Analysis
max time kernel: 154s
max time network: 170s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 06:44
Static task: static1
Behavioral task: behavioral1
  Sample: 0f1034c593e725dfe5a968d0fdecf2cdd141b6bfd658c4e6b524f14a2ff6f5af.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0f1034c593e725dfe5a968d0fdecf2cdd141b6bfd658c4e6b524f14a2ff6f5af.exe
  Resource: win10v2004-en-20220112
General
Target: 0f1034c593e725dfe5a968d0fdecf2cdd141b6bfd658c4e6b524f14a2ff6f5af.exe
Size: 216KB
MD5: 8fd1a05274ceb5ff2350e8ecb15a2e52
SHA1: f5ccb96df914caaf640aadcc78090db2e87c344f
SHA256: 0f1034c593e725dfe5a968d0fdecf2cdd141b6bfd658c4e6b524f14a2ff6f5af
SHA512: bf192af6d0ede66e2d18cabea06b03fbf603df1852dcceb58ba5c4e89a4564357a1aae8b23f14dade1ae83c9a7143d52727efd39c6d9045b1c4ae6691a5c4071
Malware Config
Signatures
Sakula Payload (4 IoCs)
Processes:
  resource                                                                    yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                family_sakula
  behavioral1/memory/956-58-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
  behavioral1/memory/516-59-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  516   MediaCenter.exe

Deletes itself (1 IoC)
Processes:
  pid   process
  1176  cmd.exe

Loads dropped DLL (1 IoC)
Processes:
  pid   process
  956   0f1034c593e725dfe5a968d0fdecf2cdd141b6bfd658c4e6b524f14a2ff6f5af.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description      ioc
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process          0f1034c593e725dfe5a968d0fdecf2cdd141b6bfd658c4e6b524f14a2ff6f5af.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description                          pid   process
  Token: SeIncBasePriorityPrivilege    956   0f1034c593e725dfe5a968d0fdecf2cdd141b6bfd658c4e6b524f14a2ff6f5af.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                         pid   process                                                                 target process
  PID 956 wrote to memory of 516      956   0f1034c593e725dfe5a968d0fdecf2cdd141b6bfd658c4e6b524f14a2ff6f5af.exe   MediaCenter.exe
  PID 956 wrote to memory of 516      956   0f1034c593e725dfe5a968d0fdecf2cdd141b6bfd658c4e6b524f14a2ff6f5af.exe   MediaCenter.exe
  PID 956 wrote to memory of 516      956   0f1034c593e725dfe5a968d0fdecf2cdd141b6bfd658c4e6b524f14a2ff6f5af.exe   MediaCenter.exe
  PID 956 wrote to memory of 516      956   0f1034c593e725dfe5a968d0fdecf2cdd141b6bfd658c4e6b524f14a2ff6f5af.exe   MediaCenter.exe
  PID 956 wrote to memory of 1176     956   0f1034c593e725dfe5a968d0fdecf2cdd141b6bfd658c4e6b524f14a2ff6f5af.exe   cmd.exe
  PID 956 wrote to memory of 1176     956   0f1034c593e725dfe5a968d0fdecf2cdd141b6bfd658c4e6b524f14a2ff6f5af.exe   cmd.exe
  PID 956 wrote to memory of 1176     956   0f1034c593e725dfe5a968d0fdecf2cdd141b6bfd658c4e6b524f14a2ff6f5af.exe   cmd.exe
  PID 956 wrote to memory of 1176     956   0f1034c593e725dfe5a968d0fdecf2cdd141b6bfd658c4e6b524f14a2ff6f5af.exe   cmd.exe
  PID 1176 wrote to memory of 1204    1176  cmd.exe                                                                 PING.EXE
  PID 1176 wrote to memory of 1204    1176  cmd.exe                                                                 PING.EXE
  PID 1176 wrote to memory of 1204    1176  cmd.exe                                                                 PING.EXE
  PID 1176 wrote to memory of 1204    1176  cmd.exe                                                                 PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0f1034c593e725dfe5a968d0fdecf2cdd141b6bfd658c4e6b524f14a2ff6f5af.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f1034c593e725dfe5a968d0fdecf2cdd141b6bfd658c4e6b524f14a2ff6f5af.exe"
  Level 1, PID 956
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Level 2, PID 516
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f1034c593e725dfe5a968d0fdecf2cdd141b6bfd658c4e6b524f14a2ff6f5af.exe"
    Level 2, PID 1176
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Level 3, PID 1204
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: a920f5316fce24d9386a670bb0656d54
SHA1: 24fae2f0ee38faf3124fb2f071bde37e02fc57ef
SHA256: 3ad6493cee1336290ad4a6bcc55f0e34ba72e0e3fa37edca9702fbcae310b65e
SHA512: f0adc9bebd7388356f5781224272657349f3f830858230516463c1ed617e26257b33e682dd283f41eea05633da16fc52312dead968d7b4709590c3b8460b489c