Analysis
- max time kernel: 141s
- max time network: 148s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:46
Behavioral task: behavioral1
- Sample: 0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe
- Resource: win7-en-20211208
General
- Target: 0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe
- Size: 212KB
- MD5: 4f555d008896698e15f7d99963c63382
- SHA1: 397fd99d2fb6f0159e84ca394526dd1ff2e1d4c4
- SHA256: 0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1
- SHA512: 879319ea6a5ee001b8404b004d3494f33a9621dc5d24b1f2c41e000657205695b643dc528201fcfade2d5773f7d964edcb492177317ea8fe13a936c0da6a8a4e
Malware Config
Signatures

Sakula Payload (2 IoCs)
Processes (resource: yara_rule):
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
Processes (process: pid):
- MediaCenter.exe: 828
Processes (resource: yara_rule):
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: upx
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: upx
Deletes itself (1 IoC)
Processes (process: pid):
- cmd.exe: 432
Loads dropped DLL (1 IoC)
Processes (process: pid):
- 0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe: 1664
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- description: Token: SeIncBasePriorityPrivilege
  pid: 1664
  process: 0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description | pid | process | target process):
- PID 1664 wrote to memory of 828 | 1664 | 0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe | MediaCenter.exe (4 identical entries)
- PID 1664 wrote to memory of 432 | 1664 | 0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe | cmd.exe (4 identical entries)
- PID 432 wrote to memory of 1260 | 432 | cmd.exe | PING.EXE (4 identical entries)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1664

  Depth 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 828

  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 432

    Depth 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1260
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 89070f60c1ca1625a648c0e736bd4d8b
- SHA1: d9667a9f72307732ffe465f260ad765dce7ddc3c
- SHA256: d75334d5be5d37ab5df17205d6c6a4780a44870f57e585adabfeb44a640e8d43
- SHA512: d8185e8b59a6e48028ae679204489893a3a81d0ad2b98c8beb5648d8bb28a684a1e9a2982f49947d824df322b6b78dd70bc8814eff0453220c34c0cd59b16a6a