Analysis
- max time kernel: 139s
- max time network: 155s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:27
Static task: static1
Behavioral task: behavioral1
  Sample: 0729e7fa4c87b191ebf87edecb696a46c8d69383ceb2ccf5ebcc2a7f82025e15.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0729e7fa4c87b191ebf87edecb696a46c8d69383ceb2ccf5ebcc2a7f82025e15.exe
  Resource: win10v2004-en-20220113
General
- Target: 0729e7fa4c87b191ebf87edecb696a46c8d69383ceb2ccf5ebcc2a7f82025e15.exe
- Size: 176KB
- MD5: 9118b64918d2ddbe8258fccecff41beb
- SHA1: 3e96fd9e9d84bab29c42f443214ccfb2aa2af44a
- SHA256: 0729e7fa4c87b191ebf87edecb696a46c8d69383ceb2ccf5ebcc2a7f82025e15
- SHA512: 9d97e83f5054471016512bf1e04d2d51be5b3b5feb720a312b86f0e2e852d049d6fd17069826ce4c50c2f4dc52d7ad30da927936d0a018514fd5663260e591e8
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1608-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1616-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  pid | process
  1616 | MediaCenter.exe
- Deletes itself (1 IoC)
  pid | process
  432 | cmd.exe
- Loads dropped DLL (1 IoC)
  pid | process
  1608 | 0729e7fa4c87b191ebf87edecb696a46c8d69383ceb2ccf5ebcc2a7f82025e15.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0729e7fa4c87b191ebf87edecb696a46c8d69383ceb2ccf5ebcc2a7f82025e15.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1608 | 0729e7fa4c87b191ebf87edecb696a46c8d69383ceb2ccf5ebcc2a7f82025e15.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 1608 wrote to memory of 1616 | 1608 | 0729e7fa4c87b191ebf87edecb696a46c8d69383ceb2ccf5ebcc2a7f82025e15.exe | MediaCenter.exe
  PID 1608 wrote to memory of 1616 | 1608 | 0729e7fa4c87b191ebf87edecb696a46c8d69383ceb2ccf5ebcc2a7f82025e15.exe | MediaCenter.exe
  PID 1608 wrote to memory of 1616 | 1608 | 0729e7fa4c87b191ebf87edecb696a46c8d69383ceb2ccf5ebcc2a7f82025e15.exe | MediaCenter.exe
  PID 1608 wrote to memory of 1616 | 1608 | 0729e7fa4c87b191ebf87edecb696a46c8d69383ceb2ccf5ebcc2a7f82025e15.exe | MediaCenter.exe
  PID 1608 wrote to memory of 432 | 1608 | 0729e7fa4c87b191ebf87edecb696a46c8d69383ceb2ccf5ebcc2a7f82025e15.exe | cmd.exe
  PID 1608 wrote to memory of 432 | 1608 | 0729e7fa4c87b191ebf87edecb696a46c8d69383ceb2ccf5ebcc2a7f82025e15.exe | cmd.exe
  PID 1608 wrote to memory of 432 | 1608 | 0729e7fa4c87b191ebf87edecb696a46c8d69383ceb2ccf5ebcc2a7f82025e15.exe | cmd.exe
  PID 1608 wrote to memory of 432 | 1608 | 0729e7fa4c87b191ebf87edecb696a46c8d69383ceb2ccf5ebcc2a7f82025e15.exe | cmd.exe
  PID 432 wrote to memory of 960 | 432 | cmd.exe | PING.EXE
  PID 432 wrote to memory of 960 | 432 | cmd.exe | PING.EXE
  PID 432 wrote to memory of 960 | 432 | cmd.exe | PING.EXE
  PID 432 wrote to memory of 960 | 432 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0729e7fa4c87b191ebf87edecb696a46c8d69383ceb2ccf5ebcc2a7f82025e15.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0729e7fa4c87b191ebf87edecb696a46c8d69383ceb2ccf5ebcc2a7f82025e15.exe"
  PID: 1608
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1616
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0729e7fa4c87b191ebf87edecb696a46c8d69383ceb2ccf5ebcc2a7f82025e15.exe"
    PID: 432
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      PID: 960
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 38a89d3994154807ad7d902ada6ff504
  SHA1: 91f0dc998da35afcc8f930f2fc4f8d260641d54a
  SHA256: 61b780e7617e250c2df3135311bc96bc5f2f3a200c387be9e5f52fbe4f4540ba
  SHA512: de2580d19ada34981e0e5f011d680bdd59f60de3b1f17edd362608275205331fda03ee9d9ed1924b2d47d02a57daa330039f66428ff39bf8542994a81d55e92e
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 38a89d3994154807ad7d902ada6ff504
  SHA1: 91f0dc998da35afcc8f930f2fc4f8d260641d54a
  SHA256: 61b780e7617e250c2df3135311bc96bc5f2f3a200c387be9e5f52fbe4f4540ba
  SHA512: de2580d19ada34981e0e5f011d680bdd59f60de3b1f17edd362608275205331fda03ee9d9ed1924b2d47d02a57daa330039f66428ff39bf8542994a81d55e92e
- memory/1608-55-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
  Filesize: 8KB
- memory/1608-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1616-60-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB