Analysis
- max time kernel: 141s
- max time network: 168s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:33
Static task: static1
Behavioral task: behavioral1
  Sample: 0d3dc0f31c68b87ae8891d52694b9171bd48c557dbd785e696a7fab5a2a518cd.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d3dc0f31c68b87ae8891d52694b9171bd48c557dbd785e696a7fab5a2a518cd.exe
  Resource: win10v2004-en-20220113
General
- Target: 0d3dc0f31c68b87ae8891d52694b9171bd48c557dbd785e696a7fab5a2a518cd.exe
- Size: 89KB
- MD5: 5116649e839adad7548ffba8c19b8f53
- SHA1: 5f9992ce8c6fb976233bfe9618911c1ed7763bb5
- SHA256: 0d3dc0f31c68b87ae8891d52694b9171bd48c557dbd785e696a7fab5a2a518cd
- SHA512: 3d68ab8b31210a5d6b5531393b211db6c4a91fb9e09e52c1e2ca0171fb80f03fc21cf21f3109dd26e5bef85a021df51ae577ea6f9bbad016b9d483429ba78e77
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoCs)
  Processes:
  pid   process
  1656  MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes:
  pid   process
  400   cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes:
  pid   process
  1628  0d3dc0f31c68b87ae8891d52694b9171bd48c557dbd785e696a7fab5a2a518cd.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description      ioc                                                                                                                                                           process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0d3dc0f31c68b87ae8891d52694b9171bd48c557dbd785e696a7fab5a2a518cd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description                          pid   process
  Token: SeIncBasePriorityPrivilege    1628  0d3dc0f31c68b87ae8891d52694b9171bd48c557dbd785e696a7fab5a2a518cd.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                        pid   process                                                                 target process
  PID 1628 wrote to memory of 1656   1628  0d3dc0f31c68b87ae8891d52694b9171bd48c557dbd785e696a7fab5a2a518cd.exe  MediaCenter.exe
  PID 1628 wrote to memory of 1656   1628  0d3dc0f31c68b87ae8891d52694b9171bd48c557dbd785e696a7fab5a2a518cd.exe  MediaCenter.exe
  PID 1628 wrote to memory of 1656   1628  0d3dc0f31c68b87ae8891d52694b9171bd48c557dbd785e696a7fab5a2a518cd.exe  MediaCenter.exe
  PID 1628 wrote to memory of 1656   1628  0d3dc0f31c68b87ae8891d52694b9171bd48c557dbd785e696a7fab5a2a518cd.exe  MediaCenter.exe
  PID 1628 wrote to memory of 400    1628  0d3dc0f31c68b87ae8891d52694b9171bd48c557dbd785e696a7fab5a2a518cd.exe  cmd.exe
  PID 1628 wrote to memory of 400    1628  0d3dc0f31c68b87ae8891d52694b9171bd48c557dbd785e696a7fab5a2a518cd.exe  cmd.exe
  PID 1628 wrote to memory of 400    1628  0d3dc0f31c68b87ae8891d52694b9171bd48c557dbd785e696a7fab5a2a518cd.exe  cmd.exe
  PID 1628 wrote to memory of 400    1628  0d3dc0f31c68b87ae8891d52694b9171bd48c557dbd785e696a7fab5a2a518cd.exe  cmd.exe
  PID 400 wrote to memory of 740     400   cmd.exe                                                                 PING.EXE
  PID 400 wrote to memory of 740     400   cmd.exe                                                                 PING.EXE
  PID 400 wrote to memory of 740     400   cmd.exe                                                                 PING.EXE
  PID 400 wrote to memory of 740     400   cmd.exe                                                                 PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0d3dc0f31c68b87ae8891d52694b9171bd48c557dbd785e696a7fab5a2a518cd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d3dc0f31c68b87ae8891d52694b9171bd48c557dbd785e696a7fab5a2a518cd.exe"
  PID: 1628
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1656
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d3dc0f31c68b87ae8891d52694b9171bd48c557dbd785e696a7fab5a2a518cd.exe"
    PID: 400
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 740
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 11a9f3c79c0f78b8a695dd1403215365
  SHA1: 4cb1c6aa7af11d007ba30ed512f6dfc494428080
  SHA256: 26bc7342e64ef719d977bb32b3130aef9d71ae996375b207ef2da5ebbfd235c2
  SHA512: 2b54e1d96100a6d6579b1bcd7a3341f9fd80eaa7454862817faa6622942b448ee9792ae0fcd946dbb44ad45583af3e62d5f687f4143e17c4951b74a811f29aa1