Analysis
max time kernel: 145s
max time network: 166s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 07:21
Static task: static1
Behavioral task: behavioral1
  Sample: 0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe
  Resource: win10v2004-en-20220113
General
Target: 0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe
Size: 176KB
MD5: 4c1c0a406d0a9883b049938bd23ee50e
SHA1: ed8895a0f2c77c7ae31a929e050ade56c2a38ea6
SHA256: 0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3
SHA512: c310df8088baa304cd257fb7f2017089bfbe9b40fff448679fe1a1b66a563a081c5fc57fd90570d9d4f9eb69520b9a2d252879d786db91ae7df3940967abfc0d
Malware Config
Signatures
Sakula Payload (4 IoCs)
Processes:
  resource                                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
  behavioral1/memory/1648-59-0x0000000000400000-0x0000000000420000-memory.dmp   family_sakula
  behavioral1/memory/1380-60-0x0000000000400000-0x0000000000420000-memory.dmp   family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  1380  MediaCenter.exe
Deletes itself (1 IoC)
Processes:
  pid   process
  1556  cmd.exe
Loads dropped DLL (1 IoC)
Processes:
  pid   process
  1648  0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  1648  0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                       pid   process                                                                 target process
  PID 1648 wrote to memory of 1380  1648  0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe  MediaCenter.exe
  PID 1648 wrote to memory of 1380  1648  0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe  MediaCenter.exe
  PID 1648 wrote to memory of 1380  1648  0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe  MediaCenter.exe
  PID 1648 wrote to memory of 1380  1648  0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe  MediaCenter.exe
  PID 1648 wrote to memory of 1556  1648  0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe  cmd.exe
  PID 1648 wrote to memory of 1556  1648  0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe  cmd.exe
  PID 1648 wrote to memory of 1556  1648  0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe  cmd.exe
  PID 1648 wrote to memory of 1556  1648  0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe  cmd.exe
  PID 1556 wrote to memory of 1056  1556  cmd.exe                                                                 PING.EXE
  PID 1556 wrote to memory of 1056  1556  cmd.exe                                                                 PING.EXE
  PID 1556 wrote to memory of 1056  1556  cmd.exe                                                                 PING.EXE
  PID 1556 wrote to memory of 1056  1556  cmd.exe                                                                 PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1648
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1380
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0dd60c5de9511d318bd72d18e79c97c0d14545287326e908bfd9f1915b524fb3.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1556
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1056
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 97ce25d7e66c285ad0bbdbd886672890
SHA1: dc544feaf3f474fdc354cd2b588c533fe3b5ea0f
SHA256: c2f01db643c998382867524da27abb7ac63a7b2070a32f1e48afc461783bd0eb
SHA512: 4a9c0b23a74bd5a98bc85537cd92e653f413bf31a65a743f24102ebc4e84818f82aebd93372a252d21a1c56e7164f00654b15e034982d89f55bd3500d43b0657