Analysis
max time kernel: 139s
max time network: 153s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 08:21
Static task: static1
Behavioral task: behavioral1
  Sample: 0b3f986af972826dae148bef5bab014045e3befd85d4e55667996384d70f795f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0b3f986af972826dae148bef5bab014045e3befd85d4e55667996384d70f795f.exe
  Resource: win10v2004-en-20220113
General
Target: 0b3f986af972826dae148bef5bab014045e3befd85d4e55667996384d70f795f.exe
Size: 216KB
MD5: a6ca73aecd63da58015f6d0a886fe4ad
SHA1: 2b5f2b8039700cfef989b5a245d5695419af09dc
SHA256: 0b3f986af972826dae148bef5bab014045e3befd85d4e55667996384d70f795f
SHA512: f104add0c0dc45d4b9a25fc7a1140472772918ad3137dfe5a5afdd928e1e25d4f521df41a1d5ee752a4b2274ac9e32286f01bdfd0e9733543e5bc27ba1da07b1
Malware Config
Signatures
-
Sakula Payload 4 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral1/memory/1592-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral1/memory/1448-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
The rule matches both the dropped MediaCenter.exe on disk and the 0x400000-0x420000 region (the default image base of a 32-bit PE) in the original sample (PID 1592) and in the dropped process (PID 1448), so the Sakula code is present in the main module of both processes rather than only in the dropped file.
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1448 | MediaCenter.exe
-
Deletes itself 1 IoCs
Processes:
pid | process
1796 | cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
1592 | 0b3f986af972826dae148bef5bab014045e3befd85d4e55667996384d70f795f.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0b3f986af972826dae148bef5bab014045e3befd85d4e55667996384d70f795f.exe
The Wow6432Node path is the WOW64-redirected view of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that a 32-bit process sees on the x64 VM. Because it sits under HKLM the value runs at logon for every user, and the fact that the write succeeded shows the sample ran with administrative rights (the sandbox user is Admin). Persistence points at a dropped file under %LOCALAPPDATA%\Temp, which is the host-side indicator to alert on.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" description to this signature; for this sample the YARA and Suricata hits identify a Sakula RAT, so treat the drive enumeration as ordinary host reconnaissance rather than as evidence of encryption activity.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 1592 | 0b3f986af972826dae148bef5bab014045e3befd85d4e55667996384d70f795f.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
pid | process | target pid | target process
1592 | 0b3f986af972826dae148bef5bab014045e3befd85d4e55667996384d70f795f.exe | 1448 | MediaCenter.exe (4 entries)
1592 | 0b3f986af972826dae148bef5bab014045e3befd85d4e55667996384d70f795f.exe | 1796 | cmd.exe (4 entries)
1796 | cmd.exe | 1788 | PING.EXE (4 entries)
Every spawn in the tree produces the same four writes, including cmd.exe into PING.EXE, so these are the writes CreateProcess makes while setting up a child process, not evidence of code injection; the signature is a generic one.
Processes
-
The tree below is from behavioral1 (Windows 7 x64); its PIDs match the behavioral1 memory dumps in the Sakula YARA hits.

C:\Users\Admin\AppData\Local\Temp\0b3f986af972826dae148bef5bab014045e3befd85d4e55667996384d70f795f.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\0b3f986af972826dae148bef5bab014045e3befd85d4e55667996384d70f795f.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1592
-
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2, child of PID 1592)
  Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - Executes dropped EXE
  PID: 1448
-
  C:\Windows\SysWOW64\cmd.exe (depth 2, child of PID 1592)
  Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b3f986af972826dae148bef5bab014045e3befd85d4e55667996384d70f795f.exe"
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID: 1796
-
    C:\Windows\SysWOW64\PING.EXE (depth 3, child of PID 1796)
    Command line: ping 127.0.0.1
    - Runs ping.exe
    PID: 1788

Two details of this tree matter for detection. The image path is C:\Windows\SysWOW64\cmd.exe although the command line names System32: the 32-bit sample is subject to WOW64 file-system redirection on the x64 VM, so rules keyed on the image path must allow for both. The "ping 127.0.0.1 & del /q <self>" command is the usual delay-then-delete: ping to the loopback address takes a few seconds, long enough for the parent (PID 1592) to exit so the del succeeds, and the dropper disappears from disk after MediaCenter.exe has been started and registered in the Run key.
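The self-deletion and the Run-key write above are the two host-side behaviours worth turning into detection logic. The following Python is added here as a worked example and is not part of the sandbox report or of any detection product; it runs the logic over constructed records that mirror the reported tree. ProcEvent and RegEvent are hypothetical normalised log shapes (not the sandbox's export schema), and the sample's parent PID 1000 is assumed. It goes one step past the report by linking the two signals: it checks that the process that registered persistence is the one whose image was deleted, which is the dropper-to-payload handoff this tree shows.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path on disk (as observed, e.g. SysWOW64 for 32-bit)
    cmdline: str    # full command line as observed


@dataclass
class RegEvent:
    pid: int        # process that performed the write
    key: str        # full key path including the value name
    data: str       # data written


# Constructed records mirroring the reported tree (assumption: ppid 1000 for the sample).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0b3f986af972826dae148bef5bab014045e3befd85d4e55667996384d70f795f.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

PROCS = [
    ProcEvent(1592, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1448, 1592, DROPPED, DROPPED),
    ProcEvent(1796, 1592, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(1788, 1796, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]
REGS = [
    RegEvent(1592,
             r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
             DROPPED),
]

# "ping <loopback> ... & del [/switches] <target>": the ping is a sleep, the del is the payload.
SELF_DELETE_RE = re.compile(
    r'\bping\b[^&]*?127\.0\.0\.1[^&]*&\s*del\b(?:\s+/\w+)*\s+(?:"([^"]+)"|(\S+))',
    re.IGNORECASE)
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run\\', re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r'\\AppData\\(?:Local|Roaming)\\|\\Users\\Public\\|\\Windows\\Temp\\', re.IGNORECASE)


def find_self_deletion(procs):
    """Return (cmd_pid, parent_pid, deleted_path) for each cmd.exe whose
    delayed del targets the image of the process that spawned it."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe"):   # matches System32 and SysWOW64
            continue
        m = SELF_DELETE_RE.search(p.cmdline)
        if not m:
            continue
        target = (m.group(1) or m.group(2)).strip()
        parent = by_pid.get(p.ppid)
        if parent and target.lower() == parent.image.lower():
            hits.append((p.pid, parent.pid, target))
    return hits


def find_user_writable_run_keys(regs):
    """Return (pid, key, data) for Run-key values whose target lives in a
    user-writable directory such as %LOCALAPPDATA%\\Temp."""
    return [(r.pid, r.key, r.data) for r in regs
            if RUN_KEY_RE.search(r.key) and USER_WRITABLE_RE.search(r.data)]


def chain_is_consistent(procs, regs):
    """True when the process that registered persistence is also the one
    whose image was deleted: the dropper handed off to the dropped file."""
    deleted = {parent_pid for _, parent_pid, _ in find_self_deletion(procs)}
    persisted = {pid for pid, _, _ in find_user_writable_run_keys(regs)}
    return bool(deleted & persisted)


if __name__ == "__main__":
    for hit in find_self_deletion(PROCS):
        print("self-deletion:", hit)
    for hit in find_user_writable_run_keys(REGS):
        print("temp persistence:", hit)
    print("dropper-handoff chain:", chain_is_consistent(PROCS, REGS))
```

The self-deletion check deliberately requires the del target to equal the parent's image path; a bare "ping 127.0.0.1" or a del of some other file does not fire, which keeps the rule quiet on installers and scripts that use the same sleep idiom.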
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: c6013e79350b093952648f02e342d8cd
SHA1: 829bec5764d8365f5a16a1948740fdfd9bd4b8d3
SHA256: 633533887f700242b49129a8b5d0436174c3ba2464dc5f913e5c2189e42b6e58
SHA512: 8041f023b912647df471cc1bb17c9a7656624c571f5c86cfcc035977224a4784785c6995237eda6c3cd951560174219c41f19b820989a2a69353b6731de3c593