Analysis

max time kernel: 149s
max time network: 165s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12/02/2022, 06:37
Static task: static1

Behavioral task: behavioral1
Sample: 0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe
Resource: win10v2004-en-20220113
General

Target: 0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe
Size: 176KB
MD5: 8f34f58bd28f86f971f2ca9503a63483
SHA1: 1318bd9adb8129f3a9ab3ac3e1dce96c4098e7f5
SHA256: 0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903
SHA512: b54f198e81d4c781cdd1c639128cfcd8fbf913050733f092d706584d64323583430da7fe2e2ac4323674222ae363eee60feee1dbc709fa0ed0ab5d124ef98c17
Malware Config
Signatures
Sakula Payload 4 IoCs
resource | yara_rule
behavioral1/files/0x00080000000121f5-56.dat | family_sakula
behavioral1/files/0x00080000000121f5-57.dat | family_sakula
behavioral1/memory/1628-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral1/memory/1372-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE 1 IoCs
pid | Process
1372 | MediaCenter.exe

Deletes itself 1 IoCs
pid | Process
1684 | cmd.exe

Loads dropped DLL 1 IoCs
pid | Process
1628 | 0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour", but that label is a heuristic attached to the signature, not a finding about this sample: every other indicator in this report (the family_sakula YARA hits on the dropped files and on process memory, the Sakula/Mivast RAT CnC beacon) points to a remote access trojan, not ransomware.
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
808 | PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1628 | 0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe

Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 1628 wrote to memory of 1372 (logged 4 times) | 1628 | 0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe | 27
PID 1628 wrote to memory of 1684 (logged 4 times) | 1628 | 0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe | 30
PID 1684 wrote to memory of 808 (logged 4 times) | 1684 | cmd.exe | 32
Processes

C:\Users\Admin\AppData\Local\Temp\0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe"
    PID: 1628
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        PID: 1372
        - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe"
        PID: 1684
        - Deletes itself
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            PID: 808
            - Runs ping.exe
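The process tree and registry signature above show the two behaviours a detection engineer would most want to catch on a live host: a Run key (under Wow6432Node, so written by a 32-bit process) pointing at a freshly dropped executable in %TEMP%, and the dropper removing its own file through a child `cmd.exe /c ping 127.0.0.1 & del /q <self>` (the ping is a delay so the dropper's own handle is closed before `del` runs). The following is an added example, not part of the sandbox report or of the Sakula sample: it runs that detection logic over event records constructed from this report's process tree and registry signature. The event dictionary schema (type/pid/ppid/image/cmdline/key/value) and the root process's parent PID 1000 are assumptions for the example, not a real EDR export format. It generalises slightly beyond the page by also accepting `timeout` as the delay and `erase` as the delete verb, and `RunOnce` as the persistence key.

```python
"""Hunt for delay-then-delete self-removal and Run-key persistence into a
user-writable directory, as seen in the Sakula sandbox report above.

Event records are constructed from the report; the dict schema is an
assumption for this example, not any real sandbox or EDR export format."""
import re
from typing import Dict, List, Optional, Tuple

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\0f7a4fad417a7f3e6c4f0f1cf0e59305310a627db5a45c281004249a78fba903.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed from the report's process tree (1628 -> 1372, 1684 -> 808) and
# its "Adds Run key" signature. ppid 1000 for the root process is invented.
EVENTS: List[Dict] = [
    {"type": "process", "pid": 1628, "ppid": 1000, "image": DROPPER,
     "cmdline": f'"{DROPPER}"'},
    {"type": "process", "pid": 1372, "ppid": 1628, "image": DROPPED,
     "cmdline": DROPPED},
    {"type": "registry", "pid": 1628,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    {"type": "process", "pid": 1684, "ppid": 1628,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER}"'},
    {"type": "process", "pid": 808, "ppid": 1684,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
]

CMD_C_RE = re.compile(r'cmd(?:\.exe)?"?\s+/c\s+(.*)$', re.IGNORECASE)
CHAIN_RE = re.compile(r"\s*(?:&&|\|\||&)\s*")      # cmd.exe command separators
TOKEN_RE = re.compile(r'"[^"]*"|\S+')              # keep quoted paths whole
DELAY_CMDS = {"ping", "timeout"}                   # timeout: variant not on the page
DELETE_CMDS = {"del", "erase"}
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\", re.IGNORECASE)


def cmd_chain(cmdline: str) -> List[List[str]]:
    """Split `cmd.exe /c a & b` into tokenised commands; [] if not a cmd /c line."""
    m = CMD_C_RE.search(cmdline)
    if not m:
        return []
    return [TOKEN_RE.findall(part) for part in CHAIN_RE.split(m.group(1)) if part.strip()]


def self_delete_target(cmdline: str) -> Optional[str]:
    """Return the path deleted by a delay-then-delete chain, else None.

    The delay is what makes the pattern distinctive: a plain `del` with no
    preceding ping/timeout is ordinary cleanup and is not reported."""
    saw_delay = False
    for toks in cmd_chain(cmdline):
        if not toks:
            continue
        verb = toks[0].lower()
        if verb in DELAY_CMDS:
            saw_delay = True
        elif verb in DELETE_CMDS and saw_delay:
            args = [t for t in toks[1:] if not t.startswith("/")]  # drop /q, /f ...
            if args:
                return args[-1].strip('"')
    return None


def is_run_key_into_user_dir(key: str, value: str) -> bool:
    """Run/RunOnce entry whose target lives in a user-writable directory."""
    return bool(RUN_KEY_RE.search(key)) and bool(USER_WRITABLE_RE.search(value))


def triage(events: List[Dict]) -> List[Tuple[str, int, str]]:
    """Walk the events and emit (finding, pid, detail) tuples.

    A delay-then-delete whose target is the *parent's* image is upgraded to a
    self-deletion finding, which is exactly the 1628 -> 1684 relationship here."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings: List[Tuple[str, int, str]] = []
    for e in events:
        if e["type"] == "process":
            target = self_delete_target(e["cmdline"])
            if target is None:
                continue
            parent = procs.get(e["ppid"])
            if parent and parent["image"].lower() == target.lower():
                findings.append(("self_delete_via_child_cmd", e["pid"], target))
            else:
                findings.append(("delay_then_delete", e["pid"], target))
        elif e["type"] == "registry" and is_run_key_into_user_dir(e["key"], e["value"]):
            findings.append(("run_key_into_user_dir", e["pid"], e["value"]))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

Matching the delete target against the parent's image path, rather than just alerting on `ping & del`, is what separates a dropper cleaning itself up from a legitimate installer deleting a temporary file; the Run-key check similarly keys on the target living in a user-writable directory rather than on the key name alone, since plenty of legitimate software registers Run values under Program Files.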