Analysis
- max time kernel: 157s
- max time network: 177s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:39
Static task: static1
Behavioral task: behavioral1
- Sample: 06877c9aff6fde0853af791b2f0450ec21c8e2c384991c3b4f54b21707d0b3b8.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 06877c9aff6fde0853af791b2f0450ec21c8e2c384991c3b4f54b21707d0b3b8.exe
- Resource: win10v2004-en-20220113
General
- Target: 06877c9aff6fde0853af791b2f0450ec21c8e2c384991c3b4f54b21707d0b3b8.exe
- Size: 176KB
- MD5: 109fb9d84b831b7845ce25e182ced731
- SHA1: 8083aa6465ef42fb4426ae72462aa22f4a98ed8d
- SHA256: 06877c9aff6fde0853af791b2f0450ec21c8e2c384991c3b4f54b21707d0b3b8
- SHA512: 71606d5b70ec3426bcf933d13eab585063c0116dff737dbbaa4d2efa1eb4c87f0ee906254474aff267ca12e0bdaa00105ecfc57df23759c4907f60b4d09d5bf2
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1312-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/820-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  (The rule matches both the dropped file on disk and the 0x400000 image region of the dropper, PID 1312, and of the dropped payload, PID 820.)
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoCs)
  pid | process
  820 | MediaCenter.exe
- Deletes itself (1 IoCs)
  pid | process
  1996 | cmd.exe
- Loads dropped DLL (1 IoCs)
  pid | process
  1312 | 06877c9aff6fde0853af791b2f0450ec21c8e2c384991c3b4f54b21707d0b3b8.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 06877c9aff6fde0853af791b2f0450ec21c8e2c384991c3b4f54b21707d0b3b8.exe
  (The value is written to the machine-wide HKLM Run key through the Wow6432Node view, i.e. by a 32-bit process, and points at the dropped payload in the user's Temp directory rather than at the dropper itself. The entry survives reboots and runs at every interactive logon on the host.)
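The Run-key IoC above is the kind of record a registry-auditing detection should score. The following is an added example, not part of the Triage report or of the Sakula sample: a Python audit over constructed registry value-set events that flags Run/RunOnce values pointing into user-writable directories, and separately flags the dropper pattern (the writing process registers a binary other than itself). The event field names are an assumption loosely modelled on a registry value-set log, not any product's exact schema; the first sample record mirrors the IoC on this page and the rest are invented contrast cases.

```python
"""Flag Run-key persistence that points into user-writable directories.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed:
the first record mirrors the Set value IoC on this page; the others are
invented contrast cases. The record fields (EventType, Image, TargetObject,
Details) are an assumption loosely modelled on a registry value-set event,
not any product's exact schema.
"""
import re
from typing import Dict, List

# Autostart keys under either hive, including the Wow6432Node view that a
# 32-bit process is redirected to when it writes HKLM\SOFTWARE.
RUN_KEY_RE = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
    re.IGNORECASE,
)

# Locations an unprivileged user can write to. A Run value pointing here
# autostarts something that was never installed through a package.
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads)|Users\\Public|ProgramData|Temp)\\",
    re.IGNORECASE,
)


def image_from_run_value(value: str) -> str:
    """Reduce a Run value ('"C:\\a b\\x.exe" /arg' or 'C:\\x.exe /arg') to its image path."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", value, re.IGNORECASE)
    return m.group(1) if m else value


def audit_run_key_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per Run/RunOnce value-set event, with the signals that matter."""
    findings = []
    for ev in events:
        target = ev.get("TargetObject", "")
        if ev.get("EventType") != "SetValue" or not RUN_KEY_RE.search(target):
            continue
        image = image_from_run_value(ev.get("Details", ""))
        upper = target.upper()
        writer = ev.get("Image", "")
        user_writable = bool(USER_WRITABLE_RE.search(image))
        # A process registering a binary other than itself is the dropper
        # pattern on this page: the dropper persists the payload it wrote.
        registers_other_binary = writer.lower() != image.lower()
        findings.append({
            "value_name": target.rsplit("\\", 1)[-1],
            "hive": "HKLM" if upper.startswith(("\\REGISTRY\\MACHINE", "HKLM")) else "HKU",
            "wow6432": "WOW6432NODE" in upper,
            "image": image,
            "writer": writer,
            "user_writable": user_writable,
            "registers_other_binary": registers_other_binary,
            "suspicious": user_writable and registers_other_binary,
        })
    return findings


# Constructed sample input (not captured data).
SAMPLE_EVENTS = [
    {   # mirrors the IoC on this page
        "EventType": "SetValue",
        "Image": r"C:\Users\Admin\AppData\Local\Temp\06877c9aff6fde0853af791b2f0450ec21c8e2c384991c3b4f54b21707d0b3b8.exe",
        "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
        "Details": r'"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"',
    },
    {   # invented: an installer registering a Program Files binary
        "EventType": "SetValue",
        "Image": r"C:\Program Files\Vendor\setup.exe",
        "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
        "Details": r'"C:\Program Files\Vendor\tray.exe" /minimized',
    },
    {   # invented: a value under a key that is not an autostart location
        "EventType": "SetValue",
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
        "Details": "DWORD (0x00000001)",
    },
]

if __name__ == "__main__":
    for f in audit_run_key_events(SAMPLE_EVENTS):
        print(f)
```

Only the first record scores as suspicious: it is an HKLM autostart, written through Wow6432Node, whose image lives under a user's AppData and is not the process that wrote it. The second record shares the "registers another binary" trait but points into Program Files, which is why the two signals are kept separate rather than folded into one score.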
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). (The sandbox's stock description for this signature adds "likely ransomware behaviour"; that is a generic heuristic for the signature, not an assessment of this sample. The YARA and Suricata hits on this page identify it as the Sakula/Mivast RAT, and no file-encryption activity is recorded here.)
Runs ping.exe 1 TTPs 1 IoCs
-
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1312 | 06877c9aff6fde0853af791b2f0450ec21c8e2c384991c3b4f54b21707d0b3b8.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 1312 wrote to memory of 820 (x4) | 1312 | 06877c9aff6fde0853af791b2f0450ec21c8e2c384991c3b4f54b21707d0b3b8.exe | MediaCenter.exe
  PID 1312 wrote to memory of 1996 (x4) | 1312 | 06877c9aff6fde0853af791b2f0450ec21c8e2c384991c3b4f54b21707d0b3b8.exe | cmd.exe
  PID 1996 wrote to memory of 1092 (x4) | 1996 | cmd.exe | PING.EXE
  (Every target is a direct child that the writing process has just created; the writes match the memory setup that accompanies ordinary process creation, not injection into an unrelated process.)
Processes
- C:\Users\Admin\AppData\Local\Temp\06877c9aff6fde0853af791b2f0450ec21c8e2c384991c3b4f54b21707d0b3b8.exe (PID 1312)
  command line: "C:\Users\Admin\AppData\Local\Temp\06877c9aff6fde0853af791b2f0450ec21c8e2c384991c3b4f54b21707d0b3b8.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 820)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1996)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06877c9aff6fde0853af791b2f0450ec21c8e2c384991c3b4f54b21707d0b3b8.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1092)
      command line: ping 127.0.0.1
      - Runs ping.exe
(The command line names System32\cmd.exe but the image actually executed is SysWOW64\cmd.exe: file-system redirection for a 32-bit parent, consistent with the Run key landing under Wow6432Node. The ping to 127.0.0.1 is only a delay so that the shell outlives the dropper, which Windows will not let it delete while the image is still mapped by a running process.)
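The `cmd.exe /c ping 127.0.0.1 & del /q "<own path>"` child in the tree above is a reusable detection: a shell whose command line pairs a ping delay with a delete, where the deleted path is the parent's own image. The following is an added example, not part of the Triage report or the sample: a Python detector over constructed process-creation records (field names are an assumption, not any product's exact schema) built from the PIDs and command lines on this page plus an invented contrast case. Besides flagging the self-deletion it lists the other children of the same parent, because after the dropper erases itself those siblings (here the dropped MediaCenter.exe) are what is still running.

```python
"""Detect the 'cmd /c ping <host> & del <path>' self-deletion pattern.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
from the process tree on this page (PIDs 1312, 820, 1996, 1092) plus an
invented contrast case (PIDs 1500, 2000); the record fields (ProcessId,
ParentProcessId, Image, CommandLine) are an assumption, not any product's
exact schema.
"""
import re
from typing import Dict, List

# cmd run with /c, a ping used as a sleep, then del/erase with optional
# switches and a quoted or unquoted .exe path.
SELF_DELETE_RE = re.compile(
    r"""/c\s+.*?\bping\b[^&]*&+\s*(?:del|erase)\b(?:\s+/\w+)*\s*"?(?P<target>[^"&]+\.exe)"?""",
    re.IGNORECASE,
)


def find_self_deletes(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return one hit per cmd.exe process whose command line matches the pattern."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits = []
    for e in events:
        if not str(e["Image"]).lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(str(e["CommandLine"]))
        if not m:
            continue
        target = m.group("target").strip()
        parent = by_pid.get(e["ParentProcessId"])
        parent_image = str(parent["Image"]) if parent else None
        # Other children of the same parent: what remains after the parent
        # erases itself (on this page, the dropped MediaCenter.exe).
        siblings = [
            str(s["Image"]) for s in events
            if s["ParentProcessId"] == e["ParentProcessId"] and s["ProcessId"] != e["ProcessId"]
        ]
        hits.append({
            "cmd_pid": e["ProcessId"],
            "parent_pid": e["ParentProcessId"],
            "parent_image": parent_image,
            "deleted_path": target,
            "deletes_parent": parent_image is not None and parent_image.lower() == target.lower(),
            "siblings": siblings,
        })
    return hits


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\06877c9aff6fde0853af791b2f0450ec21c8e2c384991c3b4f54b21707d0b3b8.exe"

# Constructed sample input (not captured data). PID 900 is an assumed
# launcher PID the page does not show.
SAMPLE_EVENTS = [
    {"ProcessId": 1312, "ParentProcessId": 900, "Image": DROPPER,
     "CommandLine": '"' + DROPPER + '"'},
    {"ProcessId": 820, "ParentProcessId": 1312,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"ProcessId": 1996, "ParentProcessId": 1312, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + DROPPER + '"'},
    {"ProcessId": 1092, "ParentProcessId": 1996, "Image": r"C:\Windows\SysWOW64\PING.EXE",
     "CommandLine": "ping 127.0.0.1"},
    # invented contrast: same shape, but the deleted file is not the parent
    {"ProcessId": 1500, "ParentProcessId": 900, "Image": r"C:\Tools\cleanup.exe",
     "CommandLine": r"C:\Tools\cleanup.exe"},
    {"ProcessId": 2000, "ParentProcessId": 1500, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c ping -n 3 127.0.0.1 > nul && del /f "C:\Users\Admin\Desktop\old.exe"'},
]

if __name__ == "__main__":
    for h in find_self_deletes(SAMPLE_EVENTS):
        print(h)
```

The regex tolerates the usual variations (`ping -n N`, output redirected to `nul`, `&&` instead of `&`, `del` switches, unquoted paths), and the `deletes_parent` flag is what separates the dropper case from a shell that merely deletes some other file after a delay. A production rule would also compare against the short (8.3) form of the parent path, which the page's command line does not use.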
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (also listed as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe)
  MD5: b004d0059f693315c9c0dd4c186d603c
  SHA1: d6e16928029ecd252d650dd112e6d0b509732c88
  SHA256: afa87b381169a23ac4846af66f8df8c95fda8fb18e75a560e736e6486d28420c
  SHA512: 730888b483df9ad634c9442f08343879e50ac4b0f690799699a331304e7c5a397efe16ae6b2312a0a5faa8a48ecee7697d9de6e10001ec5c88dad176ad85c9a7
  (These hashes differ from the submitted sample's, so the dropped payload is a distinct binary written by the dropper, not a copy of it; block and hunt on both sets.)
- memory/820-59-0x0000000000400000-0x0000000000420000-memory.dmp, Filesize: 128KB
- memory/1312-54-0x0000000076911000-0x0000000076913000-memory.dmp, Filesize: 8KB
- memory/1312-58-0x0000000000400000-0x0000000000420000-memory.dmp, Filesize: 128KB