Analysis
- max time kernel: 125s
- max time network: 136s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:38
Static task: static1
Behavioral task: behavioral1
  Sample: 06a0df93edb0176aabd97470c459e8954cab2e35d93bd24b9f21972542b0bf6d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 06a0df93edb0176aabd97470c459e8954cab2e35d93bd24b9f21972542b0bf6d.exe
  Resource: win10v2004-en-20220112
General
- Target: 06a0df93edb0176aabd97470c459e8954cab2e35d93bd24b9f21972542b0bf6d.exe
- Size: 150KB
- MD5: 0e6b86dc121c2abb7a561659d4df15bd
- SHA1: 41de5e83a352b931c33f4595070823e484a4267f
- SHA256: 06a0df93edb0176aabd97470c459e8954cab2e35d93bd24b9f21972542b0bf6d
- SHA512: 2ec470b36bc1fc6e87e7680c3792b1a1b9a4fb918c3b0d89fcd38ec96bf888527cc62622f999fa1deff4311a41e1932cc902063e932ce5f479e6d47d939d7203
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes:
    pid: 1084  process: MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid: 1440  process: cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid: 1292  process: 06a0df93edb0176aabd97470c459e8954cab2e35d93bd24b9f21972542b0bf6d.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 06a0df93edb0176aabd97470c459e8954cab2e35d93bd24b9f21972542b0bf6d.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege  pid: 1292  process: 06a0df93edb0176aabd97470c459e8954cab2e35d93bd24b9f21972542b0bf6d.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid   process                                                                  target process
    PID 1292 wrote to memory of 1084   1292  06a0df93edb0176aabd97470c459e8954cab2e35d93bd24b9f21972542b0bf6d.exe  MediaCenter.exe
    PID 1292 wrote to memory of 1084   1292  06a0df93edb0176aabd97470c459e8954cab2e35d93bd24b9f21972542b0bf6d.exe  MediaCenter.exe
    PID 1292 wrote to memory of 1084   1292  06a0df93edb0176aabd97470c459e8954cab2e35d93bd24b9f21972542b0bf6d.exe  MediaCenter.exe
    PID 1292 wrote to memory of 1084   1292  06a0df93edb0176aabd97470c459e8954cab2e35d93bd24b9f21972542b0bf6d.exe  MediaCenter.exe
    PID 1292 wrote to memory of 1440   1292  06a0df93edb0176aabd97470c459e8954cab2e35d93bd24b9f21972542b0bf6d.exe  cmd.exe
    PID 1292 wrote to memory of 1440   1292  06a0df93edb0176aabd97470c459e8954cab2e35d93bd24b9f21972542b0bf6d.exe  cmd.exe
    PID 1292 wrote to memory of 1440   1292  06a0df93edb0176aabd97470c459e8954cab2e35d93bd24b9f21972542b0bf6d.exe  cmd.exe
    PID 1292 wrote to memory of 1440   1292  06a0df93edb0176aabd97470c459e8954cab2e35d93bd24b9f21972542b0bf6d.exe  cmd.exe
    PID 1440 wrote to memory of 1512   1440  cmd.exe                                                                  PING.EXE
    PID 1440 wrote to memory of 1512   1440  cmd.exe                                                                  PING.EXE
    PID 1440 wrote to memory of 1512   1440  cmd.exe                                                                  PING.EXE
    PID 1440 wrote to memory of 1512   1440  cmd.exe                                                                  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\06a0df93edb0176aabd97470c459e8954cab2e35d93bd24b9f21972542b0bf6d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06a0df93edb0176aabd97470c459e8954cab2e35d93bd24b9f21972542b0bf6d.exe"
  PID: 1292
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1084
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06a0df93edb0176aabd97470c459e8954cab2e35d93bd24b9f21972542b0bf6d.exe"
    PID: 1440
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1512
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: d9798818216a7f8205f88e7973337635
  SHA1: 05fcd67c5149daff8f20589fbb03862bf1a0fee8
  SHA256: 6ddd590c0d8fe9ca93c52765ee3d60df9ae5dd72a00439e7688a585b579ca1e3
  SHA512: 8724c43260143d6cc3d0de4fa0d31945df11cf790e99dd8e3a0fe038826cc168bad47a7d7abcf90048f53e4250866fd2161b67be753b1ade7848ba2a9619891e
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: d9798818216a7f8205f88e7973337635
  SHA1: 05fcd67c5149daff8f20589fbb03862bf1a0fee8
  SHA256: 6ddd590c0d8fe9ca93c52765ee3d60df9ae5dd72a00439e7688a585b579ca1e3
  SHA512: 8724c43260143d6cc3d0de4fa0d31945df11cf790e99dd8e3a0fe038826cc168bad47a7d7abcf90048f53e4250866fd2161b67be753b1ade7848ba2a9619891e
- memory/1292-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
  Filesize: 8KB