Analysis
max time kernel: 141s
max time network: 155s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 07:29
Static task: static1
Behavioral task: behavioral1
  Sample: 0d7621e4679f7badc6c53a41de6bf7ffd41b12eace63a34eeda8672fe24da202.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d7621e4679f7badc6c53a41de6bf7ffd41b12eace63a34eeda8672fe24da202.exe
  Resource: win10v2004-en-20220113
General
Target: 0d7621e4679f7badc6c53a41de6bf7ffd41b12eace63a34eeda8672fe24da202.exe
Size: 116KB
MD5: c59a6f49ee75bcb4de30e5bc981c4cf6
SHA1: 5f71113b9c6bda114f46d4e7a8a4ac45f8d4aa7c
SHA256: 0d7621e4679f7badc6c53a41de6bf7ffd41b12eace63a34eeda8672fe24da202
SHA512: d252ada3fdcad5f6e3a983bfccce91ec9cf503451f8d91066b48129a037e65005eed3cea374f436ed6f5c7798b7b50580f39d0d3d8ff336d30786bc2dc2219fe
Malware Config
Signatures
-
Sakula Payload (4 IoCs)
  resource                                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
  behavioral1/memory/1588-59-0x0000000000400000-0x0000000000420000-memory.dmp   family_sakula
  behavioral1/memory/1280-60-0x0000000000400000-0x0000000000420000-memory.dmp   family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
  pid    process
  1280   MediaCenter.exe
Deletes itself (1 IoC)
  pid    process
  744    cmd.exe
Loads dropped DLL (1 IoC)
  pid    process
  1588   0d7621e4679f7badc6c53a41de6bf7ffd41b12eace63a34eeda8672fe24da202.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description   Set value (str)
  ioc           \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process       0d7621e4679f7badc6c53a41de6bf7ffd41b12eace63a34eeda8672fe24da202.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                          pid    process
  Token: SeIncBasePriorityPrivilege    1588   0d7621e4679f7badc6c53a41de6bf7ffd41b12eace63a34eeda8672fe24da202.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                         pid    process                                                                  target process
  PID 1588 wrote to memory of 1280    1588   0d7621e4679f7badc6c53a41de6bf7ffd41b12eace63a34eeda8672fe24da202.exe   MediaCenter.exe   (4 entries)
  PID 1588 wrote to memory of 744     1588   0d7621e4679f7badc6c53a41de6bf7ffd41b12eace63a34eeda8672fe24da202.exe   cmd.exe           (4 entries)
  PID 744 wrote to memory of 948      744    cmd.exe                                                                  PING.EXE          (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0d7621e4679f7badc6c53a41de6bf7ffd41b12eace63a34eeda8672fe24da202.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\0d7621e4679f7badc6c53a41de6bf7ffd41b12eace63a34eeda8672fe24da202.exe"
   PID: 1588
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1280
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d7621e4679f7badc6c53a41de6bf7ffd41b12eace63a34eeda8672fe24da202.exe"
      PID: 744
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         command line: ping 127.0.0.1
         PID: 948
         - Runs ping.exe
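The two host-side behaviours in this tree, the Run-key value pointing into %TEMP% and the "cmd /c ping 127.0.0.1 & del /q <dropper>" self-delete, are cheap to hunt for in endpoint telemetry. The script below is an added example, not part of the sandbox report: it reconstructs the report's process tree and registry write as Sysmon-shaped events (field names such as EventID, Image, ParentProcessId, TargetObject and Details are an assumption, not a real log export) and runs two rules over them. It also checks that the deleted path is the parent's own image and that a ping child actually followed, which is what separates this pattern from an ordinary cleanup batch file.

```python
"""Hunt for Run-key persistence into user-writable paths and ping-then-del self-deletion.

Added example, not part of the sandbox report. EVENTS below is constructed from
the report's process tree and registry IoC; the Sysmon-like field names are an
assumption (Sysmon Event ID 1 = process create, 13 = registry value set).
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0d7621e4679f7badc6c53a41de6bf7ffd41b12eace63a34eeda8672fe24da202.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events: the four processes from the report plus one benign Run-key
# write (vendor agent under Program Files) as a control that must not fire.
EVENTS = [
    {"EventID": 1, "ProcessId": 1588, "ParentProcessId": 0, "Image": SAMPLE,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 13, "ProcessId": 1588, "Image": SAMPLE, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED},
    {"EventID": 1, "ProcessId": 1280, "ParentProcessId": 1588, "Image": DROPPED,
     "ParentImage": SAMPLE, "CommandLine": DROPPED},
    {"EventID": 1, "ProcessId": 744, "ParentProcessId": 1588,
     "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": SAMPLE,
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 948, "ParentProcessId": 744,
     "Image": r"C:\Windows\SysWOW64\PING.EXE", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": "ping 127.0.0.1"},
    {"EventID": 13, "ProcessId": 2000, "Image": r"C:\Program Files\Vendor\setup.exe",
     "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

# Run and RunOnce under either the native or the Wow6432Node hive view.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Directories an unprivileged user can write to; autostart entries here are suspect.
USER_WRITABLE = re.compile(
    r"\\AppData\\(Local\\Temp|Local|Roaming)\\|\\Users\\Public\\|\\ProgramData\\|\\Temp\\", re.I)
# "ping 127.0.0.1 [-n N] & del [/flags] <path.exe>": the loopback ping is a sleep
# that lets the parent exit before its file is unlinked. Group 1 = deleted path.
SELF_DELETE = re.compile(
    r"ping\s+(?:127\.0\.0\.1|localhost)\b.*?&+\s*(?:del|erase)\s+(?:/\w\s+)*\"?([^\"]+?\.exe)\"?",
    re.I)


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def run_key_findings(events):
    """Run/RunOnce values whose data points into a user-writable directory."""
    out = []
    for ev in events:
        if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
            continue
        if RUN_KEY.search(ev.get("TargetObject", "")) and USER_WRITABLE.search(ev.get("Details", "")):
            out.append({"rule": "run_key_user_writable", "pid": ev["ProcessId"],
                        "value": ev["TargetObject"], "data": ev["Details"]})
    return out


def self_delete_findings(events):
    """cmd.exe that pings loopback then deletes an .exe; flags whether it is the parent's image."""
    procs = {ev["ProcessId"]: ev for ev in events if ev.get("EventID") == 1}
    out = []
    for ev in procs.values():
        if _basename(ev["Image"]) != "cmd.exe":
            continue
        m = SELF_DELETE.search(ev.get("CommandLine", ""))
        if not m:
            continue
        target = _norm(m.group(1))
        parent = procs.get(ev.get("ParentProcessId"))
        parent_image = _norm(parent["Image"]) if parent else _norm(ev.get("ParentImage", ""))
        ping_child = any(p.get("ParentProcessId") == ev["ProcessId"] and _basename(p["Image"]) == "ping.exe"
                         for p in procs.values())
        out.append({"rule": "ping_del_self_delete", "pid": ev["ProcessId"], "deletes": target,
                    "deletes_parent": target == parent_image, "ping_child_seen": ping_child})
    return out


def hunt(events):
    return run_key_findings(events) + self_delete_findings(events)


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

Against the constructed events the Run-key rule fires once (PID 1588 writing MicroMedia into the Wow6432Node Run key) and ignores the Program Files control, and the self-delete rule fires once on PID 744 with deletes_parent and ping_child_seen both true. Note that the report shows the command line as System32\cmd.exe while the image is SysWOW64\cmd.exe (WOW64 redirection for a 32-bit dropper), which is why the rules match on the image basename rather than the full path.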
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: c5149566c76c738ab4cdf511bf20cbbc
SHA1: 229dd2c8e23977ddac2722b303fcf26633076dc3
SHA256: 8ff77b2db1d4629f6af7073c054fb35b4cb7caa683a5dd459e45179df1085403
SHA512: 2181cff6ef83e34d7b85b18d6a72cbd5b6f66a81c8f7b06bb4176d711fa52b2b1d289a12446f2de15c42ff85f18e8286e399dc989839852659ff3db772fb7061