Analysis
- max time kernel: 145s
- max time network: 168s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:19
Static task: static1
Behavioral task: behavioral1
- Sample: 0de4955308fa5a3bb198bc882fad7f0a5eb8f56fc30f63fa2b9e716127e9cdfe.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0de4955308fa5a3bb198bc882fad7f0a5eb8f56fc30f63fa2b9e716127e9cdfe.exe
- Resource: win10v2004-en-20220112
General
- Target: 0de4955308fa5a3bb198bc882fad7f0a5eb8f56fc30f63fa2b9e716127e9cdfe.exe
- Size: 150KB
- MD5: 5b73bdd86657baa55489d3f6021b7004
- SHA1: c0bab416e1cccc68d85cfee21af9bdd918ede0b6
- SHA256: 0de4955308fa5a3bb198bc882fad7f0a5eb8f56fc30f63fa2b9e716127e9cdfe
- SHA512: 4712e2efde963ff22e8d6fbf1171af39e303d0e3021e240240afa64d9aecded975864342abfea22bb5489b69252471b67e4ca1f8aa76861401920af08614ba34
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes (resource, yara_rule):
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes (pid, process):
- 840  MediaCenter.exe
-
Deletes itself 1 IoCs
Processes (pid, process):
- 1072  cmd.exe
-
Loads dropped DLL 1 IoCs
Processes (pid, process):
- 1660  0de4955308fa5a3bb198bc882fad7f0a5eb8f56fc30f63fa2b9e716127e9cdfe.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0de4955308fa5a3bb198bc882fad7f0a5eb8f56fc30f63fa2b9e716127e9cdfe.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description, pid, process):
- Token: SeIncBasePriorityPrivilege  1660  0de4955308fa5a3bb198bc882fad7f0a5eb8f56fc30f63fa2b9e716127e9cdfe.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description, pid, process, target process):
- PID 1660 wrote to memory of 840  1660  0de4955308fa5a3bb198bc882fad7f0a5eb8f56fc30f63fa2b9e716127e9cdfe.exe  MediaCenter.exe
- PID 1660 wrote to memory of 840  1660  0de4955308fa5a3bb198bc882fad7f0a5eb8f56fc30f63fa2b9e716127e9cdfe.exe  MediaCenter.exe
- PID 1660 wrote to memory of 840  1660  0de4955308fa5a3bb198bc882fad7f0a5eb8f56fc30f63fa2b9e716127e9cdfe.exe  MediaCenter.exe
- PID 1660 wrote to memory of 840  1660  0de4955308fa5a3bb198bc882fad7f0a5eb8f56fc30f63fa2b9e716127e9cdfe.exe  MediaCenter.exe
- PID 1660 wrote to memory of 1072  1660  0de4955308fa5a3bb198bc882fad7f0a5eb8f56fc30f63fa2b9e716127e9cdfe.exe  cmd.exe
- PID 1660 wrote to memory of 1072  1660  0de4955308fa5a3bb198bc882fad7f0a5eb8f56fc30f63fa2b9e716127e9cdfe.exe  cmd.exe
- PID 1660 wrote to memory of 1072  1660  0de4955308fa5a3bb198bc882fad7f0a5eb8f56fc30f63fa2b9e716127e9cdfe.exe  cmd.exe
- PID 1660 wrote to memory of 1072  1660  0de4955308fa5a3bb198bc882fad7f0a5eb8f56fc30f63fa2b9e716127e9cdfe.exe  cmd.exe
- PID 1072 wrote to memory of 556  1072  cmd.exe  PING.EXE
- PID 1072 wrote to memory of 556  1072  cmd.exe  PING.EXE
- PID 1072 wrote to memory of 556  1072  cmd.exe  PING.EXE
- PID 1072 wrote to memory of 556  1072  cmd.exe  PING.EXE
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\0de4955308fa5a3bb198bc882fad7f0a5eb8f56fc30f63fa2b9e716127e9cdfe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0de4955308fa5a3bb198bc882fad7f0a5eb8f56fc30f63fa2b9e716127e9cdfe.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1660

  [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 840

  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0de4955308fa5a3bb198bc882fad7f0a5eb8f56fc30f63fa2b9e716127e9cdfe.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1072

    [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 556
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 2f7ba7e1f340f2e0eb32da2205d53214
- SHA1: eb276518fd84e4062b07c2f76b840d3b877c7c70
- SHA256: cf9f15b3b0a9bb05daf4205caf7b966556aae3ec0bea49a66e7aab7ed0807706
- SHA512: 1730d89d356d87efcc5ec199b386c940395a68c8de5c6b4b5172022f9ccb6314cf5a080ceb631620d6747128cdc4c1d4b4c7df76b9ce1c6e1793069915eb8f7b