Analysis
max time kernel: 135s
max time network: 150s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 07:35
Static task: static1
Behavioral task: behavioral1
  Sample: 0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe
  Resource: win10v2004-en-20220113
General
Target: 0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe
Size: 216KB
MD5: 737e53d8495c4dd62b39ca9e7ea717f0
SHA1: 16b0d49e84b5c5bf5d067c5434f234ba7bacef5d
SHA256: 0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57
SHA512: 93ad7cd333fad3edc398506ce02bd3994553450dbdd2758730cfcdbc3201fb1212dee16caef22333d5ba1fd04dc7c11dc5564182badf7599ced42efa3b1abcc6
Malware Config
Signatures
Sakula Payload (4 IoCs)
resource / yara_rule:
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- behavioral1/memory/1600-58-0x0000000000400000-0x0000000000420000-memory.dmp: family_sakula
- behavioral1/memory/1288-59-0x0000000000400000-0x0000000000420000-memory.dmp: family_sakula
The rule matches the dropped file on disk and the in-memory image (0x400000-0x420000) of both the original sample (PID 1600) and the dropped MediaCenter.exe (PID 1288), so the dropper and the dropped executable carry the same Sakula payload.
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
- PID 1288: MediaCenter.exe
Deletes itself (1 IoC)
- PID 1000: cmd.exe
Loads dropped DLL (1 IoC)
- PID 1600: 0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str) by 0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
The sample is a 32-bit process on 64-bit Windows (its cmd.exe child resolves to SysWOW64 in the process tree below), so a write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is redirected by WOW64 to the Wow6432Node view shown here. Hunting queries for this persistence should cover both the native and the Wow6432Node Run keys; the value points into a user-writable Temp directory, which is itself a strong signal.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for the signature; the family detections above identify the sample as the Sakula RAT, not ransomware.)
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeIncBasePriorityPrivilege, PID 1600, 0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe
Suspicious use of WriteProcessMemory (12 IoCs)
- PID 1600 (0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe) wrote to memory of PID 1288 (MediaCenter.exe), logged 4 times
- PID 1600 (0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe) wrote to memory of PID 1000 (cmd.exe), logged 4 times
- PID 1000 (cmd.exe) wrote to memory of PID 1612 (PING.EXE), logged 4 times
Every write is from a parent into a child it has just spawned; no write into a pre-existing or unrelated process appears, so this signature on its own does not indicate process injection here.
Processes
- C:\Users\Admin\AppData\Local\Temp\0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe (PID 1600)
  command line: "C:\Users\Admin\AppData\Local\Temp\0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1288)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1000)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1612)
      command line: ping 127.0.0.1
      - Runs ping.exe
The chain is the usual dropper pattern: the sample writes MediaCenter.exe, registers it in the Run key, launches it, then hands its own deletion to a cmd.exe child. The ping to 127.0.0.1 has no network purpose; it is a delay of a few seconds so that the parent has exited and released its file before del runs. Note that cmd.exe is requested as C:\Windows\System32\cmd.exe but runs from SysWOW64, because file system redirection applies to the 32-bit parent.
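The two behaviours above, Run-key persistence into a user-writable directory and the cmd.exe "ping & del" self-deletion of the parent's own image, are easy to express as detection logic over endpoint telemetry. The following is an added example written for this page, not sandbox output and not the malware's code. It runs over constructed Sysmon-style records that mirror the report's process tree and registry write; the field names (EventID 1 for process create, 13 for registry value set, ProcessId, ParentProcessId, Image, CommandLine, TargetObject, Details) are an assumption about the log format, not Triage's export, and the benign control event is constructed too.

```python
import re

# Sample basename as it appears in the report
SAMPLE = "0d305031039d586cd70a31aaf7fa9c51bdd028ceaff9004846ec582f7ce41d57.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE

# Constructed Sysmon-style records mirroring the report (EventID 1 = process
# create, 13 = registry value set). Field names are an assumption, not the
# sandbox's export format; PIDs and paths are the ones shown in the report.
EVENTS = [
    {"EventID": 1, "ProcessId": 900, "ParentProcessId": 500,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"EventID": 1, "ProcessId": 1600, "ParentProcessId": 900,
     "Image": SAMPLE_PATH, "CommandLine": f'"{SAMPLE_PATH}"'},
    {"EventID": 13, "ProcessId": 1600, "Image": SAMPLE_PATH,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"EventID": 1, "ProcessId": 1288, "ParentProcessId": 1600,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"EventID": 1, "ProcessId": 1000, "ParentProcessId": 1600,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE_PATH}"'},
    {"EventID": 1, "ProcessId": 1612, "ParentProcessId": 1000,
     "Image": r"C:\Windows\SysWOW64\PING.EXE", "CommandLine": "ping 127.0.0.1"},
    # Benign control (constructed): a cleanup of a log file, not of the parent's image
    {"EventID": 1, "ProcessId": 2000, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c del /q "C:\Temp\build.log"'},
]

# Run or RunOnce value under either the native or the Wow6432Node view
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.IGNORECASE)
# Directories an unprivileged user can write to
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\(Local|Roaming)\\|\\Users\\Public\\|\\ProgramData\\", re.IGNORECASE)
# Target of a trailing "del [/switches] <path>" in a cmd.exe command line
DEL_TARGET_RE = re.compile(r'\bdel\b(?:\s+/[a-z])*\s+"?([^"&]+?)"?\s*$', re.IGNORECASE)


def _norm(path):
    return path.strip().strip('"').lower()


def run_key_to_user_writable(events):
    """Run/RunOnce values whose target executable lives in a user-writable directory."""
    hits = []
    for e in events:
        if e.get("EventID") != 13:
            continue
        m = RUN_KEY_RE.search(e["TargetObject"])
        if m and USER_WRITABLE_RE.search(e["Details"]):
            hits.append({"pid": e["ProcessId"], "value": m.group(2), "target": e["Details"]})
    return hits


def self_delete_chains(events):
    """cmd.exe children whose del target is the image of the process that spawned them."""
    image_by_pid = {e["ProcessId"]: e["Image"] for e in events if e.get("EventID") == 1}
    hits = []
    for e in events:
        if e.get("EventID") != 1 or not e["Image"].lower().endswith("\\cmd.exe"):
            continue
        m = DEL_TARGET_RE.search(e["CommandLine"])
        if not m:
            continue
        target = _norm(m.group(1))
        parent_image = image_by_pid.get(e["ParentProcessId"])
        if parent_image and _norm(parent_image) == target:
            hits.append({"pid": e["ProcessId"], "parent_pid": e["ParentProcessId"],
                         "deleted": target,
                         "ping_delay": bool(re.search(r"\bping\b", e["CommandLine"], re.I))})
    return hits


if __name__ == "__main__":
    for hit in run_key_to_user_writable(EVENTS) + self_delete_chains(EVENTS):
        print(hit)
```

The self-deletion rule keys on the relationship between the del target and the parent's image rather than on the literal "ping 127.0.0.1 & del" string, so the constructed cleanup of build.log does not fire while a variant using timeout instead of ping still would; the ping_delay flag only records the delay technique. The Run-key rule matches both the native and the Wow6432Node key paths, which is what the WOW64 redirection seen in this report requires.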
Network
MITRE ATT&CK Enterprise v6
Downloads
One dropped file, listed twice on the page. The page does not name it; the only dropped executable in the report is MediaCenter.exe, and these hashes differ from the submitted sample's.
- MD5: af2f73e10cdce445f1ba34175df34f3d
  SHA1: 583772533ae72c42471b40ce8628b72391c20ad3
  SHA256: d4a0186b7a0b51b01ce065905c30576c4407c453ad94ee9c2e2107935a4d1ee4
  SHA512: 034ef4cbb678f0c95a2882201413a5054f2e5417b4704694da4481b2c18fcf7515b237811f9809b5c3e75740be5f6b3ccf83ec56e9ead83d60c3b75a1461f409