Analysis
max time kernel: 145s
max time network: 154s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 08:31

Static task: static1
Behavioral task: behavioral1
  Sample: 0aed49ba83a9a59ff05bdb87baba383583385befb8c052690f263d640c024810.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0aed49ba83a9a59ff05bdb87baba383583385befb8c052690f263d640c024810.exe
  Resource: win10v2004-en-20220113
General
Target: 0aed49ba83a9a59ff05bdb87baba383583385befb8c052690f263d640c024810.exe
Size: 216KB
MD5: b5954577c3cac5b8e7b53afdbe1a61ac
SHA1: df82dd8a7a3768e0036a78d4ddb4a8cdc20dc3af
SHA256: 0aed49ba83a9a59ff05bdb87baba383583385befb8c052690f263d640c024810
SHA512: 9e49c1d39d3a2a8bfce36aea285ab209673630a1ea3cb88ceb26fc95ab18427241352311ee8837c984edcb83bcef36b9e4ce2e76e5b869f0bd5af2fa0ae6bdc3
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  yara rule family_sakula matched:
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    behavioral1/memory/288-58-0x0000000000400000-0x0000000000420000-memory.dmp
    behavioral1/memory/1664-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Both the submitted sample (PID 288) and the dropped MediaCenter.exe (PID 1664) match in the same 0x400000-0x420000 image range, so the dropped file is the Sakula payload rather than a separate component.
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  PID 1664  MediaCenter.exe
- Deletes itself (1 IoC)
  PID 432  cmd.exe
- Loads dropped DLL (1 IoC)
  PID 288  0aed49ba83a9a59ff05bdb87baba383583385befb8c052690f263d640c024810.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process 0aed49ba83a9a59ff05bdb87baba383583385befb8c052690f263d640c024810.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The Wow6432Node path (together with cmd.exe and PING.EXE resolving to SysWOW64 below) shows this is a 32-bit process running under WOW64 on the x64 guest; on a 32-bit host the same write lands directly under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so hunt both paths.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this signature calls it likely ransomware behaviour; for this sample it should be read alongside the Sakula/Mivast RAT detections above, which identify the family.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 288  0aed49ba83a9a59ff05bdb87baba383583385befb8c052690f263d640c024810.exe  Token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 288 (0aed49ba83a9a59ff05bdb87baba383583385befb8c052690f263d640c024810.exe) wrote to memory of PID 1664 (MediaCenter.exe), 4 events
  PID 288 (0aed49ba83a9a59ff05bdb87baba383583385befb8c052690f263d640c024810.exe) wrote to memory of PID 432 (cmd.exe), 4 events
  PID 432 (cmd.exe) wrote to memory of PID 1996 (PING.EXE), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\0aed49ba83a9a59ff05bdb87baba383583385befb8c052690f263d640c024810.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0aed49ba83a9a59ff05bdb87baba383583385befb8c052690f263d640c024810.exe"
  PID: 288
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (child of PID 288)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1664
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (child of PID 288)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0aed49ba83a9a59ff05bdb87baba383583385befb8c052690f263d640c024810.exe"
    PID: 432
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (child of PID 432)
      Command line: ping 127.0.0.1
      PID: 1996
      - Runs ping.exe
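The process tree records two behaviours that translate directly into host detections: the Run value the sample writes under Wow6432Node pointing at a dropped executable in the user's Temp directory, and the `cmd.exe /c ping 127.0.0.1 & del /q <self>` chain, where the loopback ping is a crude sleep so the dropper has exited before `del` runs on its own image. The Python below is an added example, not part of the sandbox report or of any vendor tooling. It runs both checks over constructed Sysmon-style records: the field names follow Sysmon Event ID 1 (process create) and Event ID 13 (registry value set), but the records themselves are made up here to mirror the PIDs, paths and command lines on this page, plus one benign Program Files Run key as a control. The dropper's parent PID (1200) and the benign installer event are assumptions.

```python
import re

SAMPLE = "0aed49ba83a9a59ff05bdb87baba383583385befb8c052690f263d640c024810.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"

# Constructed events (not real telemetry) mirroring the report's process tree and Run-key IoC.
# Field names follow Sysmon Event ID 1 / 13; ParentProcessId 1200 and PID 777 are assumptions.
EVENTS = [
    {"EventID": 1, "ProcessId": 288, "ParentProcessId": 1200,
     "Image": TEMP + SAMPLE, "CommandLine": f'"{TEMP}{SAMPLE}"'},
    {"EventID": 13, "ProcessId": 288, "Image": TEMP + SAMPLE,
     "TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroMedia",
     "Details": TEMP + "MicroMedia\\MediaCenter.exe"},
    {"EventID": 1, "ProcessId": 1664, "ParentProcessId": 288,
     "Image": TEMP + "MicroMedia\\MediaCenter.exe",
     "CommandLine": TEMP + "MicroMedia\\MediaCenter.exe"},
    {"EventID": 1, "ProcessId": 432, "ParentProcessId": 288,
     "Image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{TEMP}{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 1996, "ParentProcessId": 432,
     "Image": "C:\\Windows\\SysWOW64\\PING.EXE", "CommandLine": "ping 127.0.0.1"},
    # Benign control: an installer registering an agent from Program Files must not fire.
    {"EventID": 13, "ProcessId": 777, "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "Details": "C:\\Program Files\\Vendor\\agent.exe"},
]

# Directory fragments a standard user can write to; a Run value pointing here is suspicious.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def run_key_to_user_writable(events):
    """Run/RunOnce values (either native or Wow6432Node hive path) whose data points
    into a user-writable directory. Returns one finding per matching registry event."""
    hits = []
    for e in events:
        if e.get("EventID") != 13:
            continue
        key = e["TargetObject"].lower()
        data = e["Details"].lower().strip('"')
        if "\\currentversion\\run" in key and any(m in data for m in USER_WRITABLE):
            hits.append({"pid": e["ProcessId"], "key": e["TargetObject"], "data": e["Details"]})
    return hits


# "ping 127.0.0.1 [...] & del [/switches] <file>": ping is used as a delay before the delete.
SELF_DELETE = re.compile(
    r'ping\s+(?:-n\s+\d+\s+)?127\.0\.0\.1\b.*?&\s*del\s+(?:/[a-z]\s+)*"?([^"&]+?)"?\s*$',
    re.IGNORECASE)


def ping_delay_self_delete(events):
    """cmd.exe using ping as a delay before deleting a file. Resolves the parent process
    and flags whether the file being deleted is the parent's own image."""
    by_pid = {e["ProcessId"]: e for e in events if e.get("EventID") == 1}
    hits = []
    for e in events:
        if e.get("EventID") != 1 or not e["Image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE.search(e["CommandLine"])
        if not m:
            continue
        target = m.group(1).strip()
        parent = by_pid.get(e["ParentProcessId"])
        hits.append({
            "pid": e["ProcessId"],
            "parent_pid": e["ParentProcessId"],
            "deleted": target,
            "parent_deletes_itself": parent is not None and parent["Image"].lower() == target.lower(),
        })
    return hits


if __name__ == "__main__":
    for finding in run_key_to_user_writable(EVENTS) + ping_delay_self_delete(EVENTS):
        print(finding)
```

The second detector keys on the parent relationship rather than on the literal path in the report, so the same logic catches the pattern when the dropper name and location differ; the first deliberately matches both the native and the Wow6432Node hive paths, since a 32-bit dropper on an x64 host is redirected to the latter.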
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (the same file is also recorded under the drive-less path \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe)
  MD5: 06fdb6b94d7da46ae022ca0070f0b943
  SHA1: 57a5b98e007def1294ee3e64816e5e17e2261d3c
  SHA256: 751e5139cd59cd70fa4abc155203b7ddca7e67a12cda23c2b7abe574e2b24bf6
  SHA512: 2b9da18b78c822197fb5fd7aa5e8a4053b75d146b3ef3710544e024367d2cd877ba01d8c0f268ea06ce0053d04eba0cc565c068afa0730b2db15c99c5e89bcbc
- memory/288-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
  Filesize: 8KB
- memory/288-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1664-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB