Analysis
- max time kernel: 160s
- max time network: 176s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:09
Static task: static1
Behavioral task: behavioral1
- Sample: 07f638b0d990399700617282f003043d881af7e6d05fe6707cffe5f1cfce467c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 07f638b0d990399700617282f003043d881af7e6d05fe6707cffe5f1cfce467c.exe
- Resource: win10v2004-en-20220113
General
- Target: 07f638b0d990399700617282f003043d881af7e6d05fe6707cffe5f1cfce467c.exe
- Size: 168KB
- MD5: 177147967fe9cbac67f8b7b7cfcff07f
- SHA1: e360c70cfb231930b1d98588687279aa68299370
- SHA256: 07f638b0d990399700617282f003043d881af7e6d05fe6707cffe5f1cfce467c
- SHA512: 80527b3041676057c8e7aee4aa7b5545d19386c78f528441ac1c7d89bb6abc5bd3541f18a74c292a954f34d54c4421df2b6379ec298abb3e4ed80cce30cc65ca
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes (resource / yara_rule):
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
  - behavioral1/memory/948-58-0x0000000000400000-0x0000000000420000-memory.dmp / family_sakula
  - behavioral1/memory/1564-59-0x0000000000400000-0x0000000000420000-memory.dmp / family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 1564 / MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
  - 396 / cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  - 948 / 07f638b0d990399700617282f003043d881af7e6d05fe6707cffe5f1cfce467c.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 07f638b0d990399700617282f003043d881af7e6d05fe6707cffe5f1cfce467c.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeIncBasePriorityPrivilege / 948 / 07f638b0d990399700617282f003043d881af7e6d05fe6707cffe5f1cfce467c.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  - PID 948 wrote to memory of 1564 / 948 / 07f638b0d990399700617282f003043d881af7e6d05fe6707cffe5f1cfce467c.exe / MediaCenter.exe (4 events)
  - PID 948 wrote to memory of 396 / 948 / 07f638b0d990399700617282f003043d881af7e6d05fe6707cffe5f1cfce467c.exe / cmd.exe (4 events)
  - PID 396 wrote to memory of 1260 / 396 / cmd.exe / PING.EXE (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\07f638b0d990399700617282f003043d881af7e6d05fe6707cffe5f1cfce467c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\07f638b0d990399700617282f003043d881af7e6d05fe6707cffe5f1cfce467c.exe"
  PID: 948
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1564
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07f638b0d990399700617282f003043d881af7e6d05fe6707cffe5f1cfce467c.exe"
    PID: 396
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1260
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 79f2a2b2004c38acb53e8f01af4d8386
  SHA1: c3b8c9fb93d8d16a1d305c54ad1081879014c8d5
  SHA256: 0910db29c6aeb590b4f89aa56c0a6a929a910959da134ff53e4d07ff8edbfc83
  SHA512: 4fb0d881ba2b7b3b2a20cbcd8a55b37f40a6b4883d2fb8341894fb2a9ce5e3fb06a7ce1f2d2568119ba9790c9712b16d0aba8935371fa5e1237b3dcf26c4848a
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 79f2a2b2004c38acb53e8f01af4d8386
  SHA1: c3b8c9fb93d8d16a1d305c54ad1081879014c8d5
  SHA256: 0910db29c6aeb590b4f89aa56c0a6a929a910959da134ff53e4d07ff8edbfc83
  SHA512: 4fb0d881ba2b7b3b2a20cbcd8a55b37f40a6b4883d2fb8341894fb2a9ce5e3fb06a7ce1f2d2568119ba9790c9712b16d0aba8935371fa5e1237b3dcf26c4848a
- memory/948-54-0x0000000075B51000-0x0000000075B53000-memory.dmp
  Filesize: 8KB
- memory/948-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1564-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB