Analysis
- max time kernel: 145s
- max time network: 160s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:06
Static task: static1
Behavioral task: behavioral1
  Sample: 0e8ebb0f9d7e63f1f5a4dcc779ead9b30523112b0f875593a862c58f6e2d4272.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0e8ebb0f9d7e63f1f5a4dcc779ead9b30523112b0f875593a862c58f6e2d4272.exe
  Resource: win10v2004-en-20220112
General
- Target: 0e8ebb0f9d7e63f1f5a4dcc779ead9b30523112b0f875593a862c58f6e2d4272.exe
- Size: 89KB
- MD5: 29f3295ac7308a04aaf9d20631345cd6
- SHA1: 951abf34a260552b3682f205a01ff294180e4399
- SHA256: 0e8ebb0f9d7e63f1f5a4dcc779ead9b30523112b0f875593a862c58f6e2d4272
- SHA512: b4309b58a0d53dc5b3a183ff3bc7bf76dfbd4ad1187aaa04f846e8f832adb41083899cc248b9da76371896c5a6d5838e2c495464779467ae3e3f4efdb91e92b2
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource | yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
    524 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid | process):
    976 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid | process):
    1680 | 0e8ebb0f9d7e63f1f5a4dcc779ead9b30523112b0f875593a862c58f6e2d4272.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0e8ebb0f9d7e63f1f5a4dcc779ead9b30523112b0f875593a862c58f6e2d4272.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 1680 | 0e8ebb0f9d7e63f1f5a4dcc779ead9b30523112b0f875593a862c58f6e2d4272.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 1680 wrote to memory of 524 | 1680 | 0e8ebb0f9d7e63f1f5a4dcc779ead9b30523112b0f875593a862c58f6e2d4272.exe | MediaCenter.exe
    PID 1680 wrote to memory of 524 | 1680 | 0e8ebb0f9d7e63f1f5a4dcc779ead9b30523112b0f875593a862c58f6e2d4272.exe | MediaCenter.exe
    PID 1680 wrote to memory of 524 | 1680 | 0e8ebb0f9d7e63f1f5a4dcc779ead9b30523112b0f875593a862c58f6e2d4272.exe | MediaCenter.exe
    PID 1680 wrote to memory of 524 | 1680 | 0e8ebb0f9d7e63f1f5a4dcc779ead9b30523112b0f875593a862c58f6e2d4272.exe | MediaCenter.exe
    PID 1680 wrote to memory of 976 | 1680 | 0e8ebb0f9d7e63f1f5a4dcc779ead9b30523112b0f875593a862c58f6e2d4272.exe | cmd.exe
    PID 1680 wrote to memory of 976 | 1680 | 0e8ebb0f9d7e63f1f5a4dcc779ead9b30523112b0f875593a862c58f6e2d4272.exe | cmd.exe
    PID 1680 wrote to memory of 976 | 1680 | 0e8ebb0f9d7e63f1f5a4dcc779ead9b30523112b0f875593a862c58f6e2d4272.exe | cmd.exe
    PID 1680 wrote to memory of 976 | 1680 | 0e8ebb0f9d7e63f1f5a4dcc779ead9b30523112b0f875593a862c58f6e2d4272.exe | cmd.exe
    PID 976 wrote to memory of 2020 | 976 | cmd.exe | PING.EXE
    PID 976 wrote to memory of 2020 | 976 | cmd.exe | PING.EXE
    PID 976 wrote to memory of 2020 | 976 | cmd.exe | PING.EXE
    PID 976 wrote to memory of 2020 | 976 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0e8ebb0f9d7e63f1f5a4dcc779ead9b30523112b0f875593a862c58f6e2d4272.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e8ebb0f9d7e63f1f5a4dcc779ead9b30523112b0f875593a862c58f6e2d4272.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1680
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 524
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e8ebb0f9d7e63f1f5a4dcc779ead9b30523112b0f875593a862c58f6e2d4272.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 976
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2020
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 8e0d5f33ee7b52251345096f212272ad
  SHA1: a4f38fb4282f3d15e980800cc4d5f7650be7fb81
  SHA256: 2ce720e97f3ebc15b1bcb4fd63ddf92e0a097aac57ad4b58d49b754c51fac543
  SHA512: d71c16826c156d9aa8a62948177dd2b025203bd7a173cbaa207d27b76c297fab36522b0dbac5c22a9b06263ddddc7bcc670a6ee3b0c1ffce33f55aafd1f9bffc