Analysis
- max time kernel: 125s
- max time network: 133s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:12
Static task: static1
Behavioral task: behavioral1
- Sample: 07dbf5e146a03658013bb0e134487e57980a06f454f514656b7db62d0d6554f4.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 07dbf5e146a03658013bb0e134487e57980a06f454f514656b7db62d0d6554f4.exe
- Resource: win10v2004-en-20220113
General
- Target: 07dbf5e146a03658013bb0e134487e57980a06f454f514656b7db62d0d6554f4.exe
- Size: 92KB
- MD5: 3a0d5798c87d3457affbcf8b708eeb22
- SHA1: a1811632819582871292fbcb2d014234cd64f863
- SHA256: 07dbf5e146a03658013bb0e134487e57980a06f454f514656b7db62d0d6554f4
- SHA512: eeaa5364c5ceecc8d68fef9181bec3b380371e279a2210c4673066332c761b3c2c9d06d9b87afbe9b4db96c3380bd8d395dbe4928d5f20398ab61d61a317916d
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  YARA rule family_sakula matched on:
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  - PID 1896 MediaCenter.exe
- Deletes itself (1 IoC)
  - PID 828 cmd.exe
- Loads dropped DLL (1 IoC)
  - PID 1776 07dbf5e146a03658013bb0e134487e57980a06f454f514656b7db62d0d6554f4.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", written by 07dbf5e146a03658013bb0e134487e57980a06f454f514656b7db62d0d6554f4.exe (PID 1776)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description tags this as likely ransomware behaviour, but nothing else in this report shows file encryption or ransom activity; the sample is classified as Sakula by YARA and the Suricata CnC rule, so treat this signature as drive enumeration by a RAT rather than as evidence of ransomware.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeIncBasePriorityPrivilege, PID 1776 07dbf5e146a03658013bb0e134487e57980a06f454f514656b7db62d0d6554f4.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 1776 (07dbf5e146a03658013bb0e134487e57980a06f454f514656b7db62d0d6554f4.exe) wrote to memory of PID 1896 (MediaCenter.exe), 4 events
  - PID 1776 (07dbf5e146a03658013bb0e134487e57980a06f454f514656b7db62d0d6554f4.exe) wrote to memory of PID 828 (cmd.exe), 4 events
  - PID 828 (cmd.exe) wrote to memory of PID 1832 (PING.EXE), 4 events
  Every write here goes from a parent into a child it has just created (see the process tree below), which is consistent with ordinary process creation rather than injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\07dbf5e146a03658013bb0e134487e57980a06f454f514656b7db62d0d6554f4.exe (PID 1776, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\07dbf5e146a03658013bb0e134487e57980a06f454f514656b7db62d0d6554f4.exe"
  Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1896, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 828, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07dbf5e146a03658013bb0e134487e57980a06f454f514656b7db62d0d6554f4.exe"
    Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1832, depth 3)
      Command line: ping 127.0.0.1
      Runs ping.exe

The command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: the sample is a 32-bit process on 64-bit Windows, so file-system redirection maps System32 to SysWOW64, and the same WOW64 layer is why its Run key lands under Wow6432Node. The ping to 127.0.0.1 is only a delay so that the dropper has exited, and released its own file, before del runs.
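The two host-side behaviours in this tree, the "cmd /c ping 127.0.0.1 & del" self-deletion chain and the Run key pointing at a dropped file in the user's Temp directory, are easy to turn into detection logic over process-creation and registry telemetry. The following is an added example, not part of the sandbox report: the event records are constructed to mirror the report's process tree and registry IoC in a simplified, Sysmon-like shape, the parent PID 1000 and the two benign entries at the end are invented noise, and the field names are this example's own rather than any product's schema.

```python
"""Detection logic for two behaviours the report above records: the
cmd.exe -> ping -> del self-deletion chain (PIDs 1776 -> 828 -> 1832) and
the Run-key value that points at a dropped file under the user's Temp
directory. Added example, not part of the sandbox report. The event
records are constructed to mirror the report's process tree and registry
IoC in a simplified, Sysmon-like shape (process creation and registry
value-set events); the benign entries at the end are invented noise."""
import re
from typing import Dict, List

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\07dbf5e146a03658013bb0e134487e57980a06f454f514656b7db62d0d6554f4.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS: List[Dict[str, str]] = [
    {"type": "process", "pid": "1776", "ppid": "1000", "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"'},
    {"type": "process", "pid": "1896", "ppid": "1776", "image": DROPPED,
     "cmdline": DROPPED},
    {"type": "process", "pid": "828", "ppid": "1776",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "'
                + SAMPLE + '"'},
    {"type": "process", "pid": "1832", "ppid": "828",
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    {"type": "registry", "pid": "1776",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
            r"\CurrentVersion\Run\MicroMedia",
     "data": DROPPED},
    # Constructed benign noise: a Run entry under Program Files, and a ping
    # with no trailing delete. Neither should fire.
    {"type": "registry", "pid": "500",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"type": "process", "pid": "2000", "ppid": "1000",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 3'},
]

# "ping <loopback> & del <file>" is the usual delay-then-delete idiom: the
# ping only stalls until the parent has exited and released its image file.
SELF_DELETE_RE = re.compile(
    r'\bping\b[^&]*\b127\.0\.0\.1\b[^&]*&+\s*del\b(?:\s+/[a-z]+)*\s+'
    r'"?(?P<target>[^"]+?)"?\s*$',
    re.IGNORECASE)

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)

# Paths an unprivileged user can write to. A Run value pointing here deserves
# a look; an entry under Program Files usually does not.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\users\\public\\")


def normalize_key(key: str) -> str:
    """Map native (\\REGISTRY\\MACHINE\\...) and long hive names to HKLM/HKU."""
    key = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", key, flags=re.IGNORECASE)
    key = re.sub(r"^HKEY_LOCAL_MACHINE\\", r"HKLM\\", key, flags=re.IGNORECASE)
    key = re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", key, flags=re.IGNORECASE)
    return key


def find_self_delete_chains(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """cmd.exe launches whose 'ping & del' target is the parent's own image."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for ev in events:
        if ev["type"] != "process" or not ev["image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(ev["cmdline"])
        if not m:
            continue
        parent = procs.get(ev["ppid"])
        target = m.group("target").strip()
        if parent and parent["image"].lower() == target.lower():
            hits.append({"parent_pid": parent["pid"], "cmd_pid": ev["pid"],
                         "target": target})
    return hits


def find_suspicious_run_keys(events: List[Dict[str, str]]) -> List[dict]:
    """Run/RunOnce values whose data points into a user-writable location."""
    hits = []
    for ev in events:
        if ev["type"] != "registry":
            continue
        key = normalize_key(ev["key"])
        if RUN_KEY_RE.search(key) and any(p in ev["data"].lower() for p in USER_WRITABLE):
            hits.append({"pid": ev["pid"], "key": key, "data": ev["data"],
                         # 32-bit writers on x64 land in the Wow6432Node view;
                         # on a live host, hunt in both the native and WOW64 views.
                         "wow64": "\\wow6432node\\" in key.lower()})
    return hits


if __name__ == "__main__":
    for hit in find_self_delete_chains(EVENTS):
        print("self-delete chain:", hit)
    for hit in find_suspicious_run_keys(EVENTS):
        print("run-key persistence:", hit)
```

The self-delete rule deliberately requires the del target to equal the parent's image path, so a dropper deleting some other staging file does not fire it; relax that comparison if you also want plain "ping then del" chains surfaced for review. Real telemetry usually carries the parent image directly (Sysmon's ParentImage), which removes the need for the PID lookup.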
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (also recorded as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; identical hashes)
  - MD5: 1a02f608fd2aacc5452959e96fa398a1
  - SHA1: 82ad3070247fe2ebeeb9d54fa7af328b70a8f2a2
  - SHA256: d6b1580c5b41a0d31b95bc0dd8d4ad2df9b9f16df0dada029863ff10820b7ad5
  - SHA512: 9453b3a3b384ee73c9cfa25c7858d65fa9ae616fbaa7aeb7984c00972e059bcbddb899ceae08ba06867d0bca43f65fdf81de4bbe15f1d8ffbb46ff56c4def184
- memory/1776-54-0x0000000076C61000-0x0000000076C63000-memory.dmp
  - Filesize: 8KB