Analysis
-
max time kernel: 142s
max time network: 157s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 07:32
Static task: static1
Behavioral task: behavioral1
  Sample: 0d4ec3252d9957d176de1876abbb4415ca65324e73b46d632aff375fc0a5b617.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d4ec3252d9957d176de1876abbb4415ca65324e73b46d632aff375fc0a5b617.exe
  Resource: win10v2004-en-20220112
General
-
Target: 0d4ec3252d9957d176de1876abbb4415ca65324e73b46d632aff375fc0a5b617.exe
Size: 176KB
MD5: 0dc9db379ac71b75d7b2c8cab60bc422
SHA1: a297a2222d648e025c698ea6aed5294010414360
SHA256: 0d4ec3252d9957d176de1876abbb4415ca65324e73b46d632aff375fc0a5b617
SHA512: f20e0017ab95da12ddb24637ef82a83a62886138eb64e3482ea8ca03e59fa2d139b7df50cc9308295c3df218ad0d95752a80cd575edf2c971c69fd0c7dad2641
Malware Config
Signatures
-
Sakula Payload (4 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral1/memory/1720-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral1/memory/1888-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE (1 IoCs)
Processes:
pid | process
1888 | MediaCenter.exe
-
Deletes itself (1 IoCs)
Processes:
pid | process
1944 | cmd.exe
-
Loads dropped DLL (1 IoCs)
Processes:
pid | process
1720 | 0d4ec3252d9957d176de1876abbb4415ca65324e73b46d632aff375fc0a5b617.exe
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0d4ec3252d9957d176de1876abbb4415ca65324e73b46d632aff375fc0a5b617.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe (1 TTPs, 1 IoCs)
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 1720 | 0d4ec3252d9957d176de1876abbb4415ca65324e73b46d632aff375fc0a5b617.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
PID 1720 wrote to memory of 1888 | 1720 | 0d4ec3252d9957d176de1876abbb4415ca65324e73b46d632aff375fc0a5b617.exe | MediaCenter.exe
PID 1720 wrote to memory of 1888 | 1720 | 0d4ec3252d9957d176de1876abbb4415ca65324e73b46d632aff375fc0a5b617.exe | MediaCenter.exe
PID 1720 wrote to memory of 1888 | 1720 | 0d4ec3252d9957d176de1876abbb4415ca65324e73b46d632aff375fc0a5b617.exe | MediaCenter.exe
PID 1720 wrote to memory of 1888 | 1720 | 0d4ec3252d9957d176de1876abbb4415ca65324e73b46d632aff375fc0a5b617.exe | MediaCenter.exe
PID 1720 wrote to memory of 1944 | 1720 | 0d4ec3252d9957d176de1876abbb4415ca65324e73b46d632aff375fc0a5b617.exe | cmd.exe
PID 1720 wrote to memory of 1944 | 1720 | 0d4ec3252d9957d176de1876abbb4415ca65324e73b46d632aff375fc0a5b617.exe | cmd.exe
PID 1720 wrote to memory of 1944 | 1720 | 0d4ec3252d9957d176de1876abbb4415ca65324e73b46d632aff375fc0a5b617.exe | cmd.exe
PID 1720 wrote to memory of 1944 | 1720 | 0d4ec3252d9957d176de1876abbb4415ca65324e73b46d632aff375fc0a5b617.exe | cmd.exe
PID 1944 wrote to memory of 1128 | 1944 | cmd.exe | PING.EXE
PID 1944 wrote to memory of 1128 | 1944 | cmd.exe | PING.EXE
PID 1944 wrote to memory of 1128 | 1944 | cmd.exe | PING.EXE
PID 1944 wrote to memory of 1128 | 1944 | cmd.exe | PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d4ec3252d9957d176de1876abbb4415ca65324e73b46d632aff375fc0a5b617.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d4ec3252d9957d176de1876abbb4415ca65324e73b46d632aff375fc0a5b617.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1720
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1888
  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d4ec3252d9957d176de1876abbb4415ca65324e73b46d632aff375fc0a5b617.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1944
    C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1128
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: af4673c72633535b0c52f18a767610df
SHA1: 3d25bca1f5f922ad87d9b67fab1645a1241c6c59
SHA256: 574e3e0e95bb4097598b3cca645da3f7c18ab2ec2ac03a74bcc926c6685e5509
SHA512: 51906ad87309ea2d553d854ae25c39df9d6c6f29c28475081b13d0fb62ed3abce8c1863aa581c2e55617fc1eecc6f35504b75dbb4ac69a304bb1eb0534c5956a