Analysis
max time kernel: 131s
max time network: 152s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 09:42
Static task: static1
Behavioral task: behavioral1
  Sample: 093f4c1daf23832f07a0d60f1b7c6a11407f6d93665d7281e860633d5e8a0144.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 093f4c1daf23832f07a0d60f1b7c6a11407f6d93665d7281e860633d5e8a0144.exe
  Resource: win10v2004-en-20220112
General
Target: 093f4c1daf23832f07a0d60f1b7c6a11407f6d93665d7281e860633d5e8a0144.exe
Size: 220KB
MD5: 9a09b9f424267d8602977279775dd3f6
SHA1: 8ad8b470797fae222929030d45df093d2eed36e8
SHA256: 093f4c1daf23832f07a0d60f1b7c6a11407f6d93665d7281e860633d5e8a0144
SHA512: df6bd0f37f1c1e73bb36d3d4cab8d09f8fe1cd55320771212f743d4c9cda00ff5c4e05b4a0d8872671e6231760d21fea798c6980a103d4d4a37a1307d09bee4f
Malware Config
Signatures
Sakula Payload (4 IoCs)
  resource / yara_rule:
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  - behavioral1/memory/1532-59-0x0000000000400000-0x0000000000420000-memory.dmp: family_sakula
  - behavioral1/memory/1540-60-0x0000000000400000-0x0000000000420000-memory.dmp: family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
  PID 1540: MediaCenter.exe
Deletes itself (1 IoC)
  PID 832: cmd.exe
Loads dropped DLL (1 IoC)
  PID 1532: 093f4c1daf23832f07a0d60f1b7c6a11407f6d93665d7281e860633d5e8a0144.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  093f4c1daf23832f07a0d60f1b7c6a11407f6d93665d7281e860633d5e8a0144.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1532 (093f4c1daf23832f07a0d60f1b7c6a11407f6d93665d7281e860633d5e8a0144.exe): Token: SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1532 (093f4c1daf23832f07a0d60f1b7c6a11407f6d93665d7281e860633d5e8a0144.exe) wrote to memory of PID 1540 (MediaCenter.exe): 4 events
  PID 1532 (093f4c1daf23832f07a0d60f1b7c6a11407f6d93665d7281e860633d5e8a0144.exe) wrote to memory of PID 832 (cmd.exe): 4 events
  PID 832 (cmd.exe) wrote to memory of PID 1432 (PING.EXE): 4 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\093f4c1daf23832f07a0d60f1b7c6a11407f6d93665d7281e860633d5e8a0144.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\093f4c1daf23832f07a0d60f1b7c6a11407f6d93665d7281e860633d5e8a0144.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1532
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1540
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\093f4c1daf23832f07a0d60f1b7c6a11407f6d93665d7281e860633d5e8a0144.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 832
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1432
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (also recorded as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe)
  MD5: 1e16d0479eba313d99ce5ff4ed8b09f5
  SHA1: 5ecb0c008cb2a788807ee5cf9ee2ae6691a095eb
  SHA256: df5cda50b1b7303a33179a32a9f55c5208c5e364062129bfb609d5a45635d58f
  SHA512: a1fdf47719cf3d7cec1373143ae879fe975bfff415ee51db821b2c957d325bd39cab51b438fc1c2430974aed517eeb1f7df8a946da883c5ae11b9f077bb7c12a
memory/1532-55-0x0000000074F11000-0x0000000074F13000-memory.dmp
  Filesize: 8KB
memory/1532-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
memory/1540-60-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB