Analysis
max time kernel: 132s
max time network: 149s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 10:12
Static task: static1
Behavioral task: behavioral1
  Sample: 07d6db962047ecdba45d50b7a6924c97b183da573799bd3332d19718f0b02eb1.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 07d6db962047ecdba45d50b7a6924c97b183da573799bd3332d19718f0b02eb1.exe
  Resource: win10v2004-en-20220113
General
Target: 07d6db962047ecdba45d50b7a6924c97b183da573799bd3332d19718f0b02eb1.exe
Size: 176KB
MD5: 0ee4615e38766f612d2ad93259da9ac1
SHA1: 4c9a3c56651d5acd60303944676cd059e69cb574
SHA256: 07d6db962047ecdba45d50b7a6924c97b183da573799bd3332d19718f0b02eb1
SHA512: 773fccfd57efac08b14ead0d472b7bf021d75126d84482db86e1a3bddf58d3601dff4f2d86a310149c03255cffdc84c459f96401752ae82880adf944b9f03806
Malware Config
Signatures
Sakula Payload (4 IoCs)
  resource                                                                      yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
  behavioral1/memory/1768-59-0x0000000000400000-0x0000000000420000-memory.dmp   family_sakula
  behavioral1/memory/948-60-0x0000000000400000-0x0000000000420000-memory.dmp    family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
  pid   process
  948   MediaCenter.exe
Deletes itself (1 IoC)
  pid   process
  1684  cmd.exe
Loads dropped DLL (1 IoC)
  pid   process
  1768  07d6db962047ecdba45d50b7a6924c97b183da573799bd3332d19718f0b02eb1.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                           process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  07d6db962047ecdba45d50b7a6924c97b183da573799bd3332d19718f0b02eb1.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  1768  07d6db962047ecdba45d50b7a6924c97b183da573799bd3332d19718f0b02eb1.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                              pid   process                                                                 target process
  PID 1768 wrote to memory of 948          1768  07d6db962047ecdba45d50b7a6924c97b183da573799bd3332d19718f0b02eb1.exe   MediaCenter.exe
  PID 1768 wrote to memory of 948          1768  07d6db962047ecdba45d50b7a6924c97b183da573799bd3332d19718f0b02eb1.exe   MediaCenter.exe
  PID 1768 wrote to memory of 948          1768  07d6db962047ecdba45d50b7a6924c97b183da573799bd3332d19718f0b02eb1.exe   MediaCenter.exe
  PID 1768 wrote to memory of 948          1768  07d6db962047ecdba45d50b7a6924c97b183da573799bd3332d19718f0b02eb1.exe   MediaCenter.exe
  PID 1768 wrote to memory of 1684         1768  07d6db962047ecdba45d50b7a6924c97b183da573799bd3332d19718f0b02eb1.exe   cmd.exe
  PID 1768 wrote to memory of 1684         1768  07d6db962047ecdba45d50b7a6924c97b183da573799bd3332d19718f0b02eb1.exe   cmd.exe
  PID 1768 wrote to memory of 1684         1768  07d6db962047ecdba45d50b7a6924c97b183da573799bd3332d19718f0b02eb1.exe   cmd.exe
  PID 1768 wrote to memory of 1684         1768  07d6db962047ecdba45d50b7a6924c97b183da573799bd3332d19718f0b02eb1.exe   cmd.exe
  PID 1684 wrote to memory of 1052         1684  cmd.exe                                                                 PING.EXE
  PID 1684 wrote to memory of 1052         1684  cmd.exe                                                                 PING.EXE
  PID 1684 wrote to memory of 1052         1684  cmd.exe                                                                 PING.EXE
  PID 1684 wrote to memory of 1052         1684  cmd.exe                                                                 PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\07d6db962047ecdba45d50b7a6924c97b183da573799bd3332d19718f0b02eb1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\07d6db962047ecdba45d50b7a6924c97b183da573799bd3332d19718f0b02eb1.exe"
   PID: 1768
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 948
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07d6db962047ecdba45d50b7a6924c97b183da573799bd3332d19718f0b02eb1.exe"
      PID: 1684
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 1052
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 885ff6aa5ece9ca790e59b2f33f784ae
  SHA1: 9af9d2831a75a672f485d912da51a852124a46d4
  SHA256: 7836288f79bbca0b6d00a3bed59af92ac4068d1b88628199ebda1517871bbfb0
  SHA512: af7a0c36a98e75f9ca12da7c3e6647bd12bf0398bb3c6869e963b548447545ee573c4856931bff4407405207fc16b6984e962a32d7496cf6fefc3156fdd5a767
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 885ff6aa5ece9ca790e59b2f33f784ae
  SHA1: 9af9d2831a75a672f485d912da51a852124a46d4
  SHA256: 7836288f79bbca0b6d00a3bed59af92ac4068d1b88628199ebda1517871bbfb0
  SHA512: af7a0c36a98e75f9ca12da7c3e6647bd12bf0398bb3c6869e963b548447545ee573c4856931bff4407405207fc16b6984e962a32d7496cf6fefc3156fdd5a767
memory/948-60-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
memory/1768-55-0x00000000762C1000-0x00000000762C3000-memory.dmp
  Filesize: 8KB
memory/1768-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB