Analysis
- max time kernel: 131s
- max time network: 141s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:34
Static task
- static1
Behavioral task
- behavioral1
  Sample: 06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe
  Resource: win7-en-20211208
Behavioral task
- behavioral2
  Sample: 06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe
  Resource: win10v2004-en-20220113
General
- Target: 06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe
- Size: 216KB
- MD5: 529e27aa32e8826ebae7581d9ff050ee
- SHA1: 18e17a9d30518a9cbbc4ebb27165ba8c6291eee2
- SHA256: 06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985
- SHA512: 7a2126bff313f5322d5aa8bc05a0a4ede68b828e483c492a43a6801ad10f13f0f1a50f0f002eafe471d1c08e9718f4cbbfd44ff564dbe68905debaff7a5f2dfb
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    behavioral1/memory/740-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
    behavioral1/memory/1916-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    1916 | MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid | process
    432 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid | process
    740 | 06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 740 | 06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 740 wrote to memory of 1916 | 740 | 06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe | MediaCenter.exe
    PID 740 wrote to memory of 1916 | 740 | 06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe | MediaCenter.exe
    PID 740 wrote to memory of 1916 | 740 | 06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe | MediaCenter.exe
    PID 740 wrote to memory of 1916 | 740 | 06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe | MediaCenter.exe
    PID 740 wrote to memory of 432 | 740 | 06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe | cmd.exe
    PID 740 wrote to memory of 432 | 740 | 06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe | cmd.exe
    PID 740 wrote to memory of 432 | 740 | 06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe | cmd.exe
    PID 740 wrote to memory of 432 | 740 | 06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe | cmd.exe
    PID 432 wrote to memory of 2012 | 432 | cmd.exe | PING.EXE
    PID 432 wrote to memory of 2012 | 432 | cmd.exe | PING.EXE
    PID 432 wrote to memory of 2012 | 432 | cmd.exe | PING.EXE
    PID 432 wrote to memory of 2012 | 432 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe"
  PID: 740
  Signatures:
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1916
    Signatures:
      - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06c7509621b6f70c790fddc3595ef5890afcc0d8aa21112d3e8fde07d66e1985.exe"
    PID: 432
    Signatures:
      - Deletes itself
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 2012
      Signatures:
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 83a5500b18f0392b753ab41065000128
  SHA1: 8be5b49d9dd8b73979971b300156b886e634e954
  SHA256: 57608b9d411d803a2b051e87160951f244ff169cfa87ab0d4ef52ffd771fd40f
  SHA512: 99c04270db249772d1b5901e44db74d22289dc0c6f2ce257e11696c07908370573a50e1f054ee697c1dfe59be7b71c6633d6720cf45406eff9d8f1d5e5b19469
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 83a5500b18f0392b753ab41065000128
  SHA1: 8be5b49d9dd8b73979971b300156b886e634e954
  SHA256: 57608b9d411d803a2b051e87160951f244ff169cfa87ab0d4ef52ffd771fd40f
  SHA512: 99c04270db249772d1b5901e44db74d22289dc0c6f2ce257e11696c07908370573a50e1f054ee697c1dfe59be7b71c6633d6720cf45406eff9d8f1d5e5b19469
- memory/740-54-0x0000000076041000-0x0000000076043000-memory.dmp
  Filesize: 8KB
- memory/740-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1916-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB