Analysis
Max time kernel: 139s
Max time network: 158s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 06:38
Static task: static1
Behavioral task: behavioral1
  Sample: 0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe
  Resource: win10v2004-en-20220113
General
Target: 0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe
Size: 216KB
MD5: 772e03d79983fd54ec91a07d06cf1d20
SHA1: 98c670cb2cf4c8d12b803328c637f2a4da0920d7
SHA256: 0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b
SHA512: dbead2f26ca0b057c7a43569603d76f1d1724b48182b512beaff293eb5d8db1393510e384c9d515ffcbbd455e2acfbe3c019bd2a651e26c94756b23e4b56a755
Malware Config
Signatures
Sakula Payload (4 IoCs)
  Yara rule family_sakula matched:
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    behavioral1/memory/1624-59-0x0000000000400000-0x0000000000420000-memory.dmp
    behavioral1/memory/1548-60-0x0000000000400000-0x0000000000420000-memory.dmp
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
  PID 1548: MediaCenter.exe
Deletes itself (1 IoC)
  PID 432: cmd.exe
Loads dropped DLL (1 IoC)
  PID 1624: 0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this heuristic reads "Likely ransomware behaviour", but nothing else in this report supports that reading: the Suricata and yara hits identify the sample as the Sakula/Mivast RAT, and drive enumeration by a RAT is ordinary host reconnaissance rather than evidence of file encryption.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, PID 1624 (0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe)
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1624 (0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe) wrote to memory of PID 1548 (MediaCenter.exe): 4 events
  PID 1624 (0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe) wrote to memory of PID 432 (cmd.exe): 4 events
  PID 432 (cmd.exe) wrote to memory of PID 1764 (PING.EXE): 4 events
Processes
  C:\Users\Admin\AppData\Local\Temp\0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe  (PID 1624)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1548)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe  (PID 432)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\PING.EXE  (PID 1764)
        Command line: ping 127.0.0.1
        - Runs ping.exe
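Two behaviours in the process tree above lend themselves to host-side detection: the Run-key write under Wow6432Node that points at MediaCenter.exe in the user's Temp directory, and the cmd.exe command line that pings loopback and then deletes the original dropper. The ping to 127.0.0.1 is a crude sleep (four echo requests, roughly three seconds) that gives the parent time to exit, so that del succeeds on a file no longer mapped as a running image. The Python below is an added example, not part of the sandbox report or of the Sakula sample: it runs two detection rules over constructed process-creation and registry-set events modelled on this report's IoCs. The benign control events, the parent PID 1000, and the ATT&CK technique IDs T1070.004 and T1547.001 are my annotations and assumptions.

```python
import re

# --- Constructed sample telemetry (not from the report's raw data) -----------
# Process-creation and registry-set events modelled on the process tree and
# the Run-key IoC printed in this report. PIDs and paths follow the report;
# the benign control events are invented to show the rules do not over-fire.
SAMPLE_NAME = "0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + "\\" + SAMPLE_NAME
DROPPED = TEMP + r"\MicroMedia\MediaCenter.exe"
RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"

PROCESS_EVENTS = [
    {"pid": 1624, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1548, "ppid": 1624, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 432, "ppid": 1624, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 1764, "ppid": 432, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    # Benign control (constructed): an operator pinging loopback, no del, must not fire.
    {"pid": 2000, "ppid": 1900, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ping 127.0.0.1"},
]

REGISTRY_EVENTS = [
    {"pid": 1624, "key": RUN_KEY + r"\MicroMedia", "value": f'"{DROPPED}"'},
    # Benign control (constructed): a vendor autorun under Program Files, must not fire.
    {"pid": 3000, "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Program Files\Vendor\Updater.exe"},
]

# --- Rule 1: ping-delay self-deletion (ATT&CK T1070.004, my annotation) -------
# "ping 127.0.0.1" sends four echoes, about three seconds, so the parent can
# exit before "del" runs; a mapped running image cannot be deleted.
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)\b.*?&+\s*del\s+(?:/\S+\s+)*"?([^"]+?)"?\s*$',
    re.IGNORECASE,
)


def detect_self_delete(events):
    """Return cmd.exe events whose command line sleeps via ping and then deletes a
    file, noting whether that file is the parent's own image (true self-deletion)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m:
            continue
        target = m.group(1).strip()
        parent = by_pid.get(e["ppid"])
        hits.append({
            "pid": e["pid"],
            "parent_pid": e["ppid"],
            "target": target,
            "deletes_parent": parent is not None and parent["image"].lower() == target.lower(),
            "attack": "T1070.004",
        })
    return hits


# --- Rule 2: Run/RunOnce value pointing into a temp directory (T1547.001) ----
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\[^\\]+$", re.IGNORECASE)
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def detect_temp_run_keys(events):
    """Return Run-key writes (HKLM or HKCU, native or Wow6432Node view) whose
    target executable lives in a user or system temp directory."""
    hits = []
    for e in events:
        if not RUN_KEY_RE.search(e["key"]):
            continue
        target = e["value"].strip().strip('"')
        if any(d in target.lower() for d in TEMP_DIRS):
            hits.append({
                "pid": e["pid"],
                "name": e["key"].rsplit("\\", 1)[-1],
                "target": target,
                "attack": "T1547.001",
            })
    return hits


if __name__ == "__main__":
    for hit in detect_self_delete(PROCESS_EVENTS) + detect_temp_run_keys(REGISTRY_EVENTS):
        print(hit)
```

Against real telemetry (Sysmon process-creation and registry-value-set events, for instance) the rule functions need the same four fields. The self-deletion rule keeps the parent PID because that is what separates a dropper erasing itself from a script cleaning up a temp file, and the Run-key rule covers both the native and the Wow6432Node view of the key, since this 32-bit sample (note the SysWOW64 paths) writes under the latter on the x64 host.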
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 8d12ba1a74878c8f17379ff93d635056
SHA1: 44f4b2fd5efbf194997af268bf30a40e5da45da1
SHA256: 652fab1f6bbed4b2de094463df8b68e957e60dd976c810216fb4ffc47544ba62
SHA512: 17af178a44651f62f4c292b576e5083b65a5d289905aeb3dc91013bcab1cd61a252620373a83b53feab1411f0e118b74124aa9e84c060e340ca8829e26fa8d59