Analysis
- max time kernel: 125s
- max time network: 144s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 06:59
Static task: static1
Behavioral task: behavioral1
  Sample: 0ee3a6999d625ea436fc1b8a0aaf11feb9e41ad94ef0bf4d13640e5a7354f45d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0ee3a6999d625ea436fc1b8a0aaf11feb9e41ad94ef0bf4d13640e5a7354f45d.exe
  Resource: win10v2004-en-20220112
General
- Target: 0ee3a6999d625ea436fc1b8a0aaf11feb9e41ad94ef0bf4d13640e5a7354f45d.exe
- Size: 92KB
- MD5: 3f7a36cbd208f2e157d7153b641f3972
- SHA1: 554509ae9649498be4a3f8122400634e0c43b1ad
- SHA256: 0ee3a6999d625ea436fc1b8a0aaf11feb9e41ad94ef0bf4d13640e5a7354f45d
- SHA512: 51ebe69c49ba935c6dfa414ed05e799a7a00bb8f8f545cb2db7c901f3a1352d1f13389378d941036c28193f1697cbdcaa4d858a78b22aee968e401830b7448b5
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, yara_rule: family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes:
    pid: 520, process: MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid: 1040, process: cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid: 1032, process: 0ee3a6999d625ea436fc1b8a0aaf11feb9e41ad94ef0bf4d13640e5a7354f45d.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 0ee3a6999d625ea436fc1b8a0aaf11feb9e41ad94ef0bf4d13640e5a7354f45d.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege, pid: 1032, process: 0ee3a6999d625ea436fc1b8a0aaf11feb9e41ad94ef0bf4d13640e5a7354f45d.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1032 wrote to memory of 520 | 1032 | 0ee3a6999d625ea436fc1b8a0aaf11feb9e41ad94ef0bf4d13640e5a7354f45d.exe | MediaCenter.exe
    PID 1032 wrote to memory of 520 | 1032 | 0ee3a6999d625ea436fc1b8a0aaf11feb9e41ad94ef0bf4d13640e5a7354f45d.exe | MediaCenter.exe
    PID 1032 wrote to memory of 520 | 1032 | 0ee3a6999d625ea436fc1b8a0aaf11feb9e41ad94ef0bf4d13640e5a7354f45d.exe | MediaCenter.exe
    PID 1032 wrote to memory of 520 | 1032 | 0ee3a6999d625ea436fc1b8a0aaf11feb9e41ad94ef0bf4d13640e5a7354f45d.exe | MediaCenter.exe
    PID 1032 wrote to memory of 1040 | 1032 | 0ee3a6999d625ea436fc1b8a0aaf11feb9e41ad94ef0bf4d13640e5a7354f45d.exe | cmd.exe
    PID 1032 wrote to memory of 1040 | 1032 | 0ee3a6999d625ea436fc1b8a0aaf11feb9e41ad94ef0bf4d13640e5a7354f45d.exe | cmd.exe
    PID 1032 wrote to memory of 1040 | 1032 | 0ee3a6999d625ea436fc1b8a0aaf11feb9e41ad94ef0bf4d13640e5a7354f45d.exe | cmd.exe
    PID 1032 wrote to memory of 1040 | 1032 | 0ee3a6999d625ea436fc1b8a0aaf11feb9e41ad94ef0bf4d13640e5a7354f45d.exe | cmd.exe
    PID 1040 wrote to memory of 1504 | 1040 | cmd.exe | PING.EXE
    PID 1040 wrote to memory of 1504 | 1040 | cmd.exe | PING.EXE
    PID 1040 wrote to memory of 1504 | 1040 | cmd.exe | PING.EXE
    PID 1040 wrote to memory of 1504 | 1040 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0ee3a6999d625ea436fc1b8a0aaf11feb9e41ad94ef0bf4d13640e5a7354f45d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0ee3a6999d625ea436fc1b8a0aaf11feb9e41ad94ef0bf4d13640e5a7354f45d.exe"
  PID: 1032
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 520
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ee3a6999d625ea436fc1b8a0aaf11feb9e41ad94ef0bf4d13640e5a7354f45d.exe"
    PID: 1040
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      PID: 1504
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b5355e2d1ac0644bd6b9d0de9f263ed9
  SHA1: d5606a8a4eaf9a7bcceb2e5c5d46bbb58c1aa83e
  SHA256: e794a865bc2d6b7337dd62ca46fff14ca9008377f2afc30b42d54cc4577c909d
  SHA512: 42e20bfbbee067a3e2f3e90a1d4b3a09ae5e2f320da17a8f5f1df175f1fff0787f59ff5e1d0a51e87a23566cec1895ad9a006377af5b5368f99eebc454680168