Analysis
max time kernel: 139s
max time network: 154s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 07:57
Static task: static1
Behavioral task: behavioral1
  Sample: 0c212fbde3f7a7fc8ae33649fcb316a7c338edb31cf37579341d5d972a0df39a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0c212fbde3f7a7fc8ae33649fcb316a7c338edb31cf37579341d5d972a0df39a.exe
  Resource: win10v2004-en-20220113
General
Target: 0c212fbde3f7a7fc8ae33649fcb316a7c338edb31cf37579341d5d972a0df39a.exe
Size: 216KB
MD5: 11ac5015db07b180426784ef739e0f45
SHA1: 91df958d1ba8ceda2ae76a90e3228ee105b1f465
SHA256: 0c212fbde3f7a7fc8ae33649fcb316a7c338edb31cf37579341d5d972a0df39a
SHA512: 8f38230ed0644e85639fb2bc39b61883fc299025d6016b50407a9f26815f7dbca48c049896cea0256a957236cea84d58cbe39a291e009feef9fe07e25136ad0e
Malware Config
Signatures
Sakula Payload 4 IoCs
Processes:
  resource                                                                     yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                 family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                   family_sakula
  behavioral1/memory/952-59-0x0000000000400000-0x0000000000420000-memory.dmp   family_sakula
  behavioral1/memory/1556-60-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  1556  MediaCenter.exe
Deletes itself 1 IoCs
Processes:
  pid  process
  608  cmd.exe
Loads dropped DLL 1 IoCs
Processes:
  pid  process
  952  0c212fbde3f7a7fc8ae33649fcb316a7c338edb31cf37579341d5d972a0df39a.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description      ioc                                                                                                                                                                                    process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0c212fbde3f7a7fc8ae33649fcb316a7c338edb31cf37579341d5d972a0df39a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description                        pid  process
  Token: SeIncBasePriorityPrivilege  952  0c212fbde3f7a7fc8ae33649fcb316a7c338edb31cf37579341d5d972a0df39a.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                      pid  process                                                                 target process
  PID 952 wrote to memory of 1556  952  0c212fbde3f7a7fc8ae33649fcb316a7c338edb31cf37579341d5d972a0df39a.exe  MediaCenter.exe
  PID 952 wrote to memory of 1556  952  0c212fbde3f7a7fc8ae33649fcb316a7c338edb31cf37579341d5d972a0df39a.exe  MediaCenter.exe
  PID 952 wrote to memory of 1556  952  0c212fbde3f7a7fc8ae33649fcb316a7c338edb31cf37579341d5d972a0df39a.exe  MediaCenter.exe
  PID 952 wrote to memory of 1556  952  0c212fbde3f7a7fc8ae33649fcb316a7c338edb31cf37579341d5d972a0df39a.exe  MediaCenter.exe
  PID 952 wrote to memory of 608   952  0c212fbde3f7a7fc8ae33649fcb316a7c338edb31cf37579341d5d972a0df39a.exe  cmd.exe
  PID 952 wrote to memory of 608   952  0c212fbde3f7a7fc8ae33649fcb316a7c338edb31cf37579341d5d972a0df39a.exe  cmd.exe
  PID 952 wrote to memory of 608   952  0c212fbde3f7a7fc8ae33649fcb316a7c338edb31cf37579341d5d972a0df39a.exe  cmd.exe
  PID 952 wrote to memory of 608   952  0c212fbde3f7a7fc8ae33649fcb316a7c338edb31cf37579341d5d972a0df39a.exe  cmd.exe
  PID 608 wrote to memory of 360   608  cmd.exe                                                                 PING.EXE
  PID 608 wrote to memory of 360   608  cmd.exe                                                                 PING.EXE
  PID 608 wrote to memory of 360   608  cmd.exe                                                                 PING.EXE
  PID 608 wrote to memory of 360   608  cmd.exe                                                                 PING.EXE
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\0c212fbde3f7a7fc8ae33649fcb316a7c338edb31cf37579341d5d972a0df39a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c212fbde3f7a7fc8ae33649fcb316a7c338edb31cf37579341d5d972a0df39a.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 952
  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1556
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c212fbde3f7a7fc8ae33649fcb316a7c338edb31cf37579341d5d972a0df39a.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 608
    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 360
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: df6c11f28985867ef9b3acd0fafcced2
SHA1: d7e004fbaf74fa65ffc463b5c1544838af831bdb
SHA256: 7f74986be27caee8e8830b1acf8d5e123730bd25289d84ef84591754081951f3
SHA512: 5e3906a6b7f869a81bd8dc5883806fbc779bb2d58bbcc2f14aae612708cc88366159d7c9d445c64397786dafd066f8cf20f04d39ece5a4013d078dbc390b31e2