Analysis
- max time kernel: 149s
- max time network: 157s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:47
Static task: static1
Behavioral task: behavioral1
- Sample: 0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe
- Resource: win10v2004-en-20220113
General
- Target: 0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe
- Size: 200KB
- MD5: bfbe4b2ec56db581d1e48ab3572143f9
- SHA1: 6fdfa0c845252ad6aa802579c22de6a4f591fd72
- SHA256: 0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632
- SHA512: 4a5669bd2f9537b33a79480304813978cd3fffbbf7a27d3399248d3c257b1bf869101bd09eff2763c6b5a6a54e68f266a8af4fa150a98f721d190af24fc11af4
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  resource                                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
  behavioral1/memory/1396-59-0x0000000000400000-0x0000000000420000-memory.dmp   family_sakula
  behavioral1/memory/804-60-0x0000000000400000-0x0000000000420000-memory.dmp    family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  - PID 804: MediaCenter.exe
- Deletes itself (1 IoC)
  - PID 668: cmd.exe
- Loads dropped DLL (1 IoC)
  - PID 1396: 0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  - 0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  - Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour"; in this report the Suricata hit and the yara matches identify the sample as the Sakula/Mivast RAT, so this heuristic on its own should not be read as evidence of ransomware.
- Runs ping.exe (1 TTP, 1 IoC)
  - PID 1984: PING.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeIncBasePriorityPrivilege, PID 1396, 0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  source PID   source process                                                            target PID   target process    calls
  1396         0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe      804          MediaCenter.exe   4
  1396         0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe      668          cmd.exe           4
  668          cmd.exe                                                                   1984         PING.EXE          4
  Every write goes from a parent into a child it has just created (see the process tree), which is the pattern a normal CreateProcess produces; nothing here shows a write into an unrelated process, so this signature alone is not evidence of injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe (PID 1396)
  command line: "C:\Users\Admin\AppData\Local\Temp\0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 804)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 668)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1984)
      command line: ping 127.0.0.1
      - Runs ping.exe
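The process tree records the two behaviours most worth turning into host detections: the dropper sets a Run key pointing at an executable under the user's Temp directory, and it spawns cmd.exe with "ping 127.0.0.1 & del /q <its own path>" so the shell waits for ping to finish and then removes the original file. The script below is an added example, not part of this report or of the sandbox's own rules: it runs both checks over constructed Sysmon-style events and correlates them back to the process that did both. The event schema (the "kind", "pid", "ppid", "image", "cmdline", "key" and "value" fields), the two benign control records, and the regular expressions are assumptions; the PIDs, paths and command lines are taken from the report.

```python
"""Detect the self-delete shell and the %TEMP% Run-key persistence seen in the report."""
import re
from typing import Dict, List

# Paths taken from the report's process tree.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed telemetry in an assumed Sysmon-like shape ("process" = EID 1 process
# creation, "registry" = EID 13 value set). PIDs, images and command lines mirror
# the report; the last two records are invented benign controls.
EVENTS: List[Dict] = [
    {"kind": "process", "pid": 1396, "ppid": 1000, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"kind": "process", "pid": 804, "ppid": 1396, "image": DROPPED, "cmdline": DROPPED},
    {"kind": "process", "pid": 668, "ppid": 1396, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"kind": "process", "pid": 1984, "ppid": 668, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    {"kind": "registry", "pid": 1396,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    {"kind": "process", "pid": 2200, "ppid": 2100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ping 10.0.0.1 -n 2"},          # benign connectivity check (constructed)
    {"kind": "registry", "pid": 2300,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Program Files\Vendor\updater.exe"},     # benign Run key (constructed)
]

# "del" or "erase", optional switches such as /q, then a possibly quoted target
# that ends at the next "&" or at the end of the command line.
DELETE_RE = re.compile(r'\b(?:del|erase)\b(?:\s+/\w+)*\s+"?([^"&]+?)"?\s*(?:&|$)', re.IGNORECASE)
DELAY_RE = re.compile(r"\b(?:ping|timeout)\b", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)


def _norm(path: str) -> str:
    """Case-fold and strip quotes so a command-line token compares to an image path."""
    return path.strip().strip('"').lower()


def detect_self_delete(events: List[Dict]) -> List[Dict]:
    """Flag cmd.exe that is told to wait (ping/timeout) and then delete its parent's own image."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    hits = []
    for e in events:
        if e["kind"] != "process" or not e["image"].lower().endswith("\\cmd.exe"):
            continue
        match = DELETE_RE.search(e["cmdline"])
        if not match or not DELAY_RE.search(e["cmdline"]):
            continue
        parent = procs.get(e["ppid"])
        target = _norm(match.group(1))
        # Compare against the parent's recorded image path, not a hard-coded file name.
        if parent is not None and target == _norm(parent["image"]):
            hits.append({"pid": e["pid"], "parent_pid": parent["pid"], "deleted": target})
    return hits


def detect_temp_run_key(events: List[Dict]) -> List[Dict]:
    """Flag Run/RunOnce values whose target executable lives under a temp directory."""
    return [
        {"pid": e["pid"], "key": e["key"], "target": e["value"]}
        for e in events
        if e["kind"] == "registry" and RUN_KEY_RE.search(e["key"]) and TEMP_DIR_RE.search(e["value"])
    ]


def correlate(events: List[Dict]) -> List[int]:
    """PIDs that both installed temp-dir persistence and spawned a shell to delete their own file."""
    deleters = {h["parent_pid"] for h in detect_self_delete(events)}
    persisters = {h["pid"] for h in detect_temp_run_key(events)}
    return sorted(deleters & persisters)


if __name__ == "__main__":
    for hit in detect_self_delete(EVENTS) + detect_temp_run_key(EVENTS):
        print(hit)
    print("correlated dropper PIDs:", correlate(EVENTS))
```

Two details from the tree shape the matching. The shell's command line names C:\Windows\System32\cmd.exe while the recorded image is C:\Windows\SysWOW64\cmd.exe, because the 32-bit parent is subject to WoW64 file-system redirection; the image check therefore uses the recorded image path and only the suffix \cmd.exe. Likewise the deletion target is compared with the parent's recorded image rather than with the sample's hash-named file, so the same logic fires when the dropper is renamed.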
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 9f1346b9632a2ccf15965548bc4bab15
  SHA1: edafd646dca82836374465e38874cc1accf69c08
  SHA256: cb46993ab3b48814fe9d7acb2e3e861ca99df476a510001f8683e7562f1c1a59
  SHA512: 27dba21a077ac169b293647dbb22b66b429d24e66cf2e351c456cecb92fbc54ac509d518ada4a1b12ac93aefa3a90091204ad6e169ca499cc089683ceb5b40ed