Analysis
Max time kernel: 128s
Max time network: 140s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-02-2022 09:26
Static task: static1
Behavioral task: behavioral1
  Sample: 0a11e78bff99a6cc0487e9787c380a8bcc636952e02756ba699d5e2a93f113f7.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0a11e78bff99a6cc0487e9787c380a8bcc636952e02756ba699d5e2a93f113f7.exe
  Resource: win10v2004-en-20220113
General
Target: 0a11e78bff99a6cc0487e9787c380a8bcc636952e02756ba699d5e2a93f113f7.exe
Size: 216KB
MD5: 85bc25ef655a1fa10cac30002dd949f6
SHA1: 720d1010f01156f1e566ec354ac5339adce2690e
SHA256: 0a11e78bff99a6cc0487e9787c380a8bcc636952e02756ba699d5e2a93f113f7
SHA512: 31607b5f23392dcd67c6a3e699d899dd1beb7e1e574b83b9724dbfede5223556a4e96114473b9b3301003f9ac05698f41dadd709bbe26b7571e8013fb7b565df
Malware Config
Signatures
-
Sakula Payload 4 IoCs
Resource | YARA rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral1/memory/832-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral1/memory/1848-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

Executes dropped EXE 1 IoCs
Processes:
PID | Process
1848 | MediaCenter.exe

Deletes itself 1 IoCs
Processes:
PID | Process
396 | cmd.exe

Loads dropped DLL 1 IoCs
Processes:
PID | Process
832 | 0a11e78bff99a6cc0487e9787c380a8bcc636952e02756ba699d5e2a93f113f7.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0a11e78bff99a6cc0487e9787c380a8bcc636952e02756ba699d5e2a93f113f7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe 1 TTPs 1 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Description | PID | Process
Token: SeIncBasePriorityPrivilege | 832 | 0a11e78bff99a6cc0487e9787c380a8bcc636952e02756ba699d5e2a93f113f7.exe

Suspicious use of WriteProcessMemory 12 IoCs
Processes:
Description | PID | Process | Target process
PID 832 wrote to memory of 1848 | 832 | 0a11e78bff99a6cc0487e9787c380a8bcc636952e02756ba699d5e2a93f113f7.exe | MediaCenter.exe
PID 832 wrote to memory of 1848 | 832 | 0a11e78bff99a6cc0487e9787c380a8bcc636952e02756ba699d5e2a93f113f7.exe | MediaCenter.exe
PID 832 wrote to memory of 1848 | 832 | 0a11e78bff99a6cc0487e9787c380a8bcc636952e02756ba699d5e2a93f113f7.exe | MediaCenter.exe
PID 832 wrote to memory of 1848 | 832 | 0a11e78bff99a6cc0487e9787c380a8bcc636952e02756ba699d5e2a93f113f7.exe | MediaCenter.exe
PID 832 wrote to memory of 396 | 832 | 0a11e78bff99a6cc0487e9787c380a8bcc636952e02756ba699d5e2a93f113f7.exe | cmd.exe
PID 832 wrote to memory of 396 | 832 | 0a11e78bff99a6cc0487e9787c380a8bcc636952e02756ba699d5e2a93f113f7.exe | cmd.exe
PID 832 wrote to memory of 396 | 832 | 0a11e78bff99a6cc0487e9787c380a8bcc636952e02756ba699d5e2a93f113f7.exe | cmd.exe
PID 832 wrote to memory of 396 | 832 | 0a11e78bff99a6cc0487e9787c380a8bcc636952e02756ba699d5e2a93f113f7.exe | cmd.exe
PID 396 wrote to memory of 1992 | 396 | cmd.exe | PING.EXE
PID 396 wrote to memory of 1992 | 396 | cmd.exe | PING.EXE
PID 396 wrote to memory of 1992 | 396 | cmd.exe | PING.EXE
PID 396 wrote to memory of 1992 | 396 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0a11e78bff99a6cc0487e9787c380a8bcc636952e02756ba699d5e2a93f113f7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a11e78bff99a6cc0487e9787c380a8bcc636952e02756ba699d5e2a93f113f7.exe"
  PID: 832
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1848
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a11e78bff99a6cc0487e9787c380a8bcc636952e02756ba699d5e2a93f113f7.exe"
    PID: 396
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1992
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 3329327275a4f0c1bc01a07fc8927e5a
  SHA1: 6f558ae087bc69dcbbcd229276a2efcf7b01cc31
  SHA256: 0fb61663c791747ef2ebf61436b4291171da6af7518a75b7a64c108e02fabbf9
  SHA512: 31d09431b944711eb4740fbd51c391532f6b587efa8c4bafae02afb11b150522649729923ab722e933de96342ac8ff8dcc1f51783d3eada72d739869b1f95143
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 3329327275a4f0c1bc01a07fc8927e5a
  SHA1: 6f558ae087bc69dcbbcd229276a2efcf7b01cc31
  SHA256: 0fb61663c791747ef2ebf61436b4291171da6af7518a75b7a64c108e02fabbf9
  SHA512: 31d09431b944711eb4740fbd51c391532f6b587efa8c4bafae02afb11b150522649729923ab722e933de96342ac8ff8dcc1f51783d3eada72d739869b1f95143
memory/832-54-0x0000000075891000-0x0000000075893000-memory.dmp
  Filesize: 8KB
memory/832-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
memory/1848-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB