Analysis
max time kernel: 129s
max time network: 134s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 09:10

Static task: static1

Behavioral task: behavioral1
Sample: 0acd1d97d931094ce293226bce76d9619642767f5208c52c3e081db4ee004908.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 0acd1d97d931094ce293226bce76d9619642767f5208c52c3e081db4ee004908.exe
Resource: win10v2004-en-20220113
General
Target: 0acd1d97d931094ce293226bce76d9619642767f5208c52c3e081db4ee004908.exe
Size: 150KB
MD5: f12f2e48af062b47d49deb3d86443513
SHA1: ced2ab55a8ef953f6f0b44b8ffddedda033eaf97
SHA256: 0acd1d97d931094ce293226bce76d9619642767f5208c52c3e081db4ee004908
SHA512: 40f55d5d9e992a687d14ae6b94f4e464f94bec3fb2d0412a78af57213a47fad91494c0536978f96a492006524334da6190a261e76a8bf3666332403d5f4636b0
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource                                                       yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe     family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe   family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
pid    process
792    MediaCenter.exe
-
Deletes itself 1 IoCs
Processes:
pid    process
1096   cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid    process
1672   0acd1d97d931094ce293226bce76d9619642767f5208c52c3e081db4ee004908.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
process: 0acd1d97d931094ce293226bce76d9619642767f5208c52c3e081db4ee004908.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description: Token: SeIncBasePriorityPrivilege
pid: 1672
process: 0acd1d97d931094ce293226bce76d9619642767f5208c52c3e081db4ee004908.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                        pid    process                                                                 target process
PID 1672 wrote to memory of 792    1672   0acd1d97d931094ce293226bce76d9619642767f5208c52c3e081db4ee004908.exe   MediaCenter.exe
PID 1672 wrote to memory of 792    1672   0acd1d97d931094ce293226bce76d9619642767f5208c52c3e081db4ee004908.exe   MediaCenter.exe
PID 1672 wrote to memory of 792    1672   0acd1d97d931094ce293226bce76d9619642767f5208c52c3e081db4ee004908.exe   MediaCenter.exe
PID 1672 wrote to memory of 792    1672   0acd1d97d931094ce293226bce76d9619642767f5208c52c3e081db4ee004908.exe   MediaCenter.exe
PID 1672 wrote to memory of 1096   1672   0acd1d97d931094ce293226bce76d9619642767f5208c52c3e081db4ee004908.exe   cmd.exe
PID 1672 wrote to memory of 1096   1672   0acd1d97d931094ce293226bce76d9619642767f5208c52c3e081db4ee004908.exe   cmd.exe
PID 1672 wrote to memory of 1096   1672   0acd1d97d931094ce293226bce76d9619642767f5208c52c3e081db4ee004908.exe   cmd.exe
PID 1672 wrote to memory of 1096   1672   0acd1d97d931094ce293226bce76d9619642767f5208c52c3e081db4ee004908.exe   cmd.exe
PID 1096 wrote to memory of 676    1096   cmd.exe                                                                 PING.EXE
PID 1096 wrote to memory of 676    1096   cmd.exe                                                                 PING.EXE
PID 1096 wrote to memory of 676    1096   cmd.exe                                                                 PING.EXE
PID 1096 wrote to memory of 676    1096   cmd.exe                                                                 PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0acd1d97d931094ce293226bce76d9619642767f5208c52c3e081db4ee004908.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0acd1d97d931094ce293226bce76d9619642767f5208c52c3e081db4ee004908.exe"
  depth: 1
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1672

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    depth: 2
    - Executes dropped EXE
    PID: 792

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0acd1d97d931094ce293226bce76d9619642767f5208c52c3e081db4ee004908.exe"
    depth: 2
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1096

    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      depth: 3
      - Runs ping.exe
      PID: 676
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: 1c96581a98dcc69ff7bb258fd4f0cb0c
SHA1: 64e409f7acaf6beb8f3e9c65caec764b2e1419f6
SHA256: f14d3514a13f1c4fdff95465196e6acd35ce78ee52a9179c1654350100f669ea
SHA512: 986fcd49bd3e93db9530e715a1155456d0d8aeb60aa1ce333d038d708ab2212ff1727617e6b2eb038033f51529dfe284064cfbe4371cdc8cc2e780e92bcc9ced
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: 1c96581a98dcc69ff7bb258fd4f0cb0c
SHA1: 64e409f7acaf6beb8f3e9c65caec764b2e1419f6
SHA256: f14d3514a13f1c4fdff95465196e6acd35ce78ee52a9179c1654350100f669ea
SHA512: 986fcd49bd3e93db9530e715a1155456d0d8aeb60aa1ce333d038d708ab2212ff1727617e6b2eb038033f51529dfe284064cfbe4371cdc8cc2e780e92bcc9ced
-
memory/1672-54-0x0000000075341000-0x0000000075343000-memory.dmp
Filesize: 8KB