Analysis
max time kernel: 124s
max time network: 126s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 09:13
Static task: static1
Behavioral task: behavioral1
  Sample: 0aae946594b68de5057b51ce36be182b2f22dad95c26ef0212715b8e93d8d7af.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0aae946594b68de5057b51ce36be182b2f22dad95c26ef0212715b8e93d8d7af.exe
  Resource: win10v2004-en-20220112
General
Target: 0aae946594b68de5057b51ce36be182b2f22dad95c26ef0212715b8e93d8d7af.exe
Size: 168KB
MD5: 1b4f253a40f516d1c82b5954c9c9a265
SHA1: 28a739c4609670d08e202fad864a0fc6ac1311af
SHA256: 0aae946594b68de5057b51ce36be182b2f22dad95c26ef0212715b8e93d8d7af
SHA512: 2cbc6ca3b6a5ff87b383c4c63f143e19cca175daf00102f61d9eb29e8fb463ef02fac68a3abad346ff7a317e82305e11f967ffb5f6f3de81d30f65cb8371764a
Malware Config
Signatures
-
Sakula Payload 4 IoCs
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral1/memory/1904-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral1/memory/2032-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes: MediaCenter.exe
pid | process
2032 | MediaCenter.exe
-
Deletes itself 1 IoCs
Processes: cmd.exe
pid | process
1784 | cmd.exe
-
Loads dropped DLL 1 IoCs
Processes: 0aae946594b68de5057b51ce36be182b2f22dad95c26ef0212715b8e93d8d7af.exe
pid | process
1904 | 0aae946594b68de5057b51ce36be182b2f22dad95c26ef0212715b8e93d8d7af.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 0aae946594b68de5057b51ce36be182b2f22dad95c26ef0212715b8e93d8d7af.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0aae946594b68de5057b51ce36be182b2f22dad95c26ef0212715b8e93d8d7af.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: 0aae946594b68de5057b51ce36be182b2f22dad95c26ef0212715b8e93d8d7af.exe
description | pid | process
Token: SeIncBasePriorityPrivilege | 1904 | 0aae946594b68de5057b51ce36be182b2f22dad95c26ef0212715b8e93d8d7af.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: 0aae946594b68de5057b51ce36be182b2f22dad95c26ef0212715b8e93d8d7af.exe, cmd.exe
description | pid | process | target process
PID 1904 wrote to memory of 2032 | 1904 | 0aae946594b68de5057b51ce36be182b2f22dad95c26ef0212715b8e93d8d7af.exe | MediaCenter.exe
PID 1904 wrote to memory of 2032 | 1904 | 0aae946594b68de5057b51ce36be182b2f22dad95c26ef0212715b8e93d8d7af.exe | MediaCenter.exe
PID 1904 wrote to memory of 2032 | 1904 | 0aae946594b68de5057b51ce36be182b2f22dad95c26ef0212715b8e93d8d7af.exe | MediaCenter.exe
PID 1904 wrote to memory of 2032 | 1904 | 0aae946594b68de5057b51ce36be182b2f22dad95c26ef0212715b8e93d8d7af.exe | MediaCenter.exe
PID 1904 wrote to memory of 1784 | 1904 | 0aae946594b68de5057b51ce36be182b2f22dad95c26ef0212715b8e93d8d7af.exe | cmd.exe
PID 1904 wrote to memory of 1784 | 1904 | 0aae946594b68de5057b51ce36be182b2f22dad95c26ef0212715b8e93d8d7af.exe | cmd.exe
PID 1904 wrote to memory of 1784 | 1904 | 0aae946594b68de5057b51ce36be182b2f22dad95c26ef0212715b8e93d8d7af.exe | cmd.exe
PID 1904 wrote to memory of 1784 | 1904 | 0aae946594b68de5057b51ce36be182b2f22dad95c26ef0212715b8e93d8d7af.exe | cmd.exe
PID 1784 wrote to memory of 1788 | 1784 | cmd.exe | PING.EXE
PID 1784 wrote to memory of 1788 | 1784 | cmd.exe | PING.EXE
PID 1784 wrote to memory of 1788 | 1784 | cmd.exe | PING.EXE
PID 1784 wrote to memory of 1788 | 1784 | cmd.exe | PING.EXE
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\0aae946594b68de5057b51ce36be182b2f22dad95c26ef0212715b8e93d8d7af.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0aae946594b68de5057b51ce36be182b2f22dad95c26ef0212715b8e93d8d7af.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1904
  -
  Depth 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 2032
  -
  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0aae946594b68de5057b51ce36be182b2f22dad95c26ef0212715b8e93d8d7af.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1784
    -
    Depth 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1788
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: f31f65e653e4d40ebf109dfc5bdc03c8
SHA1: 60306c061362978c8f1d46885af91ea49fc42819
SHA256: d77e97be52b14f5e93124ce81db5bacd72654a6554f4c98d8f5216f41569604b
SHA512: 76d99245a29b5c6549bda395a43d800426d14d9638a27bee4a77db8a3b23528d7688063f9a78650e78571a11a44771cd87584dc656619b0372d6be908f0ff25b
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: f31f65e653e4d40ebf109dfc5bdc03c8
SHA1: 60306c061362978c8f1d46885af91ea49fc42819
SHA256: d77e97be52b14f5e93124ce81db5bacd72654a6554f4c98d8f5216f41569604b
SHA512: 76d99245a29b5c6549bda395a43d800426d14d9638a27bee4a77db8a3b23528d7688063f9a78650e78571a11a44771cd87584dc656619b0372d6be908f0ff25b
-
memory/1904-55-0x0000000076731000-0x0000000076733000-memory.dmp
Filesize: 8KB
-
memory/1904-59-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/2032-60-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB