Analysis
- max time kernel: 139s
- max time network: 147s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:30
Static task: static1
Behavioral task: behavioral1
- Sample: 06f01bfa7cfca92b64d533d0f9b46416c52169f5682cee019a99591aa2471cb7.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 06f01bfa7cfca92b64d533d0f9b46416c52169f5682cee019a99591aa2471cb7.exe
- Resource: win10v2004-en-20220112
General
- Target: 06f01bfa7cfca92b64d533d0f9b46416c52169f5682cee019a99591aa2471cb7.exe
- Size: 176KB
- MD5: 72370f5c346b8bd221d6af9d5d8d9eb5
- SHA1: c2b04e8f5136d1cfbc80afe5abbc4066e8697e0d
- SHA256: 06f01bfa7cfca92b64d533d0f9b46416c52169f5682cee019a99591aa2471cb7
- SHA512: a3f9429fb9f297401f84ab5252e15dcbfc4e4d63445081d21893e0ba6999d817f662c3d69b9edfdaf3ee2fcc77cc57d0c8e824b434af73ff5ad65adc89b28143
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/812-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1128-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  pid | process
  1128 | MediaCenter.exe
- Deletes itself (1 IoC)
  pid | process
  396 | cmd.exe
- Loads dropped DLL (1 IoC)
  pid | process
  812 | 06f01bfa7cfca92b64d533d0f9b46416c52169f5682cee019a99591aa2471cb7.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 06f01bfa7cfca92b64d533d0f9b46416c52169f5682cee019a99591aa2471cb7.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 812 | 06f01bfa7cfca92b64d533d0f9b46416c52169f5682cee019a99591aa2471cb7.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 812 wrote to memory of 1128 | 812 | 06f01bfa7cfca92b64d533d0f9b46416c52169f5682cee019a99591aa2471cb7.exe | MediaCenter.exe
  PID 812 wrote to memory of 1128 | 812 | 06f01bfa7cfca92b64d533d0f9b46416c52169f5682cee019a99591aa2471cb7.exe | MediaCenter.exe
  PID 812 wrote to memory of 1128 | 812 | 06f01bfa7cfca92b64d533d0f9b46416c52169f5682cee019a99591aa2471cb7.exe | MediaCenter.exe
  PID 812 wrote to memory of 1128 | 812 | 06f01bfa7cfca92b64d533d0f9b46416c52169f5682cee019a99591aa2471cb7.exe | MediaCenter.exe
  PID 812 wrote to memory of 396 | 812 | 06f01bfa7cfca92b64d533d0f9b46416c52169f5682cee019a99591aa2471cb7.exe | cmd.exe
  PID 812 wrote to memory of 396 | 812 | 06f01bfa7cfca92b64d533d0f9b46416c52169f5682cee019a99591aa2471cb7.exe | cmd.exe
  PID 812 wrote to memory of 396 | 812 | 06f01bfa7cfca92b64d533d0f9b46416c52169f5682cee019a99591aa2471cb7.exe | cmd.exe
  PID 812 wrote to memory of 396 | 812 | 06f01bfa7cfca92b64d533d0f9b46416c52169f5682cee019a99591aa2471cb7.exe | cmd.exe
  PID 396 wrote to memory of 1332 | 396 | cmd.exe | PING.EXE
  PID 396 wrote to memory of 1332 | 396 | cmd.exe | PING.EXE
  PID 396 wrote to memory of 1332 | 396 | cmd.exe | PING.EXE
  PID 396 wrote to memory of 1332 | 396 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\06f01bfa7cfca92b64d533d0f9b46416c52169f5682cee019a99591aa2471cb7.exe (depth 1, PID 812)
  Command line: "C:\Users\Admin\AppData\Local\Temp\06f01bfa7cfca92b64d533d0f9b46416c52169f5682cee019a99591aa2471cb7.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2, PID 1128)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 396)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06f01bfa7cfca92b64d533d0f9b46416c52169f5682cee019a99591aa2471cb7.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3, PID 1332)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 1dda871d8bf93abf0df4152bfc90b7ad
  SHA1: 73a9700314c124d3c46224bd2ef7469a02abedd2
  SHA256: e688f07e0e8feae95f01ca9d258647a2b70afb7c98fbb01c070ecccf73d8b1bc
  SHA512: 319ef6dac48338e26f2bba2afed075d1b54e82b42fc29865c29c0fb65839ffa229eb54beecaaf3ed834c1b6083fae4f0ecb6a9f82dfbdd510a7a275bcaf9630b
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 1dda871d8bf93abf0df4152bfc90b7ad
  SHA1: 73a9700314c124d3c46224bd2ef7469a02abedd2
  SHA256: e688f07e0e8feae95f01ca9d258647a2b70afb7c98fbb01c070ecccf73d8b1bc
  SHA512: 319ef6dac48338e26f2bba2afed075d1b54e82b42fc29865c29c0fb65839ffa229eb54beecaaf3ed834c1b6083fae4f0ecb6a9f82dfbdd510a7a275bcaf9630b
- memory/812-54-0x0000000075F21000-0x0000000075F23000-memory.dmp
  Filesize: 8KB
- memory/812-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1128-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB