Analysis
- max time kernel: 138s
- max time network: 160s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:27
Static task: static1
Behavioral task: behavioral1
  Sample: 0d8d238d64d116a32f4f49cc1b9274dd6445d39235bbb6f2790a6b54ca4b30b7.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d8d238d64d116a32f4f49cc1b9274dd6445d39235bbb6f2790a6b54ca4b30b7.exe
  Resource: win10v2004-en-20220113
General
- Target: 0d8d238d64d116a32f4f49cc1b9274dd6445d39235bbb6f2790a6b54ca4b30b7.exe
- Size: 216KB
- MD5: 86646705120d79fb205aacccba759b3e
- SHA1: 2c617df93b7a3417c4a05d1cca1d585599a0064f
- SHA256: 0d8d238d64d116a32f4f49cc1b9274dd6445d39235bbb6f2790a6b54ca4b30b7
- SHA512: e8ee9ba1733443aae7892603e31572581ad8bb531c4b75cd29ac1b10679f1ad49dbd73433aeae6f6f3b92688fd646f5bb296961ec316570738f94f3ff446e9bd
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes (resource | yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    behavioral1/memory/1088-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
    behavioral1/memory/1760-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    1760 | MediaCenter.exe
-
- Deletes itself (1 IoC)
  Processes (pid | process):
    1324 | cmd.exe
-
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
    1088 | 0d8d238d64d116a32f4f49cc1b9274dd6445d39235bbb6f2790a6b54ca4b30b7.exe
-
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0d8d238d64d116a32f4f49cc1b9274dd6445d39235bbb6f2790a6b54ca4b30b7.exe
-
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
- Runs ping.exe (1 TTP, 1 IoC)
-
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 1088 | 0d8d238d64d116a32f4f49cc1b9274dd6445d39235bbb6f2790a6b54ca4b30b7.exe
-
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 1088 wrote to memory of 1760 | 1088 | 0d8d238d64d116a32f4f49cc1b9274dd6445d39235bbb6f2790a6b54ca4b30b7.exe | MediaCenter.exe
    PID 1088 wrote to memory of 1760 | 1088 | 0d8d238d64d116a32f4f49cc1b9274dd6445d39235bbb6f2790a6b54ca4b30b7.exe | MediaCenter.exe
    PID 1088 wrote to memory of 1760 | 1088 | 0d8d238d64d116a32f4f49cc1b9274dd6445d39235bbb6f2790a6b54ca4b30b7.exe | MediaCenter.exe
    PID 1088 wrote to memory of 1760 | 1088 | 0d8d238d64d116a32f4f49cc1b9274dd6445d39235bbb6f2790a6b54ca4b30b7.exe | MediaCenter.exe
    PID 1088 wrote to memory of 1324 | 1088 | 0d8d238d64d116a32f4f49cc1b9274dd6445d39235bbb6f2790a6b54ca4b30b7.exe | cmd.exe
    PID 1088 wrote to memory of 1324 | 1088 | 0d8d238d64d116a32f4f49cc1b9274dd6445d39235bbb6f2790a6b54ca4b30b7.exe | cmd.exe
    PID 1088 wrote to memory of 1324 | 1088 | 0d8d238d64d116a32f4f49cc1b9274dd6445d39235bbb6f2790a6b54ca4b30b7.exe | cmd.exe
    PID 1088 wrote to memory of 1324 | 1088 | 0d8d238d64d116a32f4f49cc1b9274dd6445d39235bbb6f2790a6b54ca4b30b7.exe | cmd.exe
    PID 1324 wrote to memory of 1980 | 1324 | cmd.exe | PING.EXE
    PID 1324 wrote to memory of 1980 | 1324 | cmd.exe | PING.EXE
    PID 1324 wrote to memory of 1980 | 1324 | cmd.exe | PING.EXE
    PID 1324 wrote to memory of 1980 | 1324 | cmd.exe | PING.EXE
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\0d8d238d64d116a32f4f49cc1b9274dd6445d39235bbb6f2790a6b54ca4b30b7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d8d238d64d116a32f4f49cc1b9274dd6445d39235bbb6f2790a6b54ca4b30b7.exe"
  PID: 1088
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1760
    - Executes dropped EXE
  - (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d8d238d64d116a32f4f49cc1b9274dd6445d39235bbb6f2790a6b54ca4b30b7.exe"
    PID: 1324
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1980
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b669dda1f2fbf1ce316385aabac9f87e
  SHA1: e98f1d890c8b329d2e3b9a1d5c74e80382e19e51
  SHA256: b6444913e760171b668afadf18754485b4ce538d0bf567bebaa652b64b6116e1
  SHA512: 90e040243e2566030ad559796ea6e99056657d9446fc1aac32d2a28ba1bade806753a1d2524438c0f9cbe756d9465adc2849e384526d124abcd11992639edf01