Analysis
- max time kernel: 131s
- max time network: 144s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:36
Static task: static1
Behavioral task: behavioral1
  Sample: 0d2715efc8cdb25925e7d7d1f58514f0b62f999100fe892793c0e4e83c620a30.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0d2715efc8cdb25925e7d7d1f58514f0b62f999100fe892793c0e4e83c620a30.exe
  Resource: win10v2004-en-20220113
General
- Target: 0d2715efc8cdb25925e7d7d1f58514f0b62f999100fe892793c0e4e83c620a30.exe
- Size: 89KB
- MD5: 573c7955eecf5030dc9ca385f1927a32
- SHA1: f29e8d30a126b197ac0c8185ec0e3c21e18a7039
- SHA256: 0d2715efc8cdb25925e7d7d1f58514f0b62f999100fe892793c0e4e83c620a30
- SHA512: d2307a62b2cfcb6d957817ce7b91011ec3e62da2b1919ad54f2f59c8f4e45c486362e8b5f342c1ce8c9dd4d34047e25d1d679f6f13f4797c5f2491adac69e51c
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  pid | process
  320 | MediaCenter.exe
- Deletes itself (1 IoC)
  pid | process
  1820 | cmd.exe
- Loads dropped DLL (1 IoC)
  pid | process
  268 | 0d2715efc8cdb25925e7d7d1f58514f0b62f999100fe892793c0e4e83c620a30.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0d2715efc8cdb25925e7d7d1f58514f0b62f999100fe892793c0e4e83c620a30.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned note for this signature reads "Likely ransomware behaviour"; nothing else in this report supports that reading, and the YARA and Suricata hits above classify the sample as the Sakula/Mivast RAT, for which drive enumeration is reconnaissance rather than an encryption precursor.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 268 | 0d2715efc8cdb25925e7d7d1f58514f0b62f999100fe892793c0e4e83c620a30.exe
- Suspicious use of WriteProcessMemory (12 IoCs; four identical entries per pair)
  source pid | source process | target pid | target process | entries
  268 | 0d2715efc8cdb25925e7d7d1f58514f0b62f999100fe892793c0e4e83c620a30.exe | 320 | MediaCenter.exe | 4
  268 | 0d2715efc8cdb25925e7d7d1f58514f0b62f999100fe892793c0e4e83c620a30.exe | 1820 | cmd.exe | 4
  1820 | cmd.exe | 956 | PING.EXE | 4
Processes
- C:\Users\Admin\AppData\Local\Temp\0d2715efc8cdb25925e7d7d1f58514f0b62f999100fe892793c0e4e83c620a30.exe (PID 268)
  command line: "C:\Users\Admin\AppData\Local\Temp\0d2715efc8cdb25925e7d7d1f58514f0b62f999100fe892793c0e4e83c620a30.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 320)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1820)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d2715efc8cdb25925e7d7d1f58514f0b62f999100fe892793c0e4e83c620a30.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 956)
      command line: ping 127.0.0.1
      - Runs ping.exe

Two details of this tree are worth reading correctly. The command line names System32\cmd.exe while the image that ran is SysWOW64\cmd.exe: that is WoW64 file-system redirection, i.e. the sample is a 32-bit binary on a 64-bit host, which is also why its Run value lands under Wow6432Node. And the ping to 127.0.0.1 is not network activity of interest; it is used as a short sleep so that the parent process has exited and released its file handle before del /q removes the original executable, leaving only the dropped MediaCenter.exe on disk.
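As an added example (this is not part of the sandbox report and not a tool of the sandbox), the following Python replays a small set of constructed, Sysmon-style events modelled on the process tree and registry write above and raises the two findings a detection engineer would key on: a Run value that points into a user's Temp directory (and whether that persisted binary was actually executed), and the cmd /c ping ... & del /q "<file>" self-deletion idiom (and whether the deleted file is the image of the process that spawned cmd.exe). The event field names and the parent PID 1000 are assumptions of this example.

```python
import re

# Constructed sample events modelled on the process tree and registry write in the
# report above. The event shape (type/pid/ppid/image/cmdline/key/value) and the
# parent PID 1000 are this example's own assumptions, not a sandbox export format.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0d2715efc8cdb25925e7d7d1f58514f0b62f999100fe892793c0e4e83c620a30.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

SAMPLE_EVENTS = [
    {"type": "process", "pid": 268, "ppid": 1000, "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"'},
    {"type": "registry", "pid": 268,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    {"type": "process", "pid": 320, "ppid": 268, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process", "pid": 1820, "ppid": 268, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"type": "process", "pid": 956, "ppid": 1820, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]

# Run or RunOnce value under any hive/view (HKLM, HKCU, Wow6432Node all match).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Persistence target living in a per-user Temp directory.
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# cmd /c ping <anything> & del [/switches] "<path>.exe": ping used as a sleep, then delete.
# Group 1 captures the file being deleted.
SELF_DELETE_RE = re.compile(
    r'cmd(?:\.exe)?"?\s+/c\s+ping\b[^&]*&\s*del\s+(?:/[a-z]\s+)*"?([^"&]+?\.exe)"?',
    re.IGNORECASE,
)


def detect(events):
    """Return a list of findings for the given event stream (see SAMPLE_EVENTS for the shape)."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    executed = {img.lower() for img in images.values()}
    findings = []
    for e in events:
        if e["type"] == "registry":
            if RUN_KEY_RE.search(e["key"]) and USER_TEMP_RE.search(e["value"]):
                findings.append({
                    "rule": "run_key_to_user_temp",
                    "pid": e["pid"],
                    "target": e["value"],
                    # True when the persisted binary was also launched during this run
                    "target_executed": e["value"].lower() in executed,
                })
        elif e["type"] == "process":
            m = SELF_DELETE_RE.search(e["cmdline"])
            if m:
                target = m.group(1)
                findings.append({
                    "rule": "self_delete_via_ping",
                    "pid": e["pid"],
                    "target": target,
                    # True when the deleted file is the image of the process that spawned cmd.exe
                    "deletes_parent": target.lower() == images.get(e["ppid"], "").lower(),
                })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

The two rules are the same tells the report's "Adds Run key to start application" and "Deletes itself" signatures fire on, expressed so they can be ported to a SIEM query: the correlation fields (target_executed, deletes_parent) are what lift them from "interesting" to "the dropped payload is persisted and the dropper cleaned up after itself".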
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 42b3e40e41ec375316d6bc4ce0cec5f4
  SHA1: 6f994b6f035634651be5ccbe8e7a28d5c2337a69
  SHA256: a5c71ef7f1f7b26ad2aa5ea57eecde9b54e4ec0ddbfef94bad7477319cbc0c28
  SHA512: 1ab901e71acd83826427c935ffb7afbb116257ad5ca5310b86feb958e8cdf3fb727683f4e19924197a13be17bf19dc08ac0e90f3d52dca014ce6f8103df0e1ba