHA256: 10d3e55018a7b001667c01479a1a759c81c0d2ed80092d135e7d37ffee7730ed
SHA512: d273eb282eeb89a17a3b6d9595f9631954facb5e102976a6434615a86b7cc743e6a7cec82147be9143e6f87fc3ecdbfe2c335cc20aad8c5cdc7d8d4942605985