Analysis
- max time kernel: 138s
- max time network: 161s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:44
Static task: static1
Behavioral task: behavioral1
  Sample: 0f1adcc8a84c28177f4a27bcc58448d5288a98bfef2202c9b57592e802d17d95.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0f1adcc8a84c28177f4a27bcc58448d5288a98bfef2202c9b57592e802d17d95.exe
  Resource: win10v2004-en-20220112
General
- Target: 0f1adcc8a84c28177f4a27bcc58448d5288a98bfef2202c9b57592e802d17d95.exe
- Size: 150KB
- MD5: 4b4c77aa80c63933f0efa7da06af1227
- SHA1: 3f3ebf459a4664ed98c83142f05563fd226ff792
- SHA256: 0f1adcc8a84c28177f4a27bcc58448d5288a98bfef2202c9b57592e802d17d95
- SHA512: 4d0e65aa43a306e86b8e378e5af1c74bd9458adf3dd6fbcbc330349578b89e69ed9d3c27c1fae39023b7bf874e8d45559dc8b44b69fc309c5838dc465affcb31
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid | process
  900 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
  pid | process
  1880 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes: 0f1adcc8a84c28177f4a27bcc58448d5288a98bfef2202c9b57592e802d17d95.exe
  pid | process
  960 | 0f1adcc8a84c28177f4a27bcc58448d5288a98bfef2202c9b57592e802d17d95.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 0f1adcc8a84c28177f4a27bcc58448d5288a98bfef2202c9b57592e802d17d95.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0f1adcc8a84c28177f4a27bcc58448d5288a98bfef2202c9b57592e802d17d95.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 0f1adcc8a84c28177f4a27bcc58448d5288a98bfef2202c9b57592e802d17d95.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 960 | 0f1adcc8a84c28177f4a27bcc58448d5288a98bfef2202c9b57592e802d17d95.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 0f1adcc8a84c28177f4a27bcc58448d5288a98bfef2202c9b57592e802d17d95.exe, cmd.exe
  description | pid | process | target process
  PID 960 wrote to memory of 900 | 960 | 0f1adcc8a84c28177f4a27bcc58448d5288a98bfef2202c9b57592e802d17d95.exe | MediaCenter.exe
  PID 960 wrote to memory of 900 | 960 | 0f1adcc8a84c28177f4a27bcc58448d5288a98bfef2202c9b57592e802d17d95.exe | MediaCenter.exe
  PID 960 wrote to memory of 900 | 960 | 0f1adcc8a84c28177f4a27bcc58448d5288a98bfef2202c9b57592e802d17d95.exe | MediaCenter.exe
  PID 960 wrote to memory of 900 | 960 | 0f1adcc8a84c28177f4a27bcc58448d5288a98bfef2202c9b57592e802d17d95.exe | MediaCenter.exe
  PID 960 wrote to memory of 1880 | 960 | 0f1adcc8a84c28177f4a27bcc58448d5288a98bfef2202c9b57592e802d17d95.exe | cmd.exe
  PID 960 wrote to memory of 1880 | 960 | 0f1adcc8a84c28177f4a27bcc58448d5288a98bfef2202c9b57592e802d17d95.exe | cmd.exe
  PID 960 wrote to memory of 1880 | 960 | 0f1adcc8a84c28177f4a27bcc58448d5288a98bfef2202c9b57592e802d17d95.exe | cmd.exe
  PID 960 wrote to memory of 1880 | 960 | 0f1adcc8a84c28177f4a27bcc58448d5288a98bfef2202c9b57592e802d17d95.exe | cmd.exe
  PID 1880 wrote to memory of 1668 | 1880 | cmd.exe | PING.EXE
  PID 1880 wrote to memory of 1668 | 1880 | cmd.exe | PING.EXE
  PID 1880 wrote to memory of 1668 | 1880 | cmd.exe | PING.EXE
  PID 1880 wrote to memory of 1668 | 1880 | cmd.exe | PING.EXE
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\0f1adcc8a84c28177f4a27bcc58448d5288a98bfef2202c9b57592e802d17d95.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f1adcc8a84c28177f4a27bcc58448d5288a98bfef2202c9b57592e802d17d95.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 960
  (level 2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 900
  (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f1adcc8a84c28177f4a27bcc58448d5288a98bfef2202c9b57592e802d17d95.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1880
    (level 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1668
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 4c32fb38ff0c43b71c7b006ea1eeeef9
  SHA1: 160c847b9e0e5c6dd19d0f810fbe63aae5f8b30b
  SHA256: 643846597c6d3dd79d6760673d1572c544a84871287a63b774368c86be12e6b5
  SHA512: 3f7afdde7f82bcc60579eead9396f105f5646b0b2617f9c2c25356af5b8de34280a4de0d6bc45b80b8d0fb6173daa1ed6e924da5facde83c95d4cdc059faaa92