Analysis
- max time kernel: 151s
- max time network: 174s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 08:33
Static task: static1
Behavioral task: behavioral1
- Sample: 0ae3302ab380a3f130007b45b84b9915a7dbe28b47b6c42d4363b5038cd7c89b.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0ae3302ab380a3f130007b45b84b9915a7dbe28b47b6c42d4363b5038cd7c89b.exe
- Resource: win10v2004-en-20220113
General
- Target: 0ae3302ab380a3f130007b45b84b9915a7dbe28b47b6c42d4363b5038cd7c89b.exe
- Size: 150KB
- MD5: e646053f04979c98ba9bcd9eeaebb9eb
- SHA1: ff9ece3a0a5094549c0a7428e22765c3b76a7fae
- SHA256: 0ae3302ab380a3f130007b45b84b9915a7dbe28b47b6c42d4363b5038cd7c89b
- SHA512: 6c13b140cc36ee29fc567ae13d2b816b9eebeb8810fd3180f1da6a575be65fbaf1bcf2956eb70e1e32451a8fc5395cef4f9b4152ebe5e611670b2e3ef5ba3bcf
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  resource / yara_rule:
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  pid 828  MediaCenter.exe
- Deletes itself (1 IoC)
  pid 1240  cmd.exe
- Loads dropped DLL (1 IoC)
  pid 836  0ae3302ab380a3f130007b45b84b9915a7dbe28b47b6c42d4363b5038cd7c89b.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  by 0ae3302ab380a3f130007b45b84b9915a7dbe28b47b6c42d4363b5038cd7c89b.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). This is the sandbox's generic description for the signature; nothing else in this report (one dropped executable, one Run key, a self-delete) shows encryption or mass file modification, and the payload is classified as Sakula RAT, so the "likely ransomware" hint should not be read as a verdict for this sample.
- Runs ping.exe (1 TTPs, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege  pid 836  0ae3302ab380a3f130007b45b84b9915a7dbe28b47b6c42d4363b5038cd7c89b.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  source pid -> target pid  source process -> target process  (calls logged)
  836 -> 828   0ae3302ab380a3f130007b45b84b9915a7dbe28b47b6c42d4363b5038cd7c89b.exe -> MediaCenter.exe  (4)
  836 -> 1240  0ae3302ab380a3f130007b45b84b9915a7dbe28b47b6c42d4363b5038cd7c89b.exe -> cmd.exe  (4)
  1240 -> 572  cmd.exe -> PING.EXE  (4)
Processes
- C:\Users\Admin\AppData\Local\Temp\0ae3302ab380a3f130007b45b84b9915a7dbe28b47b6c42d4363b5038cd7c89b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0ae3302ab380a3f130007b45b84b9915a7dbe28b47b6c42d4363b5038cd7c89b.exe"  (level 1)  PID 836
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  (level 2)  PID 828
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ae3302ab380a3f130007b45b84b9915a7dbe28b47b6c42d4363b5038cd7c89b.exe"  (level 2)  PID 1240
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1  (level 3)  PID 572
      - Runs ping.exe

Note the mismatch between the requested and the executed image for cmd.exe: the parent asked for C:\Windows\System32\cmd.exe but C:\Windows\SysWOW64\cmd.exe ran. That is the 64-bit OS file system redirector acting on a 32-bit parent, and it is consistent with the Run key landing under Wow6432Node. The ping to 127.0.0.1 is only a delay so that PID 836 has exited before del /q removes its file.
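Two behaviours in this tree are worth turning into reusable hunting checks: the Run key written under Wow6432Node that points into the user's Temp directory, and the "cmd /c ping 127.0.0.1 & del /q <self>" chain that removes the original sample once it has exited. The Python below is an added example, not part of the Triage report or of the sample; the event records are constructed to mirror the PIDs and paths in this report, and the Sysmon-like field layout (pid/ppid/image/cmdline and pid/key/value), the unknown parent PID of the initial sample (shown as 0) and the benign control events are assumptions.

```python
"""Hunting checks for two behaviours in the report above.

Added example, not from the Triage report or the sample. Events are constructed
to mirror the report's PIDs and paths; the field layout (pid/ppid/image/cmdline
and pid/key/value) is an assumption modelled on Sysmon event IDs 1 and 13.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image actually executed (after any WOW64 redirection)
    cmdline: str    # command line as requested by the parent


@dataclass(frozen=True)
class RegEvent:
    pid: int
    key: str
    value: str


# Run / RunOnce under either the native or the Wow6432Node view of the hive.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Locations a standard user can write to; a Run value pointing here is rarely legitimate.
USER_WRITABLE_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Users\\Public\\|\\ProgramData\\", re.I)
# "cmd /c ping <host> & del [/switches] <file>.exe": the ping is only a delay before del.
SELF_DELETE_RE = re.compile(
    r'cmd\.exe"?\s+/c\s+ping\s+\S+\s*&\s*del\s+(?:/\S+\s+)*"?([^"]+\.exe)"?', re.I)


def suspicious_run_keys(reg_events: List[RegEvent]) -> List[Tuple[int, str, str]]:
    """Run-key values whose target lives in a user-writable directory."""
    return [(ev.pid, ev.key, ev.value) for ev in reg_events
            if RUN_KEY_RE.search(ev.key) and USER_WRITABLE_RE.search(ev.value)]


def self_deletion_chains(proc_events: List[ProcEvent]) -> List[Tuple[int, str, int]]:
    """(parent pid, parent image, cmd pid) where a child cmd.exe deletes its parent's own file."""
    by_pid: Dict[int, ProcEvent] = {ev.pid: ev for ev in proc_events}
    hits = []
    for ev in proc_events:
        m = SELF_DELETE_RE.search(ev.cmdline)
        if not m:
            continue
        parent = by_pid.get(ev.ppid)
        # Only flag when the deleted file is the parent's executable: that is the
        # self-removal pattern, not a generic "cmd deletes some file".
        if parent and parent.image.lower() == m.group(1).strip().lower():
            hits.append((parent.pid, parent.image, ev.pid))
    return hits


# Constructed events mirroring the report (PIDs 836/828/1240/572); ppid 0 = unknown.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0ae3302ab380a3f130007b45b84b9915a7dbe28b47b6c42d4363b5038cd7c89b.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

PROC_EVENTS = [
    ProcEvent(836, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(828, 836, DROPPED, DROPPED),
    ProcEvent(1240, 836, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(572, 1240, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    # Constructed benign control: a cmd that pings without deleting anything.
    ProcEvent(900, 0, r"C:\Windows\System32\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1'),
]
REG_EVENTS = [
    RegEvent(836, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
                  r"\CurrentVersion\Run\MicroMedia", DROPPED),
    # Constructed benign control: an updater installed under Program Files.
    RegEvent(1500, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
             r"C:\Program Files\Vendor\updater.exe"),
]

if __name__ == "__main__":
    for pid, key, value in suspicious_run_keys(REG_EVENTS):
        print(f"[run key] pid {pid}: {key} -> {value}")
    for ppid, image, cmd_pid in self_deletion_chains(PROC_EVENTS):
        print(f"[self-delete] pid {ppid} ({image}) removed via cmd.exe pid {cmd_pid}")
```

The self-delete check deliberately requires the deleted path to equal the parent's image rather than matching any "ping & del" command line; that keeps installers and cleanup scripts that delete other files out of the results, while still catching this sample's chain (PID 836 spawning PID 1240).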
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: cc96f672ddddbb467c895cbb60ce72c8
  SHA1: 1f9fe7b338ca9caf06a3eb5f0e3a7df40933ab7a
  SHA256: afcdbfe250e9f08e93a2b80d3bce554c4c70bfbc530a83462e20c175571e0561
  SHA512: 528421cf4445e4f403dd2f819648cfd28d84672051c588015f36420ed835876aa4b809d0a59e1ce48f0174941af2c7d3f3c428f22e2a02001f87b215120a19f9
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Same file recorded under its drive-less path (the second YARA hit above); MD5, SHA1, SHA256 and SHA512 are identical to the entry above.
- memory/836-55-0x0000000075D61000-0x0000000075D63000-memory.dmp  Filesize: 8KB