Analysis
- max time kernel: 149s
- max time network: 165s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:37
Static task: static1
Behavioral task: behavioral1
  Sample: 0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe
  Resource: win10v2004-en-20220113
General
- Target: 0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe
- Size: 176KB
- MD5: 8f34f58bd28f86f971f2ca9503a63483
- SHA1: 1318bd9adb8129f3a9ab3ac3e1dce96c4098e7f5
- SHA256: 0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903
- SHA512: b54f198e81d4c781cdd1c639128cfcd8fbf913050733f092d706584d64323583430da7fe2e2ac4323674222ae363eee60feee1dbc709fa0ed0ab5d124ef98c17
Malware Config
Signatures
- Sakula Payload 4 IoCs
  Processes (resource -> yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
    behavioral1/memory/1628-59-0x0000000000400000-0x0000000000420000-memory.dmp -> family_sakula
    behavioral1/memory/1372-60-0x0000000000400000-0x0000000000420000-memory.dmp -> family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE 1 IoCs
  Processes (pid / process):
    1372 MediaCenter.exe
- Deletes itself 1 IoCs
  Processes (pid / process):
    1684 cmd.exe
- Loads dropped DLL 1 IoCs
  Processes (pid / process):
    1628 0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 1628 | 0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes (description | pid | process | target process):
    PID 1628 wrote to memory of 1372 | 1628 | 0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe | MediaCenter.exe
    PID 1628 wrote to memory of 1372 | 1628 | 0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe | MediaCenter.exe
    PID 1628 wrote to memory of 1372 | 1628 | 0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe | MediaCenter.exe
    PID 1628 wrote to memory of 1372 | 1628 | 0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe | MediaCenter.exe
    PID 1628 wrote to memory of 1684 | 1628 | 0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe | cmd.exe
    PID 1628 wrote to memory of 1684 | 1628 | 0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe | cmd.exe
    PID 1628 wrote to memory of 1684 | 1628 | 0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe | cmd.exe
    PID 1628 wrote to memory of 1684 | 1628 | 0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe | cmd.exe
    PID 1684 wrote to memory of 808 | 1684 | cmd.exe | PING.EXE
    PID 1684 wrote to memory of 808 | 1684 | cmd.exe | PING.EXE
    PID 1684 wrote to memory of 808 | 1684 | cmd.exe | PING.EXE
    PID 1684 wrote to memory of 808 | 1684 | cmd.exe | PING.EXE
Processes (indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1628
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1372
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1684
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 808
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 801504517bc7165e485a0f1baee45302
  SHA1: 96c6abb5a4723f7c5fa8fd25580be3d158da44d6
  SHA256: fcd8a11503c5e3de1e7e7c40dabc8aa7018e10c89398cb6bbb75c310dfcff92d
  SHA512: 24fd7c3275f1431347e687690fd441e34784b0b6aef02dd4f4ae2b47d8d88c44679845c03f84fa8720eb3d8194a40f379ff2674320ee6b080f63b8494e894a4e