Analysis
- max time kernel: 144s
- max time network: 161s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:21
Static task: static1
Behavioral task behavioral1: sample 0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe on resource win7-en-20211208
Behavioral task behavioral2: sample 0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe on resource win10v2004-en-20220113
General
- Target: 0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe
- Size: 220KB
- MD5: 168530370de699589b5615f74712cc0e
- SHA1: 312864c10c5e983fc3c29a9cf8c62fa9830a2527
- SHA256: 0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987
- SHA512: e6a125f5768f0dd6169313e04164d63f6e9ade43d36df137be09adaae824cdbdf2cab569bf15992995b5f0c87bb7258d8dbbd2800d835a554fbdf82ca6ba339d
Malware Config
Signatures
-
- Sakula Payload (4 IoCs)
  YARA rule family_sakula matched on:
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - behavioral1/memory/1632-59-0x0000000000400000-0x0000000000420000-memory.dmp (image range of PID 1632, the dropper)
  - behavioral1/memory/780-60-0x0000000000400000-0x0000000000420000-memory.dmp (image range of PID 780, the dropped MediaCenter.exe)
  Both the dropper's own image and the dropped file match the family rule, so the Sakula payload is present in the parent as well as in the file it writes to disk.
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC): MediaCenter.exe, PID 780
- Deletes itself (1 IoC): cmd.exe, PID 1668
- Loads dropped DLL (1 IoC): 0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe, PID 1632
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by 0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe:
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The value lands in the machine hive under Wow6432Node, i.e. a 32-bit process writing HKLM\...\CurrentVersion\Run through WOW64 registry redirection; a machine-wide autostart pointing into a user's Temp directory is itself a strong hunting indicator.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches the note "likely ransomware behaviour" to this heuristic generically; here the specific classification is the Suricata Sakula/Mivast RAT beacon and the family_sakula YARA hits, not ransomware.
- Runs ping.exe (1 TTP, 1 IoC): PING.EXE, PID 1152
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, PID 1632 (0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe)
- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 1632 (0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe) wrote to memory of PID 780 (MediaCenter.exe): 4 events
  - PID 1632 (0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe) wrote to memory of PID 1668 (cmd.exe): 4 events
  - PID 1668 (cmd.exe) wrote to memory of PID 1152 (PING.EXE): 4 events
  Every write goes from a parent to a child it has just created (compare the process tree below), so on its own this is consistent with ordinary process start-up under WOW64 rather than injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe (PID 1632)
   command line: "C:\Users\Admin\AppData\Local\Temp\0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 780)
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID 1668)
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 1152)
         command line: ping 127.0.0.1
         - Runs ping.exe
The ping to 127.0.0.1 is only a delay: it gives the parent time to exit so that del can remove the dropper's file, which is why the dropper itself (PID 1632) never shows up as the deleting process.
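The process tree above shows the two host artifacts most worth hunting for across a fleet: the cmd.exe "ping 127.0.0.1 & del" self-deletion chain and a machine-wide Run key whose target sits in a user's Temp directory. The following is an added example of detection logic for both, not code from the sandbox or from any vendor. It assumes Sysmon-style process-creation (Event ID 1) and registry-value-set (Event ID 13) records with the field names shown; the events are constructed here to mirror this report and are not exported from it.

```python
"""Hunting logic for two host artifacts recorded in the report above: the
self-deletion chain (cmd.exe /c ping 127.0.0.1 & del /q <dropper path>) and the
Run-key value that points into %LOCALAPPDATA%\\Temp. Event shapes follow Sysmon
Event ID 1 (process create) and 13 (registry value set); the events themselves
are constructed to mirror the report, not exported from the sandbox."""
import re

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe")
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# cmd.exe used as a delay-then-delete wrapper: ping to loopback (any -n count),
# then del joined by & or &&. The ping exists only to let the parent exit first.
SELF_DELETE_RE = re.compile(
    r"cmd(?:\.exe)?[\"']?\s+/c\s+ping(?:\.exe)?\s+(?:-n\s+\d+\s+)?127\.0\.0\.1\b"
    r"[^&]*&{1,2}\s*del\b",
    re.IGNORECASE,
)
# Captures the path handed to del, quoted or not, after any /switches.
DEL_TARGET_RE = re.compile(r"\bdel\b(?:\s+/\w+)*\s+\"?([^\"]+?)\"?\s*$", re.IGNORECASE)
# Run / RunOnce under any hive, including the Wow6432Node redirected view.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def norm(path):
    """Case-fold and strip quotes so paths from different fields compare equal."""
    return path.strip().strip('"').lower()


def self_delete_target(event):
    """Return the path del removes if this is a ping-then-del chain aimed at the
    parent's own image (true self-deletion), else None."""
    if event.get("EventID") != 1:
        return None
    cmd = event.get("CommandLine", "")
    if not SELF_DELETE_RE.search(cmd):
        return None
    m = DEL_TARGET_RE.search(cmd)
    if m and norm(m.group(1)) == norm(event.get("ParentImage", "")):
        return m.group(1)
    return None


def temp_run_key(event):
    """Return (value name, target) for a Run-key value whose target lives under
    the user's Temp directory, else None."""
    if event.get("EventID") != 13:
        return None
    key, data = event.get("TargetObject", ""), event.get("Details", "")
    if RUN_KEY_RE.search(key) and USER_TEMP_RE.search(data):
        return key.rsplit("\\", 1)[-1], data.strip('"')
    return None


def hunt(events):
    """Run both checks over a list of events and return one finding per hit."""
    findings = []
    for e in events:
        target = self_delete_target(e)
        if target:
            findings.append(f"self-delete: pid {e['ProcessId']} removes parent {target}")
        run = temp_run_key(e)
        if run:
            findings.append(f"temp-run-key: {run[0]} -> {run[1]}")
    return findings


# Constructed events mirroring the report's process tree and registry write,
# plus two benign cmd.exe lines that must not fire.
EVENTS = [
    {"EventID": 1, "ProcessId": 1668, "ParentProcessId": 1632,
     "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": DROPPER,
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER}"'},
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c ping 127.0.0.1 & echo done"},                  # no del
    {"EventID": 1, "ProcessId": 4200, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c ping 127.0.0.1 & del /q C:\Temp\scratch.log"},  # del, not self
    {"EventID": 13, "ProcessId": 1632, "Image": DROPPER,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": PAYLOAD},
]

if __name__ == "__main__":
    for line in hunt(EVENTS):
        print(line)
```

The self-deletion check deliberately requires the del target to equal the parent's image path; matching on "ping & del" alone would also catch installers and cleanup scripts, while the parent-path comparison narrows it to a process erasing its own binary. The Run-key check is hive-agnostic on purpose, since the same dropper would land in HKCU when run without administrative rights.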
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 861727aef7c214b10c7806eddaa955fb
  SHA1: 5396befb221ff384c4edfbb1a51ff3657441f4d8
  SHA256: 0d1929a6dcb17a301cc7bedc207dc0a4c3a55da106ab17b2120749da190794fe
  SHA512: 55f0293df26ec9e261f6cc733559cf9e98c753f9f976d00a6227764658141ac382629834e52174ca67e5234e3e240be3d07fe5cb01da0b9bbcbcf85629a7139b