Analysis
- max time kernel: 136s
- max time network: 141s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:22
Static task: static1
Behavioral task: behavioral1
  Sample: 0a46f3d37bfb21b911933612eb93fca5e34cbc76dd80b169326820c38c14396d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0a46f3d37bfb21b911933612eb93fca5e34cbc76dd80b169326820c38c14396d.exe
  Resource: win10v2004-en-20220113
General
- Target: 0a46f3d37bfb21b911933612eb93fca5e34cbc76dd80b169326820c38c14396d.exe
- Size: 92KB
- MD5: 8fde85b9c07e5bacc683a8eb0940b0d9
- SHA1: acfe92e9c5f12d62216eaeff612679f0f8eeb74e
- SHA256: 0a46f3d37bfb21b911933612eb93fca5e34cbc76dd80b169326820c38c14396d
- SHA512: 20a78f67c482a407186e197e0becc37bfb3392ad0f8903b195882c22ca3fc6f0e46db92d00d5ed60ca3fd4c104c1909abb9738b28893efe9a63e25218c635fb5
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource, yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1628  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    748  cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
    1444  0a46f3d37bfb21b911933612eb93fca5e34cbc76dd80b169326820c38c14396d.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  0a46f3d37bfb21b911933612eb93fca5e34cbc76dd80b169326820c38c14396d.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  1444  0a46f3d37bfb21b911933612eb93fca5e34cbc76dd80b169326820c38c14396d.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1444 wrote to memory of 1628  1444  0a46f3d37bfb21b911933612eb93fca5e34cbc76dd80b169326820c38c14396d.exe  MediaCenter.exe  (4 identical entries)
    PID 1444 wrote to memory of 748  1444  0a46f3d37bfb21b911933612eb93fca5e34cbc76dd80b169326820c38c14396d.exe  cmd.exe  (4 identical entries)
    PID 748 wrote to memory of 1272  748  cmd.exe  PING.EXE  (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0a46f3d37bfb21b911933612eb93fca5e34cbc76dd80b169326820c38c14396d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a46f3d37bfb21b911933612eb93fca5e34cbc76dd80b169326820c38c14396d.exe"
  PID: 1444
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1628
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a46f3d37bfb21b911933612eb93fca5e34cbc76dd80b169326820c38c14396d.exe"
    PID: 748
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1272
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 16f28abb83cc39bbd5a62d4cbfef47e4
  SHA1: 805f07ac14386a6e44d33196393410f4b8b47081
  SHA256: c9dcd80f1d67533fc3fc694112abe77c89ea78a6ecb9ffd55351cd1098c277f7
  SHA512: 864431abf5c7b8f7ef74d7b47104f5bb3e88a216aabe938218e64364c243fc2b1e7ef32d69727607175055b9164843e9b0c007a1e72da27e8fdb9eeece37053d
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Same file as the entry above (identical MD5, SHA1, SHA256 and SHA512), listed a second time without the drive letter.
- memory/1444-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
  Filesize: 8KB