Analysis
max time kernel: 149s
max time network: 171s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 09:27
Static task: static1
Behavioral task: behavioral1
  Sample: 0a0f8cd645d0466a10955740a7bb0d1b3b591e632b6a9422e32884e1bf0dea1f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0a0f8cd645d0466a10955740a7bb0d1b3b591e632b6a9422e32884e1bf0dea1f.exe
  Resource: win10v2004-en-20220112
General
Target: 0a0f8cd645d0466a10955740a7bb0d1b3b591e632b6a9422e32884e1bf0dea1f.exe
Size: 216KB
MD5: a18c204062821f34000e17b09b8f2810
SHA1: bdce1a00d1fefc55591a3783e5c087d53b248577
SHA256: 0a0f8cd645d0466a10955740a7bb0d1b3b591e632b6a9422e32884e1bf0dea1f
SHA512: 4a70ebb4ad1144c14596369536f6f16937b43f84277208572f5e07aadf5c444606b9ef578700a17a7bfd892ebb24f5fa0ecc6be929804f5e9b025b134cd8e8d1
Malware Config
Signatures
-
Sakula Payload (4 IoCs)
Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/748-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1500-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  1500 | MediaCenter.exe
-
Deletes itself (1 IoCs)
Processes:
  pid | process
  764 | cmd.exe
-
Loads dropped DLL (1 IoCs)
Processes:
  pid | process
  748 | 0a0f8cd645d0466a10955740a7bb0d1b3b591e632b6a9422e32884e1bf0dea1f.exe
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0a0f8cd645d0466a10955740a7bb0d1b3b591e632b6a9422e32884e1bf0dea1f.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe (1 TTPs, 1 IoCs)
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 748 | 0a0f8cd645d0466a10955740a7bb0d1b3b591e632b6a9422e32884e1bf0dea1f.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description | pid | process | target process
  PID 748 wrote to memory of 1500 | 748 | 0a0f8cd645d0466a10955740a7bb0d1b3b591e632b6a9422e32884e1bf0dea1f.exe | MediaCenter.exe
  PID 748 wrote to memory of 1500 | 748 | 0a0f8cd645d0466a10955740a7bb0d1b3b591e632b6a9422e32884e1bf0dea1f.exe | MediaCenter.exe
  PID 748 wrote to memory of 1500 | 748 | 0a0f8cd645d0466a10955740a7bb0d1b3b591e632b6a9422e32884e1bf0dea1f.exe | MediaCenter.exe
  PID 748 wrote to memory of 1500 | 748 | 0a0f8cd645d0466a10955740a7bb0d1b3b591e632b6a9422e32884e1bf0dea1f.exe | MediaCenter.exe
  PID 748 wrote to memory of 764 | 748 | 0a0f8cd645d0466a10955740a7bb0d1b3b591e632b6a9422e32884e1bf0dea1f.exe | cmd.exe
  PID 748 wrote to memory of 764 | 748 | 0a0f8cd645d0466a10955740a7bb0d1b3b591e632b6a9422e32884e1bf0dea1f.exe | cmd.exe
  PID 748 wrote to memory of 764 | 748 | 0a0f8cd645d0466a10955740a7bb0d1b3b591e632b6a9422e32884e1bf0dea1f.exe | cmd.exe
  PID 748 wrote to memory of 764 | 748 | 0a0f8cd645d0466a10955740a7bb0d1b3b591e632b6a9422e32884e1bf0dea1f.exe | cmd.exe
  PID 764 wrote to memory of 1856 | 764 | cmd.exe | PING.EXE
  PID 764 wrote to memory of 1856 | 764 | cmd.exe | PING.EXE
  PID 764 wrote to memory of 1856 | 764 | cmd.exe | PING.EXE
  PID 764 wrote to memory of 1856 | 764 | cmd.exe | PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a0f8cd645d0466a10955740a7bb0d1b3b591e632b6a9422e32884e1bf0dea1f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a0f8cd645d0466a10955740a7bb0d1b3b591e632b6a9422e32884e1bf0dea1f.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 748
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1500
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a0f8cd645d0466a10955740a7bb0d1b3b591e632b6a9422e32884e1bf0dea1f.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 764
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1856
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 8cac4857dd3863fa85ade0740f5c2ee8
  SHA1: 278a6ab0000c666e74407261995435e4cd92d2e7
  SHA256: df9e378f55cbd3f31178f3d6ddb116b92c86dc3c8d9c2328ae2a0e7473fe2dbb
  SHA512: 3f0af801592660c00e5b14f3c4421cf9b500185cdd9ca63bc7aa0e7a41fd082ebed2edf6808c3bf4551f31a0544ff239df34407076e8b6ae41ca6479e3d27ab0
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 8cac4857dd3863fa85ade0740f5c2ee8
  SHA1: 278a6ab0000c666e74407261995435e4cd92d2e7
  SHA256: df9e378f55cbd3f31178f3d6ddb116b92c86dc3c8d9c2328ae2a0e7473fe2dbb
  SHA512: 3f0af801592660c00e5b14f3c4421cf9b500185cdd9ca63bc7aa0e7a41fd082ebed2edf6808c3bf4551f31a0544ff239df34407076e8b6ae41ca6479e3d27ab0
-
memory/748-54-0x0000000074F01000-0x0000000074F03000-memory.dmp
  Filesize: 8KB
-
memory/748-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
-
memory/1500-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB