Analysis

Max time kernel: 166s
Max time network: 161s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 07:56

Static task: static1

Behavioral task: behavioral1
  Sample: 0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe
  Resource: win10v2004-en-20220113
General

Target: 0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe
Size: 216KB
MD5: bbca6c39502f278261354129ecf991f6
SHA1: ec75ce4f5bf4a04f4279f53ee559e3a25a9bf156
SHA256: 0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5
SHA512: bde3b00d6bee7ba5917c0babd173aff2295c8ecbaec6d1c7a996adcfc2834d1df299ef846108ce2c7681a3ee1ccd5a1ff1c4b370d2449f403c56d7701605e69c
Malware Config
Signatures

Sakula Payload (4 IoCs)
  Resources matched by YARA rule family_sakula:
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                      family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                    family_sakula
    behavioral1/memory/1584-59-0x0000000000400000-0x0000000000420000-memory.dmp     family_sakula
    behavioral1/memory/1512-60-0x0000000000400000-0x0000000000420000-memory.dmp     family_sakula
  The dropped MediaCenter.exe on disk (listed twice, with and without the drive letter) and the 0x400000-0x420000 image region of both the dropper (PID 1584) and the dropped process (PID 1512) match the family rule.

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

Executes dropped EXE (1 IoC)
  process: MediaCenter.exe (PID 1512)

Deletes itself (1 IoC)
  process: cmd.exe (PID 392)

Loads dropped DLL (1 IoC)
  process: 0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe (PID 1584)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe (PID 1584)
  This is the machine-wide HKLM Run key seen through the Wow6432Node view, i.e. written by a 32-bit process on the x64 guest; the autostart target is the dropped copy under the user's Temp directory, not the original sample.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (This is the signature's generic description text; the sample itself is classified above as the Sakula RAT.)

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege   PID 1584   0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  source PID  source process                                                          target PID  target process
  1584        0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe   1512        MediaCenter.exe   (reported 4 times)
  1584        0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe   392         cmd.exe           (reported 4 times)
  392         cmd.exe                                                                 1068        PING.EXE          (reported 4 times)
  Every write targets a process the source has just created, which is consistent with the writes a parent makes into a new child during process start-up rather than with injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe   (PID 1584)
   command line: "C:\Users\Admin\AppData\Local\Temp\0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   (PID 1512)
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe   (PID 392)
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE   (PID 1068)
         command line: ping 127.0.0.1
         - Runs ping.exe

The dropper asks for System32\cmd.exe but the process runs from SysWOW64 because the 32-bit parent is subject to file system redirection. The "ping 127.0.0.1 & del /q <self>" chain is the standard self-removal idiom: ping to localhost acts as a short delay so the original file is no longer in use by the time del runs, leaving only the dropped MediaCenter.exe (already registered in the Run key) on disk.
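The three behaviours the report calls out, Run-key persistence into a Temp path, execution of a dropped EXE from Temp, and the "ping & del" self-deletion, as detection logic over process and registry telemetry. This is an added example, not the sandbox's signature code: the event records are constructed in a simplified Sysmon-like dict layout (assumed), the dropper's parent PID 1000 is invented, and the PIDs, image paths, command lines and Run-key value are taken from the report above. The self-delete rule also accepts `timeout` as the delay command, which this sample does not use.

```python
import re
from typing import Dict, List, Tuple

# Constructed telemetry in a simplified Sysmon-like shape (assumed layout).
# PIDs, image paths, command lines and the Run-key value are those reported
# above; the parent PID 1000 of the dropper is an assumption for the example.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS: List[Dict[str, str]] = [
    {"event": "process_create", "pid": "1584", "ppid": "1000",
     "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"event": "process_create", "pid": "1512", "ppid": "1584",
     "image": DROPPED, "cmdline": DROPPED},
    {"event": "process_create", "pid": "392", "ppid": "1584",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "'
                + SAMPLE + '"'},
    {"event": "process_create", "pid": "1068", "ppid": "392",
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    {"event": "registry_set", "pid": "1584",
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# "ping|timeout ... & del <path>": a delay followed by a delete, the usual way
# a dropper removes its own file once it has exited.
SELF_DELETE = re.compile(
    r'\b(?:ping|timeout)\b[^&]*&\s*del\b[^"]*"?(?P<target>[A-Za-z]:\\[^"]+)',
    re.IGNORECASE)

Finding = Tuple[str, str, str]  # (rule name, pid, evidence)


def _procs(events: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    return {e["pid"] for e in []} or {e["pid"]: e for e in events
                                      if e["event"] == "process_create"}


def process_chain(events: List[Dict[str, str]], pid: str) -> List[str]:
    """Image basenames from the root of the tree down to `pid`."""
    procs = _procs(events)
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"].rsplit("\\", 1)[-1])
        pid = procs[pid]["ppid"]
    return chain[::-1]


def analyze(events: List[Dict[str, str]]) -> List[Finding]:
    procs = _procs(events)
    findings: List[Finding] = []
    for e in events:
        if e["event"] == "registry_set":
            # Run-key autostart whose target lives under the user's Temp dir.
            if RUN_KEY.search(e["key"]) and TEMP_DIR.search(e["value"]):
                findings.append(("run_key_persistence_from_temp", e["pid"], e["value"]))
            continue
        parent = procs.get(e["ppid"])
        if parent is None:
            continue
        # Executable started from Temp by a parent that also runs from Temp:
        # the "executes dropped EXE" pattern.
        if TEMP_DIR.search(e["image"]) and TEMP_DIR.search(parent["image"]):
            findings.append(("dropped_exe_from_temp", e["pid"], e["image"]))
        # cmd.exe whose delayed "del" target is its own parent's image file.
        if e["image"].lower().endswith("\\cmd.exe"):
            m = SELF_DELETE.search(e["cmdline"])
            if m and m.group("target").lower() == parent["image"].lower():
                findings.append(("self_delete_via_cmd", e["pid"], m.group("target")))
    return findings


if __name__ == "__main__":
    for rule, pid, evidence in analyze(EVENTS):
        print(f"{rule:32} pid={pid} {evidence}")
    print(" -> ".join(process_chain(EVENTS, "1068")))
```

The self-delete rule deliberately compares the `del` target against the parent's image rather than flagging every `ping & del`; administrators' cleanup scripts use the same construct, and the tell here is that the file being removed is the process that spawned the shell.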
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: d7ee7e58e11a51147bf2f4a55250594f
SHA1: 76628109bb5fddbd6d9b56eb5b1cd58978350587
SHA256: 2c5c0b284cb8303369d56d4096b9b94abc6e52840a9c58b9e7d6d88c3ec34ccc
SHA512: fb84a5661d0497776b9c3ef41cb7fd4181c75137164bfc686ead7c2479090c5c7a74e2298ee8a3715a32c01937f03078e3b38875d55981a05d6cfd8d928fc859