Analysis
-
max time kernel: 156s
max time network: 173s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:41
Static task: static1
Behavioral task: behavioral1
Sample: 0f3e52b4d07e90f23b356ed612c6a24d1435b7aef36c4bf804deb82acc65df13.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 0f3e52b4d07e90f23b356ed612c6a24d1435b7aef36c4bf804deb82acc65df13.exe
Resource: win10v2004-en-20220113
General
-
Target: 0f3e52b4d07e90f23b356ed612c6a24d1435b7aef36c4bf804deb82acc65df13.exe
Size: 89KB
MD5: eb6da7658c2d8835a3a5bfb49fa8f27e
SHA1: 803d5712b2fb456a1cad682fb61fa3cbb276f917
SHA256: 0f3e52b4d07e90f23b356ed612c6a24d1435b7aef36c4bf804deb82acc65df13
SHA512: fb6dc5f9a1c8de6ba361fb046e6a4e5bca3ec110846acaba4efb66570d63dfc42da2d349f60f89b54052d6a69450be168e204f696dba3b35b92796913ef6e8aa
Malware Config
Signatures
-
Sakula Payload 4 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral1/memory/1564-59-0x0000000000400000-0x000000000041B000-memory.dmp | family_sakula
behavioral1/memory/1588-60-0x0000000000400000-0x000000000041B000-memory.dmp | family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1588 | MediaCenter.exe
-
Deletes itself 1 IoCs
Processes:
pid | process
432 | cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
1564 | 0f3e52b4d07e90f23b356ed612c6a24d1435b7aef36c4bf804deb82acc65df13.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0f3e52b4d07e90f23b356ed612c6a24d1435b7aef36c4bf804deb82acc65df13.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 1564 | 0f3e52b4d07e90f23b356ed612c6a24d1435b7aef36c4bf804deb82acc65df13.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 1564 wrote to memory of 1588 | 1564 | 0f3e52b4d07e90f23b356ed612c6a24d1435b7aef36c4bf804deb82acc65df13.exe | MediaCenter.exe
PID 1564 wrote to memory of 1588 | 1564 | 0f3e52b4d07e90f23b356ed612c6a24d1435b7aef36c4bf804deb82acc65df13.exe | MediaCenter.exe
PID 1564 wrote to memory of 1588 | 1564 | 0f3e52b4d07e90f23b356ed612c6a24d1435b7aef36c4bf804deb82acc65df13.exe | MediaCenter.exe
PID 1564 wrote to memory of 1588 | 1564 | 0f3e52b4d07e90f23b356ed612c6a24d1435b7aef36c4bf804deb82acc65df13.exe | MediaCenter.exe
PID 1564 wrote to memory of 432 | 1564 | 0f3e52b4d07e90f23b356ed612c6a24d1435b7aef36c4bf804deb82acc65df13.exe | cmd.exe
PID 1564 wrote to memory of 432 | 1564 | 0f3e52b4d07e90f23b356ed612c6a24d1435b7aef36c4bf804deb82acc65df13.exe | cmd.exe
PID 1564 wrote to memory of 432 | 1564 | 0f3e52b4d07e90f23b356ed612c6a24d1435b7aef36c4bf804deb82acc65df13.exe | cmd.exe
PID 1564 wrote to memory of 432 | 1564 | 0f3e52b4d07e90f23b356ed612c6a24d1435b7aef36c4bf804deb82acc65df13.exe | cmd.exe
PID 432 wrote to memory of 1760 | 432 | cmd.exe | PING.EXE
PID 432 wrote to memory of 1760 | 432 | cmd.exe | PING.EXE
PID 432 wrote to memory of 1760 | 432 | cmd.exe | PING.EXE
PID 432 wrote to memory of 1760 | 432 | cmd.exe | PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f3e52b4d07e90f23b356ed612c6a24d1435b7aef36c4bf804deb82acc65df13.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f3e52b4d07e90f23b356ed612c6a24d1435b7aef36c4bf804deb82acc65df13.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1564
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1588
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f3e52b4d07e90f23b356ed612c6a24d1435b7aef36c4bf804deb82acc65df13.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 432
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1760
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: 8f188f16c4c6d18befe15ec3dcc88e19
SHA1: 3271c9ef6adee8de3ecf5cdfc7658223578b35f1
SHA256: 33658cb58813200c59231c054e605e3e3614b963b64544b6eb7b678c222384c6
SHA512: 13ed9def89571e8fa04c620b5cad69dff9861040bbb8b0e1dfdaa60743fcccaf06cfbd493766d18287bea3e6d85c0cd76c8bea5dbb5ee4dd24cff45c425f04e6