Analysis
max time kernel: 152s
max time network: 167s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 08:00
Static task: static1
Behavioral task: behavioral1
  Sample: 0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe
  Resource: win10v2004-en-20220113
General
Target: 0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe
Size: 92KB
MD5: 6b127101c948ed99ccbeb9110397bc07
SHA1: af43d12c13f6942f67f6dc01f253429c3afc17d4
SHA256: 0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2
SHA512: d958f3bdd50b4a25e27e68a2506b493667b6e7b55a13c1c2af73d12d43a33f2b3f8133bc33e2b83284506da661339b761fa1023a3c808082023f5f8e70616236
Malware Config
Signatures
-
Sakula Payload (2 IoCs)
  yara rule family_sakula matched: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  yara rule family_sakula matched: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
  process: MediaCenter.exe, PID 1052
Deletes itself (1 IoC)
  process: cmd.exe, PID 800
Loads dropped DLL (1 IoC)
  process: 0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe, PID 808
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe, PID 808
Enumerates physical storage devices (1 TTP)
  Sandbox description: attempts to interact with connected storage/optical drive(s); the sandbox labels this "likely ransomware behaviour". That is the generic text attached to this signature and does not fit this sample: the Suricata hit above classifies it as the Sakula/Mivast RAT, so the drive enumeration should be read in the context of a remote-access trojan, not as a ransomware indicator.
Runs ping.exe (1 TTP, 1 IoC)
  process: PING.EXE, PID 1832 (see the process tree below)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege; process: 0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe, PID 808
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 808 (0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe) wrote to memory of PID 1052 (MediaCenter.exe), 4 entries
  PID 808 (0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe) wrote to memory of PID 800 (cmd.exe), 4 entries
  PID 800 (cmd.exe) wrote to memory of PID 1832 (PING.EXE), 4 entries
  Every pair is a parent writing into a child it has just created, which is what ordinary process creation looks like to this hook; these entries corroborate the process tree but are not on their own evidence of code injection.
Processes
C:\Users\Admin\AppData\Local\Temp\0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe (PID 808)
  command line: "C:\Users\Admin\AppData\Local\Temp\0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1052)
  |     command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  |     - Executes dropped EXE
  |
  +-- C:\Windows\SysWOW64\cmd.exe (PID 800)
        command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe"
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\PING.EXE (PID 1832)
              command line: ping 127.0.0.1
              - Runs ping.exe

Two details of the tree worth noting. The ping 127.0.0.1 is only a delay: it gives the original sample a few seconds to exit so that del /q can unlink the file that was still executing, which is the self-deletion the "Deletes itself" signature records. And the cmd.exe and PING.EXE image paths are under SysWOW64 although the command line names System32 because the sample is a 32-bit process, so WOW64 file-system redirection resolves the System32 path to its 32-bit counterpart.
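The three host-side behaviours recorded above (a cmd.exe child deleting its parent's own image after a ping delay, a Run value pointing into the user's Temp directory, and a Temp-resident process launching another executable from Temp) can be hunted for in process-creation and registry-set telemetry. The script below is an added example and is not part of the sandbox report or its tooling. The event records are constructed by hand: the field names are a Sysmon-style assumption of my own, not the sandbox's export format; the first five records mirror the report's process tree and Run-key write, and the remaining records are benign controls that must not fire.

```python
"""Hunt for the behaviours in the report: cmd-based self-deletion, Run-key
persistence into a user-writable path, and Temp-to-Temp process launch.

Added example; the EVENTS list is constructed to mirror the report's process
tree and registry write (plus benign controls), with assumed field names.
"""
import re
from typing import Dict, List

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0bf7cd663f84a5aa4427d4f2ade69e232cacf42899fb5eaf97e7a2d87afb8ea2.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS: List[Dict] = [
    # --- records mirroring the report's process tree and Run-key write ---
    {"type": "process", "pid": 808, "ppid": 1000, "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"'},
    {"type": "process", "pid": 1052, "ppid": 808, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process", "pid": 800, "ppid": 808, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"type": "process", "pid": 1832, "ppid": 800, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    {"type": "registry", "pid": 808,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    # --- benign controls (constructed): an installer deleting its log, not itself ---
    {"type": "process", "pid": 2000, "ppid": 1000,
     "image": r"C:\Users\Admin\Downloads\setup.exe", "cmdline": "setup.exe /s"},
    {"type": "process", "pid": 2001, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del /q "C:\Users\Admin\AppData\Local\Temp\setup.log"'},
    # --- benign control: Run value pointing at Program Files ---
    {"type": "registry", "pid": 2000,
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Program Files\Vendor\updater.exe"},
]

DEL_RE = re.compile(r"\bdel\b")
DELAY_RE = re.compile(r"\b(?:ping|timeout)\b")        # stall so the parent can exit first
RUN_KEY_RE = re.compile(r"\\currentversion\\run(?:once)?\\")  # native and Wow6432Node views
TEMP = "\\appdata\\local\\temp\\"
USER_WRITABLE = (TEMP, "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")


def _procs(events: List[Dict]) -> Dict[int, Dict]:
    """Index process-creation events by PID so children can find their parent."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def find_self_deletion(events: List[Dict]) -> List[Dict]:
    """cmd.exe whose command line deletes its parent's own image file."""
    procs, hits = _procs(events), []
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if parent is None or not e["image"].lower().endswith("\\cmd.exe"):
            continue
        cmd = e["cmdline"].lower()
        if DEL_RE.search(cmd) and parent["image"].lower() in cmd:
            hits.append({"parent_pid": parent["pid"], "cmd_pid": e["pid"],
                         "target": parent["image"], "delayed": bool(DELAY_RE.search(cmd))})
    return hits


def find_suspicious_run_keys(events: List[Dict]) -> List[Dict]:
    """Run/RunOnce values that point into user-writable directories."""
    hits = []
    for e in events:
        if e["type"] != "registry" or not RUN_KEY_RE.search(e["key"].lower()):
            continue
        target = e["value"].lower().strip('"')
        if any(d in target for d in USER_WRITABLE):
            hits.append({"pid": e["pid"], "key": e["key"], "value": e["value"]})
    return hits


def find_temp_to_temp_exec(events: List[Dict]) -> List[Dict]:
    """A Temp-resident process starting another executable that also lives in
    Temp (the sample launching the MediaCenter.exe it dropped)."""
    procs, hits = _procs(events), []
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if parent and TEMP in e["image"].lower() and TEMP in parent["image"].lower():
            hits.append({"parent_pid": parent["pid"], "pid": e["pid"], "image": e["image"]})
    return hits


def hunt(events: List[Dict]) -> Dict[str, List[Dict]]:
    """Run all three detections and return their hits keyed by name."""
    return {"self_deletion": find_self_deletion(events),
            "run_keys": find_suspicious_run_keys(events),
            "temp_to_temp_exec": find_temp_to_temp_exec(events)}


if __name__ == "__main__":
    for name, found in hunt(EVENTS).items():
        print(f"{name}: {len(found)} hit(s)")
        for h in found:
            print("   ", h)
```

The self-deletion check keys on the parent's image path appearing as the del target rather than on the literal `ping 127.0.0.1 & del` string, so it also catches `timeout`-based variants and different del switches; the `delayed` flag just records whether a stall was present. The Run-key pattern is matched case-insensitively on the `\CurrentVersion\Run\` suffix so that the Wow6432Node path written by this 32-bit sample and the native 64-bit path are treated alike.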
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 431d202ca257aab39c0a5e2af6d86422
SHA1: de9978fb6bcfb5be59671269534e38b7bff69d80
SHA256: 641b6a810e1848d929209b8bb21e7ef12c097f6ccde4511706eaa6314b8e7b0d
SHA512: abf4f9308bfa5fe951659bb4d1084b5fd8d063988f2de68ce3046cdb77f09e0bdb27ef2a39ba0afeeb8f103050d03a51640516ba8e78c45444d7904f6c891e22