Analysis
-
max time kernel
130s -
max time network
147s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
12-02-2022 10:32
Static task
static1
Behavioral task
behavioral1
Sample
06d632f6dd43704ffcdf4df923bf8f01dae2885adcecae5a7ea19df6a7634d77.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
06d632f6dd43704ffcdf4df923bf8f01dae2885adcecae5a7ea19df6a7634d77.exe
Resource
win10v2004-en-20220113
General
-
Target
06d632f6dd43704ffcdf4df923bf8f01dae2885adcecae5a7ea19df6a7634d77.exe
-
Size
120KB
-
MD5
fd3d5aa0e77c1b04c1636056f5199b7e
-
SHA1
06138e687d5519bcce31940e84c2113cab34ce07
-
SHA256
06d632f6dd43704ffcdf4df923bf8f01dae2885adcecae5a7ea19df6a7634d77
-
SHA512
f5b508a28715280f9473e9f32c7059e23e6ae8b3ee7f16c42385e25fe671befa12943b5823194a846b88bc61002b14c2fc3e0e4f5c51218a2482bee5b8b77eac
Malware Config
Signatures
-
Sakula Payload 4 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula behavioral1/memory/1588-59-0x0000000000400000-0x0000000000420000-memory.dmp family_sakula behavioral1/memory/1664-61-0x0000000000400000-0x0000000000420000-memory.dmp family_sakula -
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1664 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 812 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
06d632f6dd43704ffcdf4df923bf8f01dae2885adcecae5a7ea19df6a7634d77.exepid process 1588 06d632f6dd43704ffcdf4df923bf8f01dae2885adcecae5a7ea19df6a7634d77.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
06d632f6dd43704ffcdf4df923bf8f01dae2885adcecae5a7ea19df6a7634d77.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 06d632f6dd43704ffcdf4df923bf8f01dae2885adcecae5a7ea19df6a7634d77.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
06d632f6dd43704ffcdf4df923bf8f01dae2885adcecae5a7ea19df6a7634d77.exedescription pid process Token: SeIncBasePriorityPrivilege 1588 06d632f6dd43704ffcdf4df923bf8f01dae2885adcecae5a7ea19df6a7634d77.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
06d632f6dd43704ffcdf4df923bf8f01dae2885adcecae5a7ea19df6a7634d77.execmd.exedescription pid process target process PID 1588 wrote to memory of 1664 1588 06d632f6dd43704ffcdf4df923bf8f01dae2885adcecae5a7ea19df6a7634d77.exe MediaCenter.exe PID 1588 wrote to memory of 1664 1588 06d632f6dd43704ffcdf4df923bf8f01dae2885adcecae5a7ea19df6a7634d77.exe MediaCenter.exe PID 1588 wrote to memory of 1664 1588 06d632f6dd43704ffcdf4df923bf8f01dae2885adcecae5a7ea19df6a7634d77.exe MediaCenter.exe PID 1588 wrote to memory of 1664 1588 06d632f6dd43704ffcdf4df923bf8f01dae2885adcecae5a7ea19df6a7634d77.exe MediaCenter.exe PID 1588 wrote to memory of 812 1588 06d632f6dd43704ffcdf4df923bf8f01dae2885adcecae5a7ea19df6a7634d77.exe cmd.exe PID 1588 wrote to memory of 812 1588 06d632f6dd43704ffcdf4df923bf8f01dae2885adcecae5a7ea19df6a7634d77.exe cmd.exe PID 1588 wrote to memory of 812 1588 06d632f6dd43704ffcdf4df923bf8f01dae2885adcecae5a7ea19df6a7634d77.exe cmd.exe PID 1588 wrote to memory of 812 1588 06d632f6dd43704ffcdf4df923bf8f01dae2885adcecae5a7ea19df6a7634d77.exe cmd.exe PID 812 wrote to memory of 1648 812 cmd.exe PING.EXE PID 812 wrote to memory of 1648 812 cmd.exe PING.EXE PID 812 wrote to memory of 1648 812 cmd.exe PING.EXE PID 812 wrote to memory of 1648 812 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\06d632f6dd43704ffcdf4df923bf8f01dae2885adcecae5a7ea19df6a7634d77.exe"C:\Users\Admin\AppData\Local\Temp\06d632f6dd43704ffcdf4df923bf8f01dae2885adcecae5a7ea19df6a7634d77.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06d632f6dd43704ffcdf4df923bf8f01dae2885adcecae5a7ea19df6a7634d77.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1648
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
5b1819aaf9a84d2903bffc5555a0d098
SHA1414e66e53460207f5b465a1d0a0e1bf8ebc6ce60
SHA256e97b7d8eeff620ce1f6305161e21ece383b9ddb6ade59e7713faf8369035eaa4
SHA51283ccc1b7a714c6a51fbf07d0d5bd9fd9e8757ff486c9efdf00585bffa7e18e10d99c29fbe6341a875b3429d758fc9efcf61fbbc848ec6c83f9904ca5ddb465fa
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
5b1819aaf9a84d2903bffc5555a0d098
SHA1414e66e53460207f5b465a1d0a0e1bf8ebc6ce60
SHA256e97b7d8eeff620ce1f6305161e21ece383b9ddb6ade59e7713faf8369035eaa4
SHA51283ccc1b7a714c6a51fbf07d0d5bd9fd9e8757ff486c9efdf00585bffa7e18e10d99c29fbe6341a875b3429d758fc9efcf61fbbc848ec6c83f9904ca5ddb465fa
-
memory/1588-55-0x0000000075321000-0x0000000075323000-memory.dmpFilesize
8KB
-
memory/1588-60-0x0000000000230000-0x0000000000250000-memory.dmpFilesize
128KB
-
memory/1588-59-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1664-61-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB