Analysis
- max time kernel: 139s
- max time network: 158s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12/02/2022, 06:38
Static task: static1

Behavioral task: behavioral1
- Sample: 0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe
- Resource: win10v2004-en-20220113
General
- Target: 0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe
- Size: 216KB
- MD5: 772e03d79983fd54ec91a07d06cf1d20
- SHA1: 98c670cb2cf4c8d12b803328c637f2a4da0920d7
- SHA256: 0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b
- SHA512: dbead2f26ca0b057c7a43569603d76f1d1724b48182b512beaff293eb5d8db1393510e384c9d515ffcbbd455e2acfbe3c019bd2a651e26c94756b23e4b56a755
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  resource | yara_rule
  behavioral1/files/0x0007000000012604-56.dat | family_sakula
  behavioral1/files/0x0007000000012604-57.dat | family_sakula
  behavioral1/memory/1624-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1548-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  pid | Process
  1548 | MediaCenter.exe
- Deletes itself (1 IoC)
  pid | Process
  432 | cmd.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  1624 | 0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  1764 | PING.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeIncBasePriorityPrivilege | 1624 | 0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 1624 wrote to memory of 1548 | 1624 | 0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe | 27
  PID 1624 wrote to memory of 1548 | 1624 | 0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe | 27
  PID 1624 wrote to memory of 1548 | 1624 | 0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe | 27
  PID 1624 wrote to memory of 1548 | 1624 | 0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe | 27
  PID 1624 wrote to memory of 432 | 1624 | 0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe | 30
  PID 1624 wrote to memory of 432 | 1624 | 0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe | 30
  PID 1624 wrote to memory of 432 | 1624 | 0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe | 30
  PID 1624 wrote to memory of 432 | 1624 | 0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe | 30
  PID 432 wrote to memory of 1764 | 432 | cmd.exe | 32
  PID 432 wrote to memory of 1764 | 432 | cmd.exe | 32
  PID 432 wrote to memory of 1764 | 432 | cmd.exe | 32
  PID 432 wrote to memory of 1764 | 432 | cmd.exe | 32
Processes
- C:\Users\Admin\AppData\Local\Temp\0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe"
  PID: 1624
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1548
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f65963f6c5025e68be3d0ee992f714b8b5431ffd5b2ace097175367050c812b.exe"
    PID: 432
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1764
      - Runs ping.exe