Analysis
- max time kernel: 151s
- max time network: 158s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 09:27
Static task: static1
Behavioral task: behavioral1
  Sample: 0a0fe4142783ac24c802467592559889fbc88c34f865158f30df1e0b38929358.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0a0fe4142783ac24c802467592559889fbc88c34f865158f30df1e0b38929358.exe
  Resource: win10v2004-en-20220113
General
- Target: 0a0fe4142783ac24c802467592559889fbc88c34f865158f30df1e0b38929358.exe
- Size: 184KB
- MD5: afd52f772793930547f18b87d6693c0f
- SHA1: 60b24f9ab545e9ec51a53641c91aaf2d6095127b
- SHA256: 0a0fe4142783ac24c802467592559889fbc88c34f865158f30df1e0b38929358
- SHA512: 6da16040d5f52fbfe4f9351efe18e248c17d295696bc89f950aa3cbcd8ce5ad5cf52636de9d343e5f3cd1a43660b2f06f6c192a8594de14a4c349f27e0852508
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  resource / yara_rule:
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  behavioral1/memory/1636-59-0x0000000000400000-0x0000000000420000-memory.dmp: family_sakula
  behavioral1/memory/1588-60-0x0000000000400000-0x0000000000420000-memory.dmp: family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  pid 1588 MediaCenter.exe
- Deletes itself (1 IoC)
  pid 960 cmd.exe
- Loads dropped DLL (1 IoC)
  pid 1636 0a0fe4142783ac24c802467592559889fbc88c34f865158f30df1e0b38929358.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" by pid 1636 0a0fe4142783ac24c802467592559889fbc88c34f865158f30df1e0b38929358.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock description for this signature calls it likely ransomware behaviour; nothing else in this report supports that reading for this Sakula RAT sample.
- Runs ping.exe (1 TTP, 1 IoC)
  pid 640 PING.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, pid 1636 0a0fe4142783ac24c802467592559889fbc88c34f865158f30df1e0b38929358.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1636 (0a0fe4142783ac24c802467592559889fbc88c34f865158f30df1e0b38929358.exe) wrote to memory of PID 1588 (MediaCenter.exe), 4 entries
  PID 1636 (0a0fe4142783ac24c802467592559889fbc88c34f865158f30df1e0b38929358.exe) wrote to memory of PID 960 (cmd.exe), 4 entries
  PID 960 (cmd.exe) wrote to memory of PID 640 (PING.EXE), 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\0a0fe4142783ac24c802467592559889fbc88c34f865158f30df1e0b38929358.exe (PID 1636)
  command line: "C:\Users\Admin\AppData\Local\Temp\0a0fe4142783ac24c802467592559889fbc88c34f865158f30df1e0b38929358.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1588)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 960)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a0fe4142783ac24c802467592559889fbc88c34f865158f30df1e0b38929358.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 640)
      command line: ping 127.0.0.1
      - Runs ping.exe
Note: the sample requests C:\Windows\System32\cmd.exe but the process image is C:\Windows\SysWOW64\cmd.exe; the sample is 32-bit, so WoW64 file system redirection maps System32 to SysWOW64 (the Run key landing under Wow6432Node is the registry side of the same redirection). The ping 127.0.0.1 is a delay so that the dropper has exited and released its file lock before del runs.
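The two host-side behaviours this report records, the ping-then-del self-deletion under "Deletes itself" and the Run key pointing into %TEMP% under "Adds Run key to start application", are simple to detect from process-creation and registry telemetry. The following is an added example written for this page, not sandbox code and not part of the original report: it runs two checks over constructed events that mirror the PIDs, images, command lines and Run key shown above. The event dictionaries, the field names and the list of "user-writable" path components are assumptions made for the example, not a real sensor's schema.

```python
import re
from typing import Dict, List

# Constructed process-creation events mirroring the process tree in this
# report (PIDs, images and command lines as reported); not sandbox output.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0a0fe4142783ac24c802467592559889fbc88c34f865158f30df1e0b38929358.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

PROCESS_EVENTS: List[Dict] = [
    {"pid": 1636, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1588, "ppid": 1636, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 960, "ppid": 1636, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"'},
    {"pid": 640, "ppid": 960, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]

# Constructed registry event for the Run key listed under Signatures.
RUN_KEY_EVENT: Dict = {
    "pid": 1636,
    "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
    "data": DROPPED,
}

# "ping <host> & del [/switches] <file>": ping is a cheap sleep so the parent
# has exited (and released its file lock) before del runs.
SELF_DELETE_RE = re.compile(
    r'\bping\s+\S+.*?&\s*del\s+(?:/\w+\s+)*"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)

# Autostart value data pointing into locations a standard user can write to
# (assumed list for the example; tune it to the environment).
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads|Public)\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def find_self_delete(events: List[Dict]) -> List[Dict]:
    """Flag cmd.exe children whose ping-then-del target is their parent's own image."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m:
            continue
        target = m.group("target").strip()
        parent = by_pid.get(e["ppid"])
        # Only a hit when the file being deleted is the parent process's image.
        if parent and parent["image"].lower() == target.lower():
            findings.append({"cmd_pid": e["pid"], "parent_pid": parent["pid"], "deleted": target})
    return findings


def suspicious_run_key(event: Dict) -> bool:
    """True when a Run/RunOnce value points at a binary in a user-writable path."""
    if not RUN_KEY_RE.search(event["key"]):
        return False
    data = event["data"].strip().strip('"')
    return USER_WRITABLE_RE.search(data) is not None


if __name__ == "__main__":
    for f in find_self_delete(PROCESS_EVENTS):
        print(f"self-delete: cmd.exe PID {f['cmd_pid']} removed {f['deleted']} (parent PID {f['parent_pid']})")
    if suspicious_run_key(RUN_KEY_EVENT):
        print(f"persistence: {RUN_KEY_EVENT['key']} -> {RUN_KEY_EVENT['data']}")
```

The self-delete check deliberately requires the deleted path to equal the parent's image path; a bare `ping & del` on some other file is common in installers and would otherwise produce noise. The Run key check fires on the Wow6432Node path as well as the native one because it matches on the CurrentVersion\Run component rather than the full key prefix.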
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 9a157a23bddafe6c25710cc2df6b519a
  SHA1: 30c852504a50eba96978041215c276b04e943cea
  SHA256: fa6815a4ab4f933f235e947de614ba347610e1bd23a24cb93f0c0010a06cc871
  SHA512: 671efdcc07840285898b188f720b90b181b452d7849ebf42650a243e32c9ebf1fcd7955b7a4f40a0b4fd7d3ed1a0238473e67de5186cf6c75723e1337dc5a640
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Same file recorded without the drive letter; MD5, SHA1, SHA256 and SHA512 identical to the entry above.
- memory/1588-60-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB
- memory/1636-55-0x0000000075801000-0x0000000075803000-memory.dmp: 8KB
- memory/1636-59-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB
Note: 0x00400000 is the default image base of a 32-bit PE, so the two 128KB dumps are consistent with the mapped images of the dropper (PID 1636) and the dropped MediaCenter.exe (PID 1588); these are the regions the family_sakula YARA rule matched under Signatures.