Analysis
max time kernel: 158s
max time network: 171s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 07:12
Static task: static1
Behavioral task: behavioral1
  Sample: 0e3809c74a58f955dddace7c724c94f0e1e572f319fc002333f26ad29a3cfb27.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0e3809c74a58f955dddace7c724c94f0e1e572f319fc002333f26ad29a3cfb27.exe
  Resource: win10v2004-en-20220113
General
Target: 0e3809c74a58f955dddace7c724c94f0e1e572f319fc002333f26ad29a3cfb27.exe
Size: 216KB
MD5: 2fe39cd9f42e48b6c2b672b01dd46036
SHA1: 6e8f14b2c097ddb7dfd3509dd181f24cea1fa169
SHA256: 0e3809c74a58f955dddace7c724c94f0e1e572f319fc002333f26ad29a3cfb27
SHA512: b5b40d0961ef451b7644c24c88a3cdec2e5b98e20b16be518794c0aa62131516f3463b35b50f8d6dac4090bfea0d5bef84229e3ef067d1fd9d4377b763c72339
Malware Config
Signatures

Sakula Payload (4 IoCs)
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral1/memory/1680-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral1/memory/524-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
(The YARA rule matched both the dropped file on disk and the 0x400000-0x420000 image region of the parent, PID 1680, and of the dropped child, PID 524.)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
pid | process
524 | MediaCenter.exe

Deletes itself (1 IoC)
pid | process
976 | cmd.exe

Loads dropped DLL (1 IoC)
pid | process
1680 | 0e3809c74a58f955dddace7c724c94f0e1e572f319fc002333f26ad29a3cfb27.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0e3809c74a58f955dddace7c724c94f0e1e572f319fc002333f26ad29a3cfb27.exe
(HKLM Run key under Wow6432Node: the 32-bit sample wrote to the machine-wide Run key through WoW64 registry redirection, so the persistence survives across users, and the value points into a user-writable Temp directory.)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour", but this sample is classified as Sakula, a RAT, and nothing else in the report (no file encryption, no ransom note, no mass file writes) supports a ransomware reading; read the drive enumeration as host reconnaissance.
Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeIncBasePriorityPrivilege | 1680 | 0e3809c74a58f955dddace7c724c94f0e1e572f319fc002333f26ad29a3cfb27.exe

Suspicious use of WriteProcessMemory (12 IoCs)
pid | process | target pid | target process
1680 | 0e3809c74a58f955dddace7c724c94f0e1e572f319fc002333f26ad29a3cfb27.exe | 524 | MediaCenter.exe (reported 4 times)
1680 | 0e3809c74a58f955dddace7c724c94f0e1e572f319fc002333f26ad29a3cfb27.exe | 976 | cmd.exe (reported 4 times)
976 | cmd.exe | 2000 | PING.EXE (reported 4 times)
(Each writer is the parent of the target it writes to, and each target appears in the process tree as a freshly created child; with no other injection indicator in the report, this pattern is consistent with ordinary process creation rather than code injection into an unrelated process.)
Processes

C:\Users\Admin\AppData\Local\Temp\0e3809c74a58f955dddace7c724c94f0e1e572f319fc002333f26ad29a3cfb27.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0e3809c74a58f955dddace7c724c94f0e1e572f319fc002333f26ad29a3cfb27.exe"
  PID: 1680
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 524
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e3809c74a58f955dddace7c724c94f0e1e572f319fc002333f26ad29a3cfb27.exe"
    PID: 976
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      PID: 2000
      - Runs ping.exe

(The command line names System32\cmd.exe while the image path is SysWOW64\cmd.exe: the 32-bit sample's request for System32 was redirected by WoW64 on the x64 guest. The ping of 127.0.0.1 is only a delay so that the parent has exited before del runs; the original dropper is removed from Temp, and MediaCenter.exe, already registered under the Run key, is what persists.)
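The two behaviours the process tree and the Run-key signature above describe (persistence into a user-writable Temp path, and the cmd.exe "ping 127.0.0.1 & del" self-delete) are simple to catch in endpoint telemetry. The following is an added example, not code from the Tria.ge report or from the sandbox: it runs two detection rules over constructed, Sysmon-style event records modelled on this report's process tree and registry IoC. The field names (EventType, Image, CommandLine, ParentImage, TargetObject, Details) follow Sysmon's naming; the records themselves, the benign control event, and the rule thresholds are assumptions made for the example.

```python
"""Detect Run-key persistence into Temp and cmd.exe self-deletion
(added example; event records below are constructed, not sandbox output)."""
import re
from typing import Iterable, Optional

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0e3809c74a58f955dddace7c724c94f0e1e572f319fc002333f26ad29a3cfb27.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events modelled on the report's process tree (PIDs 1680/524/976/2000)
# and its Run-key IoC, plus one benign Run-key write as a control.
EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 1680, "Image": SAMPLE,
     "CommandLine": f'"{SAMPLE}"', "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventType": "RegistryValueSet", "ProcessId": 1680, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED},
    {"EventType": "ProcessCreate", "ProcessId": 524, "Image": DROPPED,
     "CommandLine": DROPPED, "ParentImage": SAMPLE},
    {"EventType": "ProcessCreate", "ProcessId": 976, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"',
     "ParentImage": SAMPLE},
    {"EventType": "ProcessCreate", "ProcessId": 2000, "Image": r"C:\Windows\SysWOW64\PING.EXE",
     "CommandLine": "ping 127.0.0.1", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    # Benign control (assumed): a vendor installer registering an agent from Program Files.
    {"EventType": "RegistryValueSet", "ProcessId": 4321,
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

# Any Run / RunOnce key, HKLM or HKCU, with or without the Wow6432Node leg.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Per-user Temp directory: writable by the user, so a poor home for an autostart binary.
USER_TEMP = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# "ping [-n N] 127.0.0.1" used as a sleep, then (&, &&, ;) del/erase [switches] <path>.
SELF_DELETE = re.compile(
    r"ping\s+(?:-n\s+\d+\s+)?127\.0\.0\.1\b.*?(?:&&?|;)\s*(?:del|erase)\s+"
    r"(?:/\w+\s+)*\"?([^\"]+?)\"?\s*$",
    re.IGNORECASE)


def detect_run_key_to_temp(ev: dict) -> Optional[str]:
    """Run-key value whose launch path sits in a per-user Temp directory."""
    if ev.get("EventType") != "RegistryValueSet":
        return None
    if not RUN_KEY.search(ev.get("TargetObject", "")):
        return None
    target = ev.get("Details", "").strip('"')
    if USER_TEMP.match(target):
        return f"persistence: {ev['TargetObject']} -> {target} (set by PID {ev['ProcessId']})"
    return None


def detect_self_delete(ev: dict) -> Optional[str]:
    """cmd.exe spawned with a ping-delay-then-delete; strongest when the
    deleted path is the parent's own image (the dropper erasing itself)."""
    if ev.get("EventType") != "ProcessCreate":
        return None
    if not ev.get("Image", "").lower().endswith("\\cmd.exe"):
        return None
    m = SELF_DELETE.search(ev.get("CommandLine", ""))
    if not m:
        return None
    target = m.group(1).strip()
    parent = ev.get("ParentImage", "")
    if target.lower() == parent.lower():
        return f"self-delete: PID {ev['ProcessId']} cmd.exe deletes its parent {parent}"
    return f"delayed delete: PID {ev['ProcessId']} cmd.exe deletes {target}"


def scan(events: Iterable[dict]) -> list:
    """Run every rule over every event; return the alert strings in event order."""
    hits = []
    for ev in events:
        for rule in (detect_run_key_to_temp, detect_self_delete):
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(alert)
```

On the constructed events the scan raises exactly two alerts, one for the Wow6432Node Run value pointing at MicroMedia\MediaCenter.exe and one for PID 976 deleting its parent; the Program Files control event stays silent. Matching the deleted path against ParentImage is what separates a dropper cleaning up after itself from the many installers that also use "ping & del" to remove a temporary file.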
Network
MITRE ATT&CK Enterprise v6
Downloads
(one dropped file; the report lists it twice with identical hashes)
MD5: 526ac739ed2222f049d22cd3b9dad664
SHA1: 4a9775445bf2d29202f3ed39721facf341818456
SHA256: 9e855410c30612020058da36614df41c563bb3223b2c9c1d6c6b2b00dfda625d
SHA512: ecc1b65a6017b746d02590fdbb1cf57502f5e334fb5812135ce51981e4d01ea80c51bcd2f46122409eeab97aef729f962e71014448d71be3bdd115d1b728db22