Analysis
- max time kernel: 140s
- max time network: 152s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:23
Static task: static1
Behavioral task: behavioral1
- Sample: 0a3ebdb6420e2bd1f5d48f34c1afb7fb0d608970c4922cb6c83a0016a7eed296.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0a3ebdb6420e2bd1f5d48f34c1afb7fb0d608970c4922cb6c83a0016a7eed296.exe
- Resource: win10v2004-en-20220113
General
- Target: 0a3ebdb6420e2bd1f5d48f34c1afb7fb0d608970c4922cb6c83a0016a7eed296.exe
- Size: 89KB
- MD5: c6ea3448769a78a89c6f0e8f71e2854a
- SHA1: 6b81a822d860254321e49c848f2ee74986367b19
- SHA256: 0a3ebdb6420e2bd1f5d48f34c1afb7fb0d608970c4922cb6c83a0016a7eed296
- SHA512: 41220650d6a1f04c57dd2683d4ac6c027e55ed3102cae7d1ee4daa405ebd70f1978687b88b49f2a9ac0e4823cf1763949c039d5db7ec84a5b9bcf68d3306d9c2
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1528-58-0x0000000000400000-0x000000000041B000-memory.dmp | family_sakula
  behavioral1/memory/940-59-0x0000000000400000-0x000000000041B000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  pid 940: MediaCenter.exe
- Deletes itself (1 IoC)
  pid 428: cmd.exe
- Loads dropped DLL (1 IoC)
  pid 1528: 0a3ebdb6420e2bd1f5d48f34c1afb7fb0d608970c4922cb6c83a0016a7eed296.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0a3ebdb6420e2bd1f5d48f34c1afb7fb0d608970c4922cb6c83a0016a7eed296.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, pid 1528, 0a3ebdb6420e2bd1f5d48f34c1afb7fb0d608970c4922cb6c83a0016a7eed296.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 0a3ebdb6420e2bd1f5d48f34c1afb7fb0d608970c4922cb6c83a0016a7eed296.exe, cmd.exe
  PID 1528 wrote to memory of 940 (0a3ebdb6420e2bd1f5d48f34c1afb7fb0d608970c4922cb6c83a0016a7eed296.exe -> MediaCenter.exe), reported 4 times
  PID 1528 wrote to memory of 428 (0a3ebdb6420e2bd1f5d48f34c1afb7fb0d608970c4922cb6c83a0016a7eed296.exe -> cmd.exe), reported 4 times
  PID 428 wrote to memory of 1824 (cmd.exe -> PING.EXE), reported 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\0a3ebdb6420e2bd1f5d48f34c1afb7fb0d608970c4922cb6c83a0016a7eed296.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a3ebdb6420e2bd1f5d48f34c1afb7fb0d608970c4922cb6c83a0016a7eed296.exe"
  PID: 1528
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 940
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a3ebdb6420e2bd1f5d48f34c1afb7fb0d608970c4922cb6c83a0016a7eed296.exe"
    PID: 428
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1824
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: afbf083940aa1042e3e103f25af301c4
  SHA1: 5502e2d59d584a89a5bd897d84ff2bcf8c080a0a
  SHA256: 574ca5f674c94eef90660a4d6146cfbfa353d8d4cf83653564f8b8f13b8beb49
  SHA512: 6a38b1f72df5926fc339c14ab25966270ec80d7ec3ecbdbc6d09e178ef179861e32a248fcc40908ceb56ae760e9e243a8520873d52c19ee30072cdf5d6181a80
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: afbf083940aa1042e3e103f25af301c4
  SHA1: 5502e2d59d584a89a5bd897d84ff2bcf8c080a0a
  SHA256: 574ca5f674c94eef90660a4d6146cfbfa353d8d4cf83653564f8b8f13b8beb49
  SHA512: 6a38b1f72df5926fc339c14ab25966270ec80d7ec3ecbdbc6d09e178ef179861e32a248fcc40908ceb56ae760e9e243a8520873d52c19ee30072cdf5d6181a80
- memory/940-59-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
- memory/1528-54-0x0000000076121000-0x0000000076123000-memory.dmp
  Filesize: 8KB
- memory/1528-58-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB