Analysis
Max time kernel: 146s
Max time network: 152s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 07:53
Static task: static1
Behavioral task: behavioral1
  Sample: 0c6b397f5fe55d4de41e4ffd9638d0d20494199ca7aea85318e4ac40668c6038.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0c6b397f5fe55d4de41e4ffd9638d0d20494199ca7aea85318e4ac40668c6038.exe
  Resource: win10v2004-en-20220112
General
Target: 0c6b397f5fe55d4de41e4ffd9638d0d20494199ca7aea85318e4ac40668c6038.exe
Size: 216KB
MD5: 985773b809bf939e3c43f4b636e0b5a3
SHA1: 4def3921a0e76b55ae53f3c7451e8953833337b5
SHA256: 0c6b397f5fe55d4de41e4ffd9638d0d20494199ca7aea85318e4ac40668c6038
SHA512: 09ba41a9f967d047d01b2f2953043985d0af21e576d2fa41455f07872402ebe3fdc07e467ff0f97f1b8a7ebb43f5f023e8bcef8d75f5f5db998c22c19e7fcbf5
Malware Config
Signatures

Sakula Payload (4 IoCs)
YARA rule family_sakula matched the following resources:
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  behavioral1/memory/1680-58-0x0000000000400000-0x0000000000420000-memory.dmp (PID 1680, the submitted sample)
  behavioral1/memory/1388-59-0x0000000000400000-0x0000000000420000-memory.dmp (PID 1388, the dropped MediaCenter.exe)
Both memory hits cover the same 0x400000-0x420000 region (128 KiB at the default 32-bit image base) in the sample and in the dropped file, consistent with the dropped EXE carrying the same Sakula payload as the original.

suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

Executes dropped EXE (1 IoC)
  PID 1388  MediaCenter.exe

Deletes itself (1 IoC)
  PID 540  cmd.exe

Loads dropped DLL (1 IoC)
  PID 1680  0c6b397f5fe55d4de41e4ffd9638d0d20494199ca7aea85318e4ac40668c6038.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by PID 1680 (0c6b397f5fe55d4de41e4ffd9638d0d20494199ca7aea85318e4ac40668c6038.exe):
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

Enumerates physical storage devices (1 TTP)
  Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour." This is the signature's generic text; nothing else in this report points to ransomware, and the payload is classified as the Sakula RAT.

Runs ping.exe (1 TTP, 1 IoC)
  PID 396  PING.EXE (ping 127.0.0.1, spawned by cmd.exe PID 540 as a delay before the original sample is deleted)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1680 (0c6b397f5fe55d4de41e4ffd9638d0d20494199ca7aea85318e4ac40668c6038.exe) adjusted token privilege SeIncBasePriorityPrivilege

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1680 (0c6b397f5fe55d4de41e4ffd9638d0d20494199ca7aea85318e4ac40668c6038.exe) wrote to memory of PID 1388 (MediaCenter.exe)  x4
  PID 1680 (0c6b397f5fe55d4de41e4ffd9638d0d20494199ca7aea85318e4ac40668c6038.exe) wrote to memory of PID 540 (cmd.exe)           x4
  PID 540 (cmd.exe) wrote to memory of PID 396 (PING.EXE)  x4
  Each write pairs a parent with a child it is shown creating in the process tree below, so these entries are consistent with ordinary process creation rather than injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\0c6b397f5fe55d4de41e4ffd9638d0d20494199ca7aea85318e4ac40668c6038.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0c6b397f5fe55d4de41e4ffd9638d0d20494199ca7aea85318e4ac40668c6038.exe"
   PID: 1680
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1388
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c6b397f5fe55d4de41e4ffd9638d0d20494199ca7aea85318e4ac40668c6038.exe"
      PID: 540
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 396
         - Runs ping.exe

Note: the command line names C:\Windows\System32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe, and the Run key landed under Wow6432Node. Both are the expected file-system and registry redirection for a 32-bit process on 64-bit Windows, so the sample is a 32-bit executable; match on the image path or basename, not on the literal System32 string in the command line.
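The three behaviours the tree shows (a Run value pointing into the user's Temp directory, a dropped EXE launched from Temp, and the `cmd /c ping ... & del` self-deletion stub) can be re-derived from ordinary process and registry telemetry. The following Python is an added example, not part of the sandbox report or of the Sakula sample; the event records are constructed from this report's process tree and Run-key IoC, and their field names (pid, ppid, image, cmdline, key, data) are an assumed schema rather than any product's real log format.

```python
"""Behavioural triage over a process tree (added example, not part of the report).

Re-implements three of the sandbox's signatures over a constructed event list:
  - "Adds Run key": a Run/RunOnce value whose data points into a user's Temp directory
  - "Executes dropped EXE": a child image under Temp launched by a tracked process
  - "Deletes itself": cmd.exe running `... del <parent's own image>`
The event dicts below are constructed from the report's process tree and
registry IoC; the field names are an assumed schema, not a real log format.
"""
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\0c6b397f5fe55d4de41e4ffd9638d0d20494199ca7aea85318e4ac40668c6038.exe"
DROPPED = TEMP + r"\MicroMedia\MediaCenter.exe"

# Constructed from the report's process tree (pid / parent pid / image / command line).
PROCESS_EVENTS = [
    {"pid": 1680, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1388, "ppid": 1680, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 540, "ppid": 1680, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 396, "ppid": 540, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
]

# Constructed from the report's "Adds Run key to start application" IoC.
REGISTRY_EVENTS = [
    {"pid": 1680,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": DROPPED},
]

USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
RUN_KEY_RE = re.compile(r"\\currentversion\\run(?:once)?\\([^\\]+)$", re.I)
# `del [/switches] "<path>"` or `del [/switches] <path>`, ended by `&` or end of line
DEL_RE = re.compile(r'\bdel\s+(?:/\w+\s+)*"?([^"&]+?)"?\s*(?:&|$)', re.I)


def in_user_temp(path: str) -> bool:
    """True when a (possibly quoted) path lies under C:\\Users\\<user>\\AppData\\Local\\Temp."""
    return bool(USER_TEMP_RE.match(path.strip('"')))


def find_temp_run_keys(registry_events):
    """(pid, value name, data) for Run/RunOnce values whose data points into a user Temp dir."""
    hits = []
    for ev in registry_events:
        m = RUN_KEY_RE.search(ev["key"])
        if m and in_user_temp(ev["data"]):
            hits.append((ev["pid"], m.group(1), ev["data"].strip('"')))
    return hits


def find_dropped_exe_exec(process_events):
    """(child pid, parent pid) where a tracked process launched a different EXE from user Temp."""
    by_pid = {ev["pid"]: ev for ev in process_events}
    return [(ev["pid"], ev["ppid"]) for ev in process_events
            if ev["ppid"] in by_pid and in_user_temp(ev["image"])
            and ev["image"].lower() != by_pid[ev["ppid"]]["image"].lower()]


def find_self_delete(process_events):
    """cmd.exe children whose `del` target is their parent's own image file."""
    by_pid = {ev["pid"]: ev for ev in process_events}
    hits = []
    for ev in process_events:
        # match on the image that ran, not the command line (System32 vs SysWOW64 redirection)
        if not ev["image"].lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(ev["cmdline"])
        parent = by_pid.get(ev["ppid"])
        if m and parent and m.group(1).lower() == parent["image"].lower():
            hits.append({"cmd_pid": ev["pid"], "target_pid": parent["pid"], "deleted": m.group(1),
                         # ping is the usual stall so the parent can exit before del runs
                         "delayed": bool(re.search(r"\bping\b", ev["cmdline"], re.I))})
    return hits


def triage(process_events, registry_events):
    """Run all three checks and return their hits keyed by signature name."""
    return {"run_key_in_temp": find_temp_run_keys(registry_events),
            "dropped_exe_exec": find_dropped_exe_exec(process_events),
            "self_delete": find_self_delete(process_events)}


if __name__ == "__main__":
    for name, hits in triage(PROCESS_EVENTS, REGISTRY_EVENTS).items():
        print(f"{name}: {hits}")
```

The self-deletion check keys on the relationship (the `del` target equals the parent's image) rather than on the literal `ping 127.0.0.1`, because the stall command varies between samples while the structure does not; the `delayed` flag only records whether a ping stall was present. The Temp-directory test is applied to the registry data and the child image path, which is why the Run value in this report is caught even though it is written under Wow6432Node.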
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: d75e558eeec4880fbf635fd12c544f06
SHA1: 404ad3d252a21c23d4c6a3f3a17313ee543cef05
SHA256: 2143047194f7c65cb3f73b539cd881767271d41e2d763492272cdeeaca1e5ec1
SHA512: 11058ea391c0dc4e875491b967e1f4e7efbe997f6fa42eda420d1acc7a589e1fbed60276d166412cdb981e8d9adec82a5f1a111ffd72004b6fee501838f23eb5
Note: these hashes do not match the submitted sample's, so this entry is a different file; the report does not identify which.