Analysis
- max time kernel: 159s
- max time network: 183s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 07:55
Static task: static1
Behavioral task: behavioral1
- Sample: 0c49764e31da8ca95f9d7e1af91b86f59303ebbcc0e38b41cd90073ac0b1971c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0c49764e31da8ca95f9d7e1af91b86f59303ebbcc0e38b41cd90073ac0b1971c.exe
- Resource: win10v2004-en-20220113
General
- Target: 0c49764e31da8ca95f9d7e1af91b86f59303ebbcc0e38b41cd90073ac0b1971c.exe
- Size: 176KB
- MD5: 236463c6b44dae64de40acae6139ff1b
- SHA1: 51faf7605c44f850cce440fa360b0c963ca04e4a
- SHA256: 0c49764e31da8ca95f9d7e1af91b86f59303ebbcc0e38b41cd90073ac0b1971c
- SHA512: ce0d99e826ac82c2e6031cd8d26faff5b592a24340663534c48eef1ce903f70b1c412b6738f23a9feae68c06727abf67544baef24aa5c869917ce7733d1b1489
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1264-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1100-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  pid | process
  1100 | MediaCenter.exe
- Deletes itself (1 IoC)
  pid | process
  1988 | cmd.exe
- Loads dropped DLL (1 IoC)
  pid | process
  1264 | 0c49764e31da8ca95f9d7e1af91b86f59303ebbcc0e38b41cd90073ac0b1971c.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0c49764e31da8ca95f9d7e1af91b86f59303ebbcc0e38b41cd90073ac0b1971c.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour", but that label does not fit here: the sample is classified as the Sakula/Mivast RAT by both the YARA match and the Suricata C2 alert, so the drive enumeration is better read as host reconnaissance than encryption staging.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1264 | 0c49764e31da8ca95f9d7e1af91b86f59303ebbcc0e38b41cd90073ac0b1971c.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 1264 wrote to memory of 1100 (4 calls) | 1264 | 0c49764e31da8ca95f9d7e1af91b86f59303ebbcc0e38b41cd90073ac0b1971c.exe | MediaCenter.exe
  PID 1264 wrote to memory of 1988 (4 calls) | 1264 | 0c49764e31da8ca95f9d7e1af91b86f59303ebbcc0e38b41cd90073ac0b1971c.exe | cmd.exe
  PID 1988 wrote to memory of 1596 (4 calls) | 1988 | cmd.exe | PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\0c49764e31da8ca95f9d7e1af91b86f59303ebbcc0e38b41cd90073ac0b1971c.exe (PID 1264)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0c49764e31da8ca95f9d7e1af91b86f59303ebbcc0e38b41cd90073ac0b1971c.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1100, child of 1264)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID 1988, child of 1264)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c49764e31da8ca95f9d7e1af91b86f59303ebbcc0e38b41cd90073ac0b1971c.exe"
      The command line names System32\cmd.exe but the image that actually ran is SysWOW64\cmd.exe: the 32-bit sample is subject to WOW64 file-system redirection, which is consistent with its Run value landing under Wow6432Node. The ping to 127.0.0.1 is only a delay so that the dropper has exited and its file is no longer locked when del runs.
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 1596, child of 1988)
         Command line: ping 127.0.0.1
         - Runs ping.exe
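The process tree above is the whole Sakula install sequence in three steps: the dropper launches its payload from a new MicroMedia folder under the user's %TEMP%, registers that payload under a Run key, then hands itself to cmd.exe with "ping 127.0.0.1 & del /q <own path>" so the original file vanishes after a short delay. The script below is an added example, not part of this report or of any sandbox's code, showing how to detect each of those steps from endpoint telemetry. The event records are constructed to mirror the PIDs and paths in this report; their field names are a simplified Sysmon-like schema (event 1 = process create, event 13 = registry value set) and are an assumption, not real Sysmon output.

```python
import re

# Constructed events mirroring this report's process tree. The schema
# (simplified Sysmon-like field names) is an assumption for the example.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0c49764e31da8ca95f9d7e1af91b86f59303ebbcc0e38b41cd90073ac0b1971c.exe")
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
RUN_KEY = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia"

EVENTS = [
    {"id": 1, "pid": 1264, "ppid": 900, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"id": 13, "pid": 1264, "image": SAMPLE, "target": RUN_KEY, "details": PAYLOAD},
    {"id": 1, "pid": 1100, "ppid": 1264, "image": PAYLOAD, "cmdline": PAYLOAD},
    {"id": 1, "pid": 1988, "ppid": 1264, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"id": 1, "pid": 1596, "ppid": 1988, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]

# A path under a user's %TEMP% (case-insensitive).
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# "del [/switches] <path>" at the end of a cmd.exe command line, quoted or not.
DEL_CMD = re.compile(r'\bdel\b(?:\s+/[a-z]+)*\s+"?([^"]+?)"?\s*$', re.I)


def basename(path):
    """Last path component, lower-cased; works on Windows paths on any host."""
    return path.rsplit("\\", 1)[-1].lower()


def run_key_persistence(events):
    """Run-key values whose target executable lives under a user's %TEMP% (T1547.001)."""
    hits = []
    for e in events:
        if e["id"] != 13:
            continue
        if "\\currentversion\\run\\" in e["target"].lower() and USER_TEMP.match(e["details"]):
            hits.append((e["pid"], e["target"], e["details"]))
    return hits


def self_delete_chains(events):
    """cmd.exe spawned by a process to delete that process's own image (T1070.004).

    Returns (parent pid, parent image, delayed) where delayed says whether a
    ping was chained in front of the del, as this sample does.
    """
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for e in procs.values():
        if basename(e["image"]) != "cmd.exe":
            continue
        m = DEL_CMD.search(e["cmdline"])
        parent = procs.get(e["ppid"])
        if not m or parent is None:
            continue
        if m.group(1).lower() == parent["image"].lower():
            delayed = re.search(r"\bping\b", e["cmdline"], re.I) is not None
            hits.append((parent["pid"], parent["image"], delayed))
    return hits


def temp_drop_executions(events):
    """Executables launched from under %TEMP% by a parent that also runs from %TEMP%."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if (parent and USER_TEMP.match(e["image"]) and USER_TEMP.match(parent["image"])
                and basename(e["image"]) != basename(parent["image"])):
            hits.append((parent["pid"], e["pid"], e["image"]))
    return hits


def analyze(events):
    """Run all three detections and return their findings keyed by name."""
    return {
        "run_key_persistence": run_key_persistence(events),
        "self_delete_chains": self_delete_chains(events),
        "temp_drop_executions": temp_drop_executions(events),
    }


if __name__ == "__main__":
    for name, hits in analyze(EVENTS).items():
        print(name, hits)
```

The self-delete check keys on the deleted path matching the parent's own image rather than on the literal "ping 127.0.0.1 & del" string, so it still fires when the delay is done with timeout or choice instead of ping; the ping is reported separately as a flavour of the chain. Each detector alone is noisy on a busy host (installers also run from %TEMP%), which is why they are returned together: all three firing from the same parent PID within seconds is the signal.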
Network
MITRE ATT&CK Enterprise v6
Downloads (one file; the same hashes were reported twice)
- MD5: b4c442d7b0e1f4afd20bca61b8ade3cb
- SHA1: b590966c5d5b93821dd3ecdaeff9798aa722816f
- SHA256: ea436b7b3d4b99c5011728d67a10edfe8d0ee90c4792860e6261678d3ef6b9b9
- SHA512: 116eac6bd26444aeb7477342d6e4c5c03dc7922e82acc37a7282d749371f7b642d0a5c1f6aa1803749068235aa4a30455a25d6f741395c4a9839dcfb256852cc