Analysis
max time kernel: 147s
max time network: 152s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 07:35
Static task
static1
Behavioral task
behavioral1
Sample
0d312c876e0e292ee273c53ff8c74d83d5f40379975e33639208b4e46b4b81bb.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0d312c876e0e292ee273c53ff8c74d83d5f40379975e33639208b4e46b4b81bb.exe
Resource
win10v2004-en-20220112
General
Target: 0d312c876e0e292ee273c53ff8c74d83d5f40379975e33639208b4e46b4b81bb.exe
Size: 200KB
MD5: a631f4bfb8234a0f5cd5abad15da12d7
SHA1: 13e39e483ea0bf12bfc7e0dcf43b187b8b920b13
SHA256: 0d312c876e0e292ee273c53ff8c74d83d5f40379975e33639208b4e46b4b81bb
SHA512: 60443e260c9448def5ef011e7c13d77c0c160e899cdde241b973fef8960f547c3eac642ad78ea3da2e7a62caac7606f2abd5c60c326cef8248ed11bcd836133f
Malware Config
Signatures
Sakula Payload 4 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral1/memory/1720-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral1/memory/1888-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1888 | MediaCenter.exe
Deletes itself 1 IoCs
Processes:
pid | process
820 | cmd.exe
Loads dropped DLL 1 IoCs
Processes:
pid | process
1720 | 0d312c876e0e292ee273c53ff8c74d83d5f40379975e33639208b4e46b4b81bb.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0d312c876e0e292ee273c53ff8c74d83d5f40379975e33639208b4e46b4b81bb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 1720 | 0d312c876e0e292ee273c53ff8c74d83d5f40379975e33639208b4e46b4b81bb.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 1720 wrote to memory of 1888 | 1720 | 0d312c876e0e292ee273c53ff8c74d83d5f40379975e33639208b4e46b4b81bb.exe | MediaCenter.exe
PID 1720 wrote to memory of 1888 | 1720 | 0d312c876e0e292ee273c53ff8c74d83d5f40379975e33639208b4e46b4b81bb.exe | MediaCenter.exe
PID 1720 wrote to memory of 1888 | 1720 | 0d312c876e0e292ee273c53ff8c74d83d5f40379975e33639208b4e46b4b81bb.exe | MediaCenter.exe
PID 1720 wrote to memory of 1888 | 1720 | 0d312c876e0e292ee273c53ff8c74d83d5f40379975e33639208b4e46b4b81bb.exe | MediaCenter.exe
PID 1720 wrote to memory of 820 | 1720 | 0d312c876e0e292ee273c53ff8c74d83d5f40379975e33639208b4e46b4b81bb.exe | cmd.exe
PID 1720 wrote to memory of 820 | 1720 | 0d312c876e0e292ee273c53ff8c74d83d5f40379975e33639208b4e46b4b81bb.exe | cmd.exe
PID 1720 wrote to memory of 820 | 1720 | 0d312c876e0e292ee273c53ff8c74d83d5f40379975e33639208b4e46b4b81bb.exe | cmd.exe
PID 1720 wrote to memory of 820 | 1720 | 0d312c876e0e292ee273c53ff8c74d83d5f40379975e33639208b4e46b4b81bb.exe | cmd.exe
PID 820 wrote to memory of 1820 | 820 | cmd.exe | PING.EXE
PID 820 wrote to memory of 1820 | 820 | cmd.exe | PING.EXE
PID 820 wrote to memory of 1820 | 820 | cmd.exe | PING.EXE
PID 820 wrote to memory of 1820 | 820 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0d312c876e0e292ee273c53ff8c74d83d5f40379975e33639208b4e46b4b81bb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d312c876e0e292ee273c53ff8c74d83d5f40379975e33639208b4e46b4b81bb.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1720
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1888
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d312c876e0e292ee273c53ff8c74d83d5f40379975e33639208b4e46b4b81bb.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 820
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1820
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 476f999ca99bd961b0d13750b12b8006
SHA1: 5e114348af358be877a31f400557da39db3ca8f3
SHA256: dbe0fc4b8c4378975d59c0cd8616047170c6cd8994e77c5349c83af32cfc8d13
SHA512: 9aa62e0e8c07ac47e784a98d3aece07777c58fbb1348d639192d9e620fb307927d12b133e67756609889cfb342a25a3fe907ecab55f1b2aba046c8c5128a8552