Analysis
max time kernel: 132s
max time network: 153s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 08:06
Static task: static1
Behavioral task: behavioral1
  Sample: 0bb1747bb8b3ae57c3d7158eccced68ccd306d65b8073eca5b0a95a536fcac09.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0bb1747bb8b3ae57c3d7158eccced68ccd306d65b8073eca5b0a95a536fcac09.exe
  Resource: win10v2004-en-20220112

The signatures, PIDs, memory dumps and process tree on this page come from behavioral1 (the Windows 7 x64 run); the memory-dump paths are prefixed behavioral1/ accordingly.
General
Target: 0bb1747bb8b3ae57c3d7158eccced68ccd306d65b8073eca5b0a95a536fcac09.exe
Size: 216KB
MD5: cbfe923d42b26516f01e97635ae0c88d
SHA1: 328d59e05a3aefaf4bed86c98dff64f396b9cc02
SHA256: 0bb1747bb8b3ae57c3d7158eccced68ccd306d65b8073eca5b0a95a536fcac09
SHA512: fb0fbd91b340917bad95bda9462c2fe18cd66685666a86d453ba762d3ea462f67f6bf4e40128b15645aaf192470122fd1235b5c92447dcb45557f2b9abdba4d7
Malware Config
Signatures

Sakula Payload (4 IoCs)
Resource                                                                      YARA rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                    family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
behavioral1/memory/732-59-0x0000000000400000-0x0000000000420000-memory.dmp    family_sakula
behavioral1/memory/1656-60-0x0000000000400000-0x0000000000420000-memory.dmp   family_sakula

The same rule matches the dropped MediaCenter.exe on disk and the 0x00400000-0x00420000 image region of both the original process (PID 732) and the dropped process (PID 1656): the dropper and the file it writes carry the same Sakula code, and the 0x00400000 image base is the default for a 32-bit PE.
Suricata (network)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
PID 1656   MediaCenter.exe

Deletes itself (1 IoC)
PID 1628   cmd.exe

Loads dropped DLL (1 IoC)
PID 732    0bb1747bb8b3ae57c3d7158eccced68ccd306d65b8073eca5b0a95a536fcac09.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str) by PID 732 (0bb1747bb8b3ae57c3d7158eccced68ccd306d65b8073eca5b0a95a536fcac09.exe):
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
(The original page renders the value with doubled backslashes; those are JSON escaping, not part of the registry data.) The key is the machine-wide Run key as seen through WOW64 registry redirection, i.e. a 32-bit process writing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on 64-bit Windows; writing it needs administrative rights, which the sandbox user has. The autostart target lives in the user's Temp directory, which is itself a strong indicator.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this heuristic calls it "likely ransomware behaviour", but the rest of this report (YARA hits and the Sakula/Mivast C2 beacon rule) identifies the sample as a Sakula RAT, not ransomware.

Runs ping.exe (1 TTP, 1 IoC)
PID 2036   PING.EXE (ping 127.0.0.1, spawned by cmd.exe PID 1628 as the delay before the self-delete; see the process tree)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeIncBasePriorityPrivilege enabled by PID 732 (0bb1747bb8b3ae57c3d7158eccced68ccd306d65b8073eca5b0a95a536fcac09.exe). This privilege is what a process needs to raise scheduling priority; on its own it is a low-signal indicator.
Suspicious use of WriteProcessMemory (12 IoCs)
The 12 entries are three distinct source/target pairs, each logged four times; every target is a child the source creates in the process tree below, so the writes coincide with process creation.
Source PID   Source process                                                           Target PID   Target process    Entries
732          0bb1747bb8b3ae57c3d7158eccced68ccd306d65b8073eca5b0a95a536fcac09.exe    1656         MediaCenter.exe   4
732          0bb1747bb8b3ae57c3d7158eccced68ccd306d65b8073eca5b0a95a536fcac09.exe    1628         cmd.exe           4
1628         cmd.exe                                                                  2036         PING.EXE          4
Processes

C:\Users\Admin\AppData\Local\Temp\0bb1747bb8b3ae57c3d7158eccced68ccd306d65b8073eca5b0a95a536fcac09.exe  (PID 732)
  command line: "C:\Users\Admin\AppData\Local\Temp\0bb1747bb8b3ae57c3d7158eccced68ccd306d65b8073eca5b0a95a536fcac09.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1656)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe  (PID 1628)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0bb1747bb8b3ae57c3d7158eccced68ccd306d65b8073eca5b0a95a536fcac09.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE  (PID 2036)
      command line: ping 127.0.0.1
      - Runs ping.exe

Two details of the tree are worth reading precisely. First, the command line names C:\Windows\System32\cmd.exe but the process image is C:\Windows\SysWOW64\cmd.exe: the parent is a 32-bit executable (consistent with the Wow6432Node Run key and the 0x00400000 image base), so the WOW64 file-system redirector maps System32 to SysWOW64 for it. Second, "ping 127.0.0.1 & del /q <dropper>" is the usual self-deletion idiom: ping sends its default four echo requests to loopback, which takes roughly three seconds, long enough for PID 732 to exit so that its file is no longer locked when del runs. Only the original dropper is removed; MediaCenter.exe in Temp\MicroMedia and the Run key pointing at it remain.
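The behaviours in the signatures and process tree above (Run-key persistence into a user-writable directory, execution of a dropped EXE from Temp, the ping-then-del self-deletion, and the System32/SysWOW64 redirection) are easy to turn into host-telemetry checks. The following is an added detection example, not code from the sandbox or from this report: it runs over a constructed, simplified event list modelled on this page's process tree and Run-key IoC (the event field names, the benign control events for explorer.exe and OneDrive, and the 1200/2900/3000 PIDs are assumptions), and flags each pattern independently so a false positive in one does not mask the others.

```python
import re

# Constructed telemetry modelled on this report's process tree and Run-key IoC.
# The dict layout is hypothetical (it is not the sandbox's export format).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0bb1747bb8b3ae57c3d7158eccced68ccd306d65b8073eca5b0a95a536fcac09.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS = [
    {"type": "process", "pid": 732, "ppid": 1200, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "registry", "pid": 732,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": DROPPED},
    {"type": "process", "pid": 1656, "ppid": 732, "image": DROPPED, "cmdline": DROPPED},
    {"type": "process", "pid": 1628, "ppid": 732, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 2036, "ppid": 1628,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    # Constructed benign controls: a cleanup command that deletes a file other than
    # its parent's image, and a Run key whose target is under Program Files.
    {"type": "process", "pid": 2900, "ppid": 1200,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 3000, "ppid": 2900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\Desktop\old.log"'},
    {"type": "registry", "pid": 2900,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\(?:Local|Roaming)|Users\\Public|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
# "del [/switches] <target>" as the last command on the line; captures the target path.
DEL_TARGET_RE = re.compile(r'\bdel\b(?:\s+/[a-z]+)*\s+"?([^"&]+?)"?\s*$', re.IGNORECASE)
PING_RE = re.compile(r"\bping\b", re.IGNORECASE)


def processes_by_pid(events):
    return {e["pid"]: e for e in events if e["type"] == "process"}


def find_self_delete(events):
    """cmd.exe children that wait (ping) and then del the image of their own parent."""
    by_pid = processes_by_pid(events)
    hits = []
    for e in events:
        if e["type"] != "process" or not e["image"].lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        m = DEL_TARGET_RE.search(e["cmdline"])
        if parent is None or m is None or not PING_RE.search(e["cmdline"]):
            continue
        if m.group(1).strip().lower() == parent["image"].lower():
            hits.append({"cmd_pid": e["pid"], "deleted": parent["image"]})
    return hits


def find_user_writable_run_keys(events):
    """Run/RunOnce values whose autostart target lives in a user-writable directory."""
    return [{"pid": e["pid"], "key": e["key"], "value": e["value"]}
            for e in events
            if e["type"] == "registry"
            and RUN_KEY_RE.search(e["key"])
            and USER_WRITABLE_RE.search(e["value"])]


def find_dropped_exe_exec(events):
    """Process started from a user-writable dir by a parent that also runs from one."""
    by_pid = processes_by_pid(events)
    return [{"pid": e["pid"], "image": e["image"]}
            for e in events
            if e["type"] == "process"
            and USER_WRITABLE_RE.search(e["image"])
            and e["ppid"] in by_pid
            and USER_WRITABLE_RE.search(by_pid[e["ppid"]]["image"])]


def is_wow64_redirected(e):
    """Image resolved under SysWOW64 although the command line named System32:
    the creating process is 32-bit and the file-system redirector rewrote the path."""
    return "\\syswow64\\" in e["image"].lower() and "\\system32\\" in e["cmdline"].lower()


def triage(events):
    return {
        "self_delete": find_self_delete(events),
        "run_keys": find_user_writable_run_keys(events),
        "dropped_exec": find_dropped_exe_exec(events),
        "wow64_children": [e["pid"] for e in events
                           if e["type"] == "process" and is_wow64_redirected(e)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(EVENTS), indent=2))
```

On the constructed events this reports PID 1628 as the self-delete helper for the dropper, the MicroMedia Run key as a user-writable autostart, PID 1656 as a dropped executable launched by another Temp-resident process, and PID 1628 as WOW64-redirected; the explorer.exe cleanup command and the OneDrive Run key produce no findings. The self-delete check compares the del target against the parent's recorded image path rather than looking for "ping & del" alone, which is what keeps ordinary cleanup scripts out of the results.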
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 9f7358701e6260a3c74ab5cc77f2f2ff
SHA1: a9089ab5f165b10f10aa8563992fca3bb4ca49cf
SHA256: a0e6a584ce43138a6ae7575a34d3f723b95e7611a13e998d57131cb5c7bfa46e
SHA512: 82d452a72422ee9b549ed3cd8189c0a40c5d1f8f32747178eccf033c386fe8ad691d3ac9defd1b0f284c126224fb03b9bad0d53ea13ac3cdeb6285c6bd703745