Analysis
- max time kernel: 150s
- max time network: 170s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 08:16
Static task: static1
Behavioral task: behavioral1
- Sample: 0b5cd16a1796a456f435bfe524bb4769d683068e2ae0ceb2ab31fb148a17e556.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0b5cd16a1796a456f435bfe524bb4769d683068e2ae0ceb2ab31fb148a17e556.exe
- Resource: win10v2004-en-20220113
General
- Target: 0b5cd16a1796a456f435bfe524bb4769d683068e2ae0ceb2ab31fb148a17e556.exe
- Size: 216KB
- MD5: 092deb5167ab589000bf2428ffdc4e0e
- SHA1: 5f635d549155a3de1761482d11c964ab4386a1ba
- SHA256: 0b5cd16a1796a456f435bfe524bb4769d683068e2ae0ceb2ab31fb148a17e556
- SHA512: 23df54662107fa9e2a72c72fe0e1fc2ce6c653f047f6ff3598a076faf5e008957c8b4b057556a57b7a6b4b5e4963af5d2d09193e111257e1d428d8fd43bce9e2
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes (resource -> YARA rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
  behavioral1/memory/1636-59-0x0000000000400000-0x0000000000420000-memory.dmp -> family_sakula
  behavioral1/memory/1588-60-0x0000000000400000-0x0000000000420000-memory.dmp -> family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe (PID 1588)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 1156)
- Loads dropped DLL (1 IoC)
  Processes: 0b5cd16a1796a456f435bfe524bb4769d683068e2ae0ceb2ab31fb148a17e556.exe (PID 1636)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0b5cd16a1796a456f435bfe524bb4769d683068e2ae0ceb2ab31fb148a17e556.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 0b5cd16a1796a456f435bfe524bb4769d683068e2ae0ceb2ab31fb148a17e556.exe (PID 1636), Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID wrote to memory of target PID, source process -> target process):
  PID 1636 wrote to memory of 1588: 0b5cd16a1796a456f435bfe524bb4769d683068e2ae0ceb2ab31fb148a17e556.exe -> MediaCenter.exe (recorded 4 times)
  PID 1636 wrote to memory of 1156: 0b5cd16a1796a456f435bfe524bb4769d683068e2ae0ceb2ab31fb148a17e556.exe -> cmd.exe (recorded 4 times)
  PID 1156 wrote to memory of 960: cmd.exe -> PING.EXE (recorded 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\0b5cd16a1796a456f435bfe524bb4769d683068e2ae0ceb2ab31fb148a17e556.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b5cd16a1796a456f435bfe524bb4769d683068e2ae0ceb2ab31fb148a17e556.exe"
  Depth 1, PID 1636
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Depth 2, PID 1588
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b5cd16a1796a456f435bfe524bb4769d683068e2ae0ceb2ab31fb148a17e556.exe"
    Depth 2, PID 1156
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Depth 3, PID 960
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: e7cf083d38a89e4fc7b3c6a5ad9af053
  SHA1: 389d36df43ac370e0355b244533c59e16610124e
  SHA256: ea94034f468c12b2d60ff16da9f6e43adc2a74795d579969efa37d45b1fce98b
  SHA512: 3c7403ee3cbf1f3d4f7b7bdcb744fd11aa62ecc0c72672f634ef6954b140d6a1916054cb8e1307a5b4cbc53ac302e0aa703641919fc0f0dda67f7a987e9c92da