Analysis
- max time kernel: 141s
- max time network: 161s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:19
Static task: static1
Behavioral task: behavioral1
  Sample: 0a68141f15a71a4daf4c45952e24fb02b1c2f7534e345430c651c625ac3dd023.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0a68141f15a71a4daf4c45952e24fb02b1c2f7534e345430c651c625ac3dd023.exe
  Resource: win10v2004-en-20220113
General
- Target: 0a68141f15a71a4daf4c45952e24fb02b1c2f7534e345430c651c625ac3dd023.exe
- Size: 89KB
- MD5: 2b208d904691d6f8c4b8200593567760
- SHA1: 9c8d2b221448816d351f761c9c70cacbfa48d28f
- SHA256: 0a68141f15a71a4daf4c45952e24fb02b1c2f7534e345430c651c625ac3dd023
- SHA512: bb1349c25156eaae13c005e301afbf032460b5211dd45423f88f858eb40448886d5bcf0d1003025092677646858d10a456e2b9dfa87744660c8dc8977180eab9
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource | yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
    1920 | MediaCenter.exe
- Deletes itself (1 IoCs)
  Processes (pid | process):
    1636 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid | process):
    1588 | 0a68141f15a71a4daf4c45952e24fb02b1c2f7534e345430c651c625ac3dd023.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0a68141f15a71a4daf4c45952e24fb02b1c2f7534e345430c651c625ac3dd023.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 1588 | 0a68141f15a71a4daf4c45952e24fb02b1c2f7534e345430c651c625ac3dd023.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 1588 wrote to memory of 1920 | 1588 | 0a68141f15a71a4daf4c45952e24fb02b1c2f7534e345430c651c625ac3dd023.exe | MediaCenter.exe
    PID 1588 wrote to memory of 1920 | 1588 | 0a68141f15a71a4daf4c45952e24fb02b1c2f7534e345430c651c625ac3dd023.exe | MediaCenter.exe
    PID 1588 wrote to memory of 1920 | 1588 | 0a68141f15a71a4daf4c45952e24fb02b1c2f7534e345430c651c625ac3dd023.exe | MediaCenter.exe
    PID 1588 wrote to memory of 1920 | 1588 | 0a68141f15a71a4daf4c45952e24fb02b1c2f7534e345430c651c625ac3dd023.exe | MediaCenter.exe
    PID 1588 wrote to memory of 1636 | 1588 | 0a68141f15a71a4daf4c45952e24fb02b1c2f7534e345430c651c625ac3dd023.exe | cmd.exe
    PID 1588 wrote to memory of 1636 | 1588 | 0a68141f15a71a4daf4c45952e24fb02b1c2f7534e345430c651c625ac3dd023.exe | cmd.exe
    PID 1588 wrote to memory of 1636 | 1588 | 0a68141f15a71a4daf4c45952e24fb02b1c2f7534e345430c651c625ac3dd023.exe | cmd.exe
    PID 1588 wrote to memory of 1636 | 1588 | 0a68141f15a71a4daf4c45952e24fb02b1c2f7534e345430c651c625ac3dd023.exe | cmd.exe
    PID 1636 wrote to memory of 896 | 1636 | cmd.exe | PING.EXE
    PID 1636 wrote to memory of 896 | 1636 | cmd.exe | PING.EXE
    PID 1636 wrote to memory of 896 | 1636 | cmd.exe | PING.EXE
    PID 1636 wrote to memory of 896 | 1636 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0a68141f15a71a4daf4c45952e24fb02b1c2f7534e345430c651c625ac3dd023.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a68141f15a71a4daf4c45952e24fb02b1c2f7534e345430c651c625ac3dd023.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1588
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1920
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a68141f15a71a4daf4c45952e24fb02b1c2f7534e345430c651c625ac3dd023.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1636
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 896
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: d40b1a0ec12c4c708f0532fd4c53540a
  SHA1: baf45e48e6a80e248e84b28ed2e83f69e9cea971
  SHA256: b6a01c4941ac6290e409a8a72ff9336457ed7480c9848f9d4d1df8801d14f82a
  SHA512: 93c19931b468dad58c510cc12567372a7a7fc3b882066019fd8ad709595df097c6d8d0aee9ff129561c0b7ccec6536532130a800d4b96323592bd578371213e5
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: d40b1a0ec12c4c708f0532fd4c53540a
  SHA1: baf45e48e6a80e248e84b28ed2e83f69e9cea971
  SHA256: b6a01c4941ac6290e409a8a72ff9336457ed7480c9848f9d4d1df8801d14f82a
  SHA512: 93c19931b468dad58c510cc12567372a7a7fc3b882066019fd8ad709595df097c6d8d0aee9ff129561c0b7ccec6536532130a800d4b96323592bd578371213e5
- memory/1588-55-0x0000000075321000-0x0000000075323000-memory.dmp
  Filesize: 8KB