Analysis

Max time kernel: 140s
Max time network: 145s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 09:10
Static task: static1

Behavioral task: behavioral1
  Sample: 0ac69bb84a7490395408997e2ca05a1f407153d8c1b304bb2b3dae9716164c20.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 0ac69bb84a7490395408997e2ca05a1f407153d8c1b304bb2b3dae9716164c20.exe
  Resource: win10v2004-en-20220112

The signatures, process tree and dropped files below come from the windows7_x64 run (behavioral1, platform and resource as in the header above); the Windows 10 task is listed but its output is not shown on this page.
General

Target: 0ac69bb84a7490395408997e2ca05a1f407153d8c1b304bb2b3dae9716164c20.exe
Size: 150KB
MD5: 8e0b27047bf6ba2e5ccf5fae00f08a8b
SHA1: 7aa44927ad8dd75ef1eaf281e38b50e6a0789146
SHA256: 0ac69bb84a7490395408997e2ca05a1f407153d8c1b304bb2b3dae9716164c20
SHA512: 65b5a2adfb55c69751cd4fe8dd273bef4950b1a6ab163693439e84e3447f7198eaa0d86980f2eb6adfea156705937dad801bcafd73464674b300e21a7d354a2d
Malware Config

Signatures

Sakula Payload (2 IoCs)
  Resource                                                      YARA rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
  PID 1540  MediaCenter.exe

Deletes itself (1 IoC)
  PID 1068  cmd.exe

Loads dropped DLL (1 IoC)
  PID 1744  0ac69bb84a7490395408997e2ca05a1f407153d8c1b304bb2b3dae9716164c20.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0ac69bb84a7490395408997e2ca05a1f407153d8c1b304bb2b3dae9716164c20.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"

  The Wow6432Node path is the WoW64-redirected view of HKLM\SOFTWARE that a 32-bit process sees, so this is a machine-wide Run entry (it requires administrative rights, which the sandbox user has) pointing at the dropped payload in the user's Temp directory. When hunting, check both HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and its Wow6432Node counterpart.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  The second sentence is the sandbox's stock description for this heuristic, not a finding specific to this sample; drive enumeration alone does not indicate ransomware, and the YARA and Suricata hits above classify the sample as the Sakula/Mivast RAT.
Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1744  0ac69bb84a7490395408997e2ca05a1f407153d8c1b304bb2b3dae9716164c20.exe  Token: SeIncBasePriorityPrivilege

Suspicious use of WriteProcessMemory (12 IoCs)
  Source PID  Source process                                                          Target PID  Target process   Events
  1744        0ac69bb84a7490395408997e2ca05a1f407153d8c1b304bb2b3dae9716164c20.exe  1540        MediaCenter.exe  4
  1744        0ac69bb84a7490395408997e2ca05a1f407153d8c1b304bb2b3dae9716164c20.exe  1068        cmd.exe          4
  1068        cmd.exe                                                                 880         PING.EXE         4

  Each group of four writes lands in a process the writer has just spawned (compare the process tree below). A parent writing into its new child's address space is part of normal process creation, and the sandbox flags every cross-process write, so these entries line up with the three launches and do not on their own show code injection.
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\0ac69bb84a7490395408997e2ca05a1f407153d8c1b304bb2b3dae9716164c20.exe  (PID 1744)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ac69bb84a7490395408997e2ca05a1f407153d8c1b304bb2b3dae9716164c20.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (PID 1540)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  Depth 2: C:\Windows\SysWOW64\cmd.exe  (PID 1068)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ac69bb84a7490395408997e2ca05a1f407153d8c1b304bb2b3dae9716164c20.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\PING.EXE  (PID 880)
      Command line: ping 127.0.0.1
      - Runs ping.exe

The command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: the sample is 32-bit, so file system redirection sends its System32 references to SysWOW64. The `ping 127.0.0.1 & del /q "<own path>"` chain is the common self-delete idiom: the ping only serves as a delay so the dropper can exit before cmd.exe removes its file, leaving MediaCenter.exe (already persisted through the Run key) as the only copy on disk.
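The process tree and the Run-key write above contain enough to write host-side hunt logic for this behaviour. The following is an added example and not part of the sandbox output: it runs three rules (Run key pointing into a user Temp directory, an executable under Temp launching another executable under Temp, and the `cmd /c ping ... & del` delayed-delete idiom) plus a hash match over constructed event records that mirror the report. Paths, PIDs, hashes and command lines are the report's; the flat Sysmon-like field names (`type`, `pid`, `ppid`, `image`, `cmdline`, `sha256`, `key`, `value`) and the benign control record are assumptions.

```python
"""Hunt rules derived from the sandbox report's process tree and Run-key write.

Added example, not part of the sandbox output. EVENTS is CONSTRUCTED to mirror
the report; the field names and the benign control record are assumptions.
"""
import re
from typing import Dict, List, Tuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0ac69bb84a7490395408997e2ca05a1f407153d8c1b304bb2b3dae9716164c20.exe")
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# SHA256 values taken from the report's General and Downloads sections.
KNOWN_BAD_SHA256 = {
    "0ac69bb84a7490395408997e2ca05a1f407153d8c1b304bb2b3dae9716164c20",  # sample
    "2441c9155fbaa18a2668d735283e39d259369f1e959e1571d25cfa0bb9bcd712",  # MediaCenter.exe
}

# Constructed events in launch order; "sha256" is "" where the report records none.
EVENTS: List[Dict[str, str]] = [
    {"type": "process", "pid": "1744", "ppid": "1000", "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"',
     "sha256": "0ac69bb84a7490395408997e2ca05a1f407153d8c1b304bb2b3dae9716164c20"},
    {"type": "registry", "pid": "1744",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "value": PAYLOAD},
    {"type": "process", "pid": "1540", "ppid": "1744", "image": PAYLOAD, "cmdline": PAYLOAD,
     "sha256": "2441c9155fbaa18a2668d735283e39d259369f1e959e1571d25cfa0bb9bcd712"},
    {"type": "process", "pid": "1068", "ppid": "1744", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"',
     "sha256": ""},
    {"type": "process", "pid": "880", "ppid": "1068", "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1", "sha256": ""},
    # Benign control (assumed, not from the report): a vendor Run entry must not fire.
    {"type": "registry", "pid": "2222",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Program Files\Vendor\updater.exe"},
]

# User-writable staging directory used by both the sample and the dropped payload.
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Run / RunOnce under either the native or the Wow6432Node view of HKLM\SOFTWARE.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# cmd /c ping <host> & del [...] "<path>.exe": the ping is only a delay before the delete.
PING_DEL = re.compile(r'cmd(\.exe)?"?\s+/c\s+ping\b.*?&\s*del\b.*?"?([A-Za-z]:\\[^"]+\.exe)',
                      re.IGNORECASE)

Finding = Tuple[str, str, str]  # (rule, pid, detail)


def detect(events: List[Dict[str, str]]) -> List[Finding]:
    """Return (rule, pid, detail) findings for the patterns the report exhibits."""
    findings: List[Finding] = []
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    for e in events:
        if e["type"] == "registry":
            if RUN_KEY.search(e["key"]) and USER_TEMP.search(e["value"]):
                findings.append(("run_key_to_user_temp", e["pid"], e["value"]))
            continue
        if e["sha256"] in KNOWN_BAD_SHA256:
            findings.append(("known_bad_hash", e["pid"], e["sha256"]))
        parent = procs.get(e["ppid"])
        if parent and USER_TEMP.search(parent["image"]) and USER_TEMP.search(e["image"]):
            findings.append(("temp_exe_spawns_temp_exe", e["pid"], e["image"]))
        m = PING_DEL.search(e["cmdline"])
        if m:
            target = m.group(2)
            # A true self-delete removes the parent's own image; anything else is
            # still a delayed delete worth a look, but is labelled separately.
            rule = ("self_delete" if parent and target.lower() == parent["image"].lower()
                    else "delayed_delete")
            findings.append((rule, e["pid"], target))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:26s} pid={pid:5s} {detail}")
```

Against the constructed events the rules produce five findings: two hash hits (PIDs 1744 and 1540), the Run key written by 1744, MediaCenter.exe launched from Temp by a Temp-resident parent, and the self-delete by cmd.exe (PID 1068), whose `del` target resolves to its parent's own image. The ping and the vendor Run entry produce nothing. The path-based rules are deliberately independent of the hashes, so they still fire on a rebuilt dropper that reuses the same staging and self-delete routine.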
Network

MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
(also recorded as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; same file, same hashes)
  MD5: 8d11c46358199b239a14c68374098271
  SHA1: 6dd9c4a89751fbbfdd4fed5096a471d4acbe09cb
  SHA256: 2441c9155fbaa18a2668d735283e39d259369f1e959e1571d25cfa0bb9bcd712
  SHA512: 4695b6e1f9999545be23eda87be77db045b96a2983e59d8fcbf5bb12ec63863f99d5fb35517d91dbc6daf336a6f3a76cbd23691776da942855ff36271222f946

memory/1744-53-0x0000000075761000-0x0000000075763000-memory.dmp
  Filesize: 8KB

The dropped MediaCenter.exe hashes differ from the submitted sample's (compare the SHA256 values with the General section), so the sample is a dropper that writes a distinct payload rather than copying itself; the payload, not the dropper, is what the family_sakula YARA rule matched and what the Run key keeps on the machine.