Analysis
- max time kernel: 141s
- max time network: 157s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:28
Static task: static1

Behavioral task: behavioral1
- Sample: 0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe
- Resource: win10v2004-en-20220113
General
- Target: 0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe
- Size: 216KB
- MD5: 39d3045114638a4e17be87f1976873c9
- SHA1: 2f0720836c0c67890e271a06fa9a8a808d23301c
- SHA256: 0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce
- SHA512: 19b2e9da0f8d982a4179b2df41c4600459a1926e34606c4dc97e0fbd0c841672123286e6bfcd30cb1d1a597561f295e85cce266f60bcf08696c5fc10de3fef3a
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1144-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1404-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1404 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  1864 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  1144 | 0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1144 | 0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe, cmd.exe
  description | pid | process | target process
  PID 1144 wrote to memory of 1404 | 1144 | 0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe | MediaCenter.exe (4 events)
  PID 1144 wrote to memory of 1864 | 1144 | 0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe | cmd.exe (4 events)
  PID 1864 wrote to memory of 1836 | 1864 | cmd.exe | PING.EXE (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe (PID 1144, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe"
  Signatures:
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1404, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures:
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1864, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d887f5ae411555f6d46c4b6eebeb01f186092c9183c7f680bfe8994c91b92ce.exe"
    Signatures:
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\PING.EXE (PID 1836, depth 3)
      Command line: ping 127.0.0.1
      Signatures:
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: c16090cc96d49bc8add763a0135c188a
  SHA1: d1163ecae04b2f25b56ca8f22bfc211b12de72f0
  SHA256: 97f4490c03efe8260ea8f46f659222f1efb55de75fd52eb666293cce4a33d43e
  SHA512: c7cf1150d63fb9f3ffa3dab3e3698fef98ba49e10b13362feb5af3d1e2ce9e5ca4902423b9bdb770e8820d1d811c553c79d677102464829f3a364ba270e0eed8