Analysis
- max time kernel: 134s
- max time network: 144s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:50

Static task: static1

Behavioral task: behavioral1
- Sample: 0c922c3498b639e1340b836f3961e2de78a8ef828396dff6626ed4a136014110.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0c922c3498b639e1340b836f3961e2de78a8ef828396dff6626ed4a136014110.exe
- Resource: win10v2004-en-20220112

General
- Target: 0c922c3498b639e1340b836f3961e2de78a8ef828396dff6626ed4a136014110.exe
- Size: 216KB
- MD5: 0b02352436bdbe87d89ab078ed83dcf1
- SHA1: ff5c07e810be06de55bfa58bbfd66d6740236578
- SHA256: 0c922c3498b639e1340b836f3961e2de78a8ef828396dff6626ed4a136014110
- SHA512: 46f7d5053e3cdb90e7aa191b291cfc18c4312d233ba64f23edb71b63e680bd91abef8707c53e7ab6aa2540aad116b878a53b6d57a272986de478cc937c888e03
Malware Config
Signatures
Sakula Payload (4 IoCs)
YARA hits (resource, rule):
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- behavioral1/memory/1664-58-0x0000000000400000-0x0000000000420000-memory.dmp: family_sakula
- behavioral1/memory/828-59-0x0000000000400000-0x0000000000420000-memory.dmp: family_sakula
The rule matches both the dropped MediaCenter.exe on disk and the 0x400000-0x420000 image region of the dropper (pid 1664) and of the dropped process (pid 828) in memory, so the Sakula payload is present in the original sample as well as in the file it writes.
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Both signatures fire on the sample's outbound HTTP: a User-Agent that the ET ruleset tags as suspicious ("iexplore") and a request matching the Sakula/Mivast beacon pattern. No destination host or IP is listed in this report's Network section.
Executes dropped EXE (1 IoC)
- pid 828: MediaCenter.exe

Deletes itself (1 IoC)
- pid 1964: cmd.exe

Loads dropped DLL (1 IoC)
- pid 1664: 0c922c3498b639e1340b836f3961e2de78a8ef828396dff6626ed4a136014110.exe
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe", written by 0c922c3498b639e1340b836f3961e2de78a8ef828396dff6626ed4a136014110.exe
The write lands under Wow6432Node, i.e. the 32-bit registry view on this x64 host, which is consistent with the sample being a 32-bit image (its cmd.exe child also runs from SysWOW64). A machine-wide Run value pointing into a user's AppData\Local\Temp directory is a strong persistence indicator in its own right.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches a generic "likely ransomware behaviour" note to this signature; nothing else in this report (no mass file writes, no encryption artefacts) supports that reading, and for a Sakula RAT drive enumeration is better read as host reconnaissance.
Runs ping.exe (1 TTP, 1 IoC)
- pid 1256: PING.EXE (from the process tree below; spawned by cmd.exe as a delay before the delete)
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeIncBasePriorityPrivilege enabled by pid 1664, 0c922c3498b639e1340b836f3961e2de78a8ef828396dff6626ed4a136014110.exe
SeIncBasePriorityPrivilege is also enabled by benign software that raises its own priority, so this entry is low-signal on its own; it matters here only in combination with the other indicators.
Suspicious use of WriteProcessMemory (12 IoCs)
The sandbox records one row per write; the 12 rows collapse to three parent/child pairs, four writes each:
- PID 1664 (0c922c3498b639e1340b836f3961e2de78a8ef828396dff6626ed4a136014110.exe) wrote to memory of PID 828 (MediaCenter.exe): 4 writes
- PID 1664 (0c922c3498b639e1340b836f3961e2de78a8ef828396dff6626ed4a136014110.exe) wrote to memory of PID 1964 (cmd.exe): 4 writes
- PID 1964 (cmd.exe) wrote to memory of PID 1256 (PING.EXE): 4 writes
Every target is a child the writer itself just spawned, which is the pattern of ordinary process creation; this signature alone is not evidence of code injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\0c922c3498b639e1340b836f3961e2de78a8ef828396dff6626ed4a136014110.exe (PID 1664)
  command line: "C:\Users\Admin\AppData\Local\Temp\0c922c3498b639e1340b836f3961e2de78a8ef828396dff6626ed4a136014110.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 828)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1964)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c922c3498b639e1340b836f3961e2de78a8ef828396dff6626ed4a136014110.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1256)
      command line: ping 127.0.0.1
      - Runs ping.exe

Two details worth reading off the tree. The dropper invokes C:\Windows\System32\cmd.exe but the process that runs is C:\Windows\SysWOW64\cmd.exe: the 32-bit parent's System32 reference is redirected by WOW64 file system redirection. And the ping of 127.0.0.1 is not network activity but a delay: it gives the dropper time to exit so that del /q can remove its (no longer locked) image, leaving only MediaCenter.exe, which is persisted through the Run key.
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: dd002f9cde09f4d39501172e9a177931
  SHA1: 5883d54d073d5375f13d662595506f0d251d5714
  SHA256: 600d395029000d4b035939cfe62058784529d700a57af2caf3081256eca733f7
  SHA512: 9a2ffa0f2f535543d69abebd6c6fb8e67ea02a84fef38ba36026e40e4246e2fe3e80dd0572d54c7f6bef773904edd190bdc029b43debfedac58f6622b6dc0044
This one hash set appears twice in the report's download list. The download list does not name the file; these hashes differ from the submitted sample's, and the only file the report shows being written is MicroMedia\MediaCenter.exe (listed twice under the Sakula YARA hits), so they most likely belong to that dropped payload.