Analysis
- max time kernel: 156s
- max time network: 180s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 10:55
Static task: static1
Behavioral task: behavioral1
- Sample: 05d0d205051d74c73e5c88c78663a7a3b796d91668938aaab02f399a51b63ddb.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 05d0d205051d74c73e5c88c78663a7a3b796d91668938aaab02f399a51b63ddb.exe
- Resource: win10v2004-en-20220112
General
- Target: 05d0d205051d74c73e5c88c78663a7a3b796d91668938aaab02f399a51b63ddb.exe
- Size: 188KB
- MD5: bf2412da2f63eada23ba9e783c4cdd30
- SHA1: 1e4e7e19ad79374006cec1893ad3790452de9175
- SHA256: 05d0d205051d74c73e5c88c78663a7a3b796d91668938aaab02f399a51b63ddb
- SHA512: 26c026f4374ddf690adee32c1c21670fe24955305b00c362f7ce032fc4d81d04a0245dc72c30d3fd51613e60b94b56e661528d34e8bfd12d062efecb05934926
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
    resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (yara_rule: family_sakula)
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (yara_rule: family_sakula)
    resource: behavioral1/memory/1464-59-0x0000000000400000-0x0000000000420000-memory.dmp (yara_rule: family_sakula)
    resource: behavioral1/memory/1288-60-0x0000000000400000-0x0000000000420000-memory.dmp (yara_rule: family_sakula)
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes (MediaCenter.exe):
    pid: 1288  process: MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (cmd.exe):
    pid: 956  process: cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (05d0d205051d74c73e5c88c78663a7a3b796d91668938aaab02f399a51b63ddb.exe):
    pid: 1464  process: 05d0d205051d74c73e5c88c78663a7a3b796d91668938aaab02f399a51b63ddb.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (05d0d205051d74c73e5c88c78663a7a3b796d91668938aaab02f399a51b63ddb.exe):
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 05d0d205051d74c73e5c88c78663a7a3b796d91668938aaab02f399a51b63ddb.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (05d0d205051d74c73e5c88c78663a7a3b796d91668938aaab02f399a51b63ddb.exe):
    description: Token: SeIncBasePriorityPrivilege  pid: 1464  process: 05d0d205051d74c73e5c88c78663a7a3b796d91668938aaab02f399a51b63ddb.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (05d0d205051d74c73e5c88c78663a7a3b796d91668938aaab02f399a51b63ddb.exe, cmd.exe); each row is reported four times in the original table:
    description: PID 1464 wrote to memory of 1288  pid: 1464  process: 05d0d205051d74c73e5c88c78663a7a3b796d91668938aaab02f399a51b63ddb.exe  target process: MediaCenter.exe  (x4)
    description: PID 1464 wrote to memory of 956  pid: 1464  process: 05d0d205051d74c73e5c88c78663a7a3b796d91668938aaab02f399a51b63ddb.exe  target process: cmd.exe  (x4)
    description: PID 956 wrote to memory of 1040  pid: 956  process: cmd.exe  target process: PING.EXE  (x4)
Processes
- C:\Users\Admin\AppData\Local\Temp\05d0d205051d74c73e5c88c78663a7a3b796d91668938aaab02f399a51b63ddb.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\05d0d205051d74c73e5c88c78663a7a3b796d91668938aaab02f399a51b63ddb.exe"
  PID: 1464
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (child)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1288
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (child)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\05d0d205051d74c73e5c88c78663a7a3b796d91668938aaab02f399a51b63ddb.exe"
    PID: 956
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (child)
      command line: ping 127.0.0.1
      PID: 1040
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 220a80761fe0b5f1a8f9829831b2773e
  SHA1: 1ea7b044e97769982687c8a4f568f03bb1eec143
  SHA256: 8bc8d2d763fedf74607d3d43ec28ba1f543362ba078bf23d89d8c9f9d98d9093
  SHA512: d2407bb191214ecdf2fea8014f462de75f1265fa464026e11c4d2a07327f5fec8a774dd9a3494b338892408e499ff7bf499dc8609caea445654138eff75f1be5
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 220a80761fe0b5f1a8f9829831b2773e
  SHA1: 1ea7b044e97769982687c8a4f568f03bb1eec143
  SHA256: 8bc8d2d763fedf74607d3d43ec28ba1f543362ba078bf23d89d8c9f9d98d9093
  SHA512: d2407bb191214ecdf2fea8014f462de75f1265fa464026e11c4d2a07327f5fec8a774dd9a3494b338892408e499ff7bf499dc8609caea445654138eff75f1be5
- memory/1288-60-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1464-55-0x0000000075F81000-0x0000000075F83000-memory.dmp
  Filesize: 8KB
- memory/1464-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB