Analysis
- max time kernel: 121s
- max time network: 140s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:19
Static task: static1
Behavioral task: behavioral1
- Sample: 0794b5d083295ea5e8af5f30d70e3e49ba9f37b93aed96756ef7a5b50de9d12a.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0794b5d083295ea5e8af5f30d70e3e49ba9f37b93aed96756ef7a5b50de9d12a.exe
- Resource: win10v2004-en-20220112
General
- Target: 0794b5d083295ea5e8af5f30d70e3e49ba9f37b93aed96756ef7a5b50de9d12a.exe
- Size: 176KB
- MD5: 6f3b7d29a54393bef502f60143662910
- SHA1: 180b1835a5925637331ca6c94e2cd284cb7e7908
- SHA256: 0794b5d083295ea5e8af5f30d70e3e49ba9f37b93aed96756ef7a5b50de9d12a
- SHA512: fe95144b14b7c18883d3016278fd5894873c74814ac65d0636b54f3d29936fbf4dd705f7d7ee2574bd1a114c085be9c726d2737103fa51a118551d96f5a7ed51
Malware Config
Signatures
- Sakula Payload (4 IoCs)
Processes (resource / yara_rule):
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- behavioral1/memory/1396-59-0x0000000000400000-0x0000000000420000-memory.dmp: family_sakula
- behavioral1/memory/804-60-0x0000000000400000-0x0000000000420000-memory.dmp: family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
Processes (pid / process):
- 804 MediaCenter.exe
- Deletes itself (1 IoC)
Processes (pid / process):
- 668 cmd.exe
- Loads dropped DLL (1 IoC)
Processes (pid / process):
- 1396 0794b5d083295ea5e8af5f30d70e3e49ba9f37b93aed96756ef7a5b50de9d12a.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description / ioc / process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" by 0794b5d083295ea5e8af5f30d70e3e49ba9f37b93aed96756ef7a5b50de9d12a.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description / pid / process):
- Token: SeIncBasePriorityPrivilege 1396 0794b5d083295ea5e8af5f30d70e3e49ba9f37b93aed96756ef7a5b50de9d12a.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description / pid / process / target process):
- PID 1396 wrote to memory of 804: 0794b5d083295ea5e8af5f30d70e3e49ba9f37b93aed96756ef7a5b50de9d12a.exe -> MediaCenter.exe
- PID 1396 wrote to memory of 804: 0794b5d083295ea5e8af5f30d70e3e49ba9f37b93aed96756ef7a5b50de9d12a.exe -> MediaCenter.exe
- PID 1396 wrote to memory of 804: 0794b5d083295ea5e8af5f30d70e3e49ba9f37b93aed96756ef7a5b50de9d12a.exe -> MediaCenter.exe
- PID 1396 wrote to memory of 804: 0794b5d083295ea5e8af5f30d70e3e49ba9f37b93aed96756ef7a5b50de9d12a.exe -> MediaCenter.exe
- PID 1396 wrote to memory of 668: 0794b5d083295ea5e8af5f30d70e3e49ba9f37b93aed96756ef7a5b50de9d12a.exe -> cmd.exe
- PID 1396 wrote to memory of 668: 0794b5d083295ea5e8af5f30d70e3e49ba9f37b93aed96756ef7a5b50de9d12a.exe -> cmd.exe
- PID 1396 wrote to memory of 668: 0794b5d083295ea5e8af5f30d70e3e49ba9f37b93aed96756ef7a5b50de9d12a.exe -> cmd.exe
- PID 1396 wrote to memory of 668: 0794b5d083295ea5e8af5f30d70e3e49ba9f37b93aed96756ef7a5b50de9d12a.exe -> cmd.exe
- PID 668 wrote to memory of 1984: cmd.exe -> PING.EXE
- PID 668 wrote to memory of 1984: cmd.exe -> PING.EXE
- PID 668 wrote to memory of 1984: cmd.exe -> PING.EXE
- PID 668 wrote to memory of 1984: cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0794b5d083295ea5e8af5f30d70e3e49ba9f37b93aed96756ef7a5b50de9d12a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0794b5d083295ea5e8af5f30d70e3e49ba9f37b93aed96756ef7a5b50de9d12a.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1396
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 804
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0794b5d083295ea5e8af5f30d70e3e49ba9f37b93aed96756ef7a5b50de9d12a.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 668
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1984
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: f9f7b8100232a55bb05903065b141fed
  SHA1: 040340f1da98a1082bee9a6c1c237998e86bd6a8
  SHA256: 230bf813108bc9d071bf692f18b09e57bbabe53c536209754ddb27c977dfa4ad
  SHA512: 2abc7219477bcec13e9d88d85a1d136874c16d9d5f8d9897c661c04e8382083fb415fd704d74c16453ceb47aab4300521b6e8a5952b718698264a0a58612d3ab
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: f9f7b8100232a55bb05903065b141fed
  SHA1: 040340f1da98a1082bee9a6c1c237998e86bd6a8
  SHA256: 230bf813108bc9d071bf692f18b09e57bbabe53c536209754ddb27c977dfa4ad
  SHA512: 2abc7219477bcec13e9d88d85a1d136874c16d9d5f8d9897c661c04e8382083fb415fd704d74c16453ceb47aab4300521b6e8a5952b718698264a0a58612d3ab
- memory/804-60-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1396-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp
  Filesize: 8KB
- memory/1396-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB