Analysis
- max time kernel: 136s
- max time network: 152s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 08:03
Static task: static1
Behavioral task: behavioral1
  Sample: 0bd47cea24a60db576b324ece6e4baef8c01472181a181f33ec656bd2feb04a6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0bd47cea24a60db576b324ece6e4baef8c01472181a181f33ec656bd2feb04a6.exe
  Resource: win10v2004-en-20220112
General
- Target: 0bd47cea24a60db576b324ece6e4baef8c01472181a181f33ec656bd2feb04a6.exe
- Size: 92KB
- MD5: 61a0cfed1f2549c5b6c576ef55de8a9d
- SHA1: 0ab339f87fd74425a60839170d20d6221cef5291
- SHA256: 0bd47cea24a60db576b324ece6e4baef8c01472181a181f33ec656bd2feb04a6
- SHA512: e4da601af1d0558acfc90c617f2db57c9cfccc12f371b12f571cfbed7e972fdccfd3c4d21dd2fa251f3696045c9068da28ea09b2fe1769e8b7af993d87f6e4ae
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource / yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1896    MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    1084    cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
    952    0bd47cea24a60db576b324ece6e4baef8c01472181a181f33ec656bd2feb04a6.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"    0bd47cea24a60db576b324ece6e4baef8c01472181a181f33ec656bd2feb04a6.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege    952    0bd47cea24a60db576b324ece6e4baef8c01472181a181f33ec656bd2feb04a6.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 952 wrote to memory of 1896    952    0bd47cea24a60db576b324ece6e4baef8c01472181a181f33ec656bd2feb04a6.exe    MediaCenter.exe
    PID 952 wrote to memory of 1896    952    0bd47cea24a60db576b324ece6e4baef8c01472181a181f33ec656bd2feb04a6.exe    MediaCenter.exe
    PID 952 wrote to memory of 1896    952    0bd47cea24a60db576b324ece6e4baef8c01472181a181f33ec656bd2feb04a6.exe    MediaCenter.exe
    PID 952 wrote to memory of 1896    952    0bd47cea24a60db576b324ece6e4baef8c01472181a181f33ec656bd2feb04a6.exe    MediaCenter.exe
    PID 952 wrote to memory of 1084    952    0bd47cea24a60db576b324ece6e4baef8c01472181a181f33ec656bd2feb04a6.exe    cmd.exe
    PID 952 wrote to memory of 1084    952    0bd47cea24a60db576b324ece6e4baef8c01472181a181f33ec656bd2feb04a6.exe    cmd.exe
    PID 952 wrote to memory of 1084    952    0bd47cea24a60db576b324ece6e4baef8c01472181a181f33ec656bd2feb04a6.exe    cmd.exe
    PID 952 wrote to memory of 1084    952    0bd47cea24a60db576b324ece6e4baef8c01472181a181f33ec656bd2feb04a6.exe    cmd.exe
    PID 1084 wrote to memory of 1964    1084    cmd.exe    PING.EXE
    PID 1084 wrote to memory of 1964    1084    cmd.exe    PING.EXE
    PID 1084 wrote to memory of 1964    1084    cmd.exe    PING.EXE
    PID 1084 wrote to memory of 1964    1084    cmd.exe    PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0bd47cea24a60db576b324ece6e4baef8c01472181a181f33ec656bd2feb04a6.exe  (PID 952)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0bd47cea24a60db576b324ece6e4baef8c01472181a181f33ec656bd2feb04a6.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1896, child of 952)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe  (PID 1084, child of 952)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0bd47cea24a60db576b324ece6e4baef8c01472181a181f33ec656bd2feb04a6.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE  (PID 1964, child of 1084)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: da6d1b37d69b39c55ea46d43fc279dea
  SHA1: 7c03cfab1e8022545eb5a44d0d85a7e8173b87f0
  SHA256: e6b59c457b410c339f1c5474402203aa13f2a045822e6ff49e3f24dd286e5469
  SHA512: ebbd2db1c4ebbc50a94aeb5c86d7a2623993f05e813302e029a601c6a9c4d47c7e3b966bda9e7f1c9aa5c351f1ee9d47b6ed1932681944272b5606d8581efc03