Analysis
-
max time kernel
147s -
max time network
153s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 09:10
Static task
static1
Behavioral task
behavioral1
Sample
0acae2f4fdc58e4e89a5ec08bc674e52de33d5cf2e2039f313c472b5126b34dd.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0acae2f4fdc58e4e89a5ec08bc674e52de33d5cf2e2039f313c472b5126b34dd.exe
Resource
win10v2004-en-20220113
General
-
Target
0acae2f4fdc58e4e89a5ec08bc674e52de33d5cf2e2039f313c472b5126b34dd.exe
-
Size
120KB
-
MD5
43d416b54a7bbc7c120254879b308cbb
-
SHA1
1da497ac6116fb330141166c87d49356ff7f688c
-
SHA256
0acae2f4fdc58e4e89a5ec08bc674e52de33d5cf2e2039f313c472b5126b34dd
-
SHA512
2bb63336bf5e8ef0581c73e99605e0eef0fd0c6bcf639283e0395373c75a6503fda201d2a5e058e3259b907f81e0f5149c0cf23a1f0cebb2a2ea7df180bb9535
Malware Config
Signatures
-
Sakula Payload 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula behavioral1/memory/1664-58-0x0000000000400000-0x0000000000420000-memory.dmp family_sakula behavioral1/memory/1576-59-0x0000000000400000-0x0000000000420000-memory.dmp family_sakula -
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1576 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 432 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
0acae2f4fdc58e4e89a5ec08bc674e52de33d5cf2e2039f313c472b5126b34dd.exepid process 1664 0acae2f4fdc58e4e89a5ec08bc674e52de33d5cf2e2039f313c472b5126b34dd.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0acae2f4fdc58e4e89a5ec08bc674e52de33d5cf2e2039f313c472b5126b34dd.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 0acae2f4fdc58e4e89a5ec08bc674e52de33d5cf2e2039f313c472b5126b34dd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
0acae2f4fdc58e4e89a5ec08bc674e52de33d5cf2e2039f313c472b5126b34dd.exedescription pid process Token: SeIncBasePriorityPrivilege 1664 0acae2f4fdc58e4e89a5ec08bc674e52de33d5cf2e2039f313c472b5126b34dd.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
0acae2f4fdc58e4e89a5ec08bc674e52de33d5cf2e2039f313c472b5126b34dd.execmd.exedescription pid process target process PID 1664 wrote to memory of 1576 1664 0acae2f4fdc58e4e89a5ec08bc674e52de33d5cf2e2039f313c472b5126b34dd.exe MediaCenter.exe PID 1664 wrote to memory of 1576 1664 0acae2f4fdc58e4e89a5ec08bc674e52de33d5cf2e2039f313c472b5126b34dd.exe MediaCenter.exe PID 1664 wrote to memory of 1576 1664 0acae2f4fdc58e4e89a5ec08bc674e52de33d5cf2e2039f313c472b5126b34dd.exe MediaCenter.exe PID 1664 wrote to memory of 1576 1664 0acae2f4fdc58e4e89a5ec08bc674e52de33d5cf2e2039f313c472b5126b34dd.exe MediaCenter.exe PID 1664 wrote to memory of 432 1664 0acae2f4fdc58e4e89a5ec08bc674e52de33d5cf2e2039f313c472b5126b34dd.exe cmd.exe PID 1664 wrote to memory of 432 1664 0acae2f4fdc58e4e89a5ec08bc674e52de33d5cf2e2039f313c472b5126b34dd.exe cmd.exe PID 1664 wrote to memory of 432 1664 0acae2f4fdc58e4e89a5ec08bc674e52de33d5cf2e2039f313c472b5126b34dd.exe cmd.exe PID 1664 wrote to memory of 432 1664 0acae2f4fdc58e4e89a5ec08bc674e52de33d5cf2e2039f313c472b5126b34dd.exe cmd.exe PID 432 wrote to memory of 1856 432 cmd.exe PING.EXE PID 432 wrote to memory of 1856 432 cmd.exe PING.EXE PID 432 wrote to memory of 1856 432 cmd.exe PING.EXE PID 432 wrote to memory of 1856 432 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0acae2f4fdc58e4e89a5ec08bc674e52de33d5cf2e2039f313c472b5126b34dd.exe"C:\Users\Admin\AppData\Local\Temp\0acae2f4fdc58e4e89a5ec08bc674e52de33d5cf2e2039f313c472b5126b34dd.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0acae2f4fdc58e4e89a5ec08bc674e52de33d5cf2e2039f313c472b5126b34dd.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1856
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
75dc4f7e12bee0bca5bad8583e2dfcee
SHA12a33a4f3eaeaf7ca730e1c7908c01d93f794011f
SHA2569003fbeeccfd001b6b71760dda7b92f12709c387c1d9e5c035b03e4d15e38caa
SHA5122a42c2b1c37b0ddff70e15fba3d5dc7cbb8ae687a986b407e74b5a4d5767ffa5f8c5567074dbb34a3a1bcde0cac6d4fba705f48f802b1440438f9bf363eb3465
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
75dc4f7e12bee0bca5bad8583e2dfcee
SHA12a33a4f3eaeaf7ca730e1c7908c01d93f794011f
SHA2569003fbeeccfd001b6b71760dda7b92f12709c387c1d9e5c035b03e4d15e38caa
SHA5122a42c2b1c37b0ddff70e15fba3d5dc7cbb8ae687a986b407e74b5a4d5767ffa5f8c5567074dbb34a3a1bcde0cac6d4fba705f48f802b1440438f9bf363eb3465
-
memory/1576-59-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1664-54-0x00000000754B1000-0x00000000754B3000-memory.dmpFilesize
8KB
-
memory/1664-58-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB