Analysis
- max time kernel: 135s
- max time network: 151s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:58
Static task: static1
Behavioral task: behavioral1
- Sample: 02da7bb3f9c8b5b09362211267344b6016e74e4a18ef3a821455c78ebac5d493.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 02da7bb3f9c8b5b09362211267344b6016e74e4a18ef3a821455c78ebac5d493.exe
- Resource: win10v2004-en-20220112
The signatures, process tree and downloads on this page are those of the windows7_x64 run (resource win7-en-20211208).
General
- Target: 02da7bb3f9c8b5b09362211267344b6016e74e4a18ef3a821455c78ebac5d493.exe
- Size: 89KB
- MD5: a7b458591eb645b5d5d7abb84ebccbfb
- SHA1: a68a805de941e415819ec4e560d6e6e739c75164
- SHA256: 02da7bb3f9c8b5b09362211267344b6016e74e4a18ef3a821455c78ebac5d493
- SHA512: 3ee577dc7d0c87e45256558542953bdf249b6a0f8b4a31d5dd3f2bd4daa42cb1627d92cff9a899439a9fce12d139e842e8c7170950b91837a42beb1b36e909d5
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  YARA rule family_sakula matched on:
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  - PID 948 MediaCenter.exe
- Deletes itself (1 IoC)
  - PID 1696 cmd.exe (the cmd.exe chain in the process tree removes the original sample from disk once it has exited)
- Loads dropped DLL (1 IoC)
  - PID 1768 02da7bb3f9c8b5b09362211267344b6016e74e4a18ef3a821455c78ebac5d493.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", written by PID 1768 02da7bb3f9c8b5b09362211267344b6016e74e4a18ef3a821455c78ebac5d493.exe
  The Wow6432Node path is the WOW64 registry redirection of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for a 32-bit process on the x64 guest; Windows processes both the native and the Wow6432Node Run keys at logon, so the entry is effective persistence. The key is under HKEY_LOCAL_MACHINE, so the write required an elevated token. When hunting, query both Run key paths.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches its canned note "Likely ransomware behaviour" to this heuristic; it is generic and does not change the classification given by the YARA and Suricata hits above, which identify this sample as the Sakula/Mivast RAT.
- Runs ping.exe (1 TTP, 1 IoC)
  - PID 1084 PING.EXE, spawned by cmd.exe as a delay before the del command (see process tree)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - PID 1768 02da7bb3f9c8b5b09362211267344b6016e74e4a18ef3a821455c78ebac5d493.exe adjusted token privilege SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 1768 (02da7bb3f9c8b5b09362211267344b6016e74e4a18ef3a821455c78ebac5d493.exe) wrote to memory of PID 948 (MediaCenter.exe): 4 events
  - PID 1768 (02da7bb3f9c8b5b09362211267344b6016e74e4a18ef3a821455c78ebac5d493.exe) wrote to memory of PID 1696 (cmd.exe): 4 events
  - PID 1696 (cmd.exe) wrote to memory of PID 1084 (PING.EXE): 4 events
  In every case the target is a child the source process had just created, so these writes are consistent with process creation rather than injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\02da7bb3f9c8b5b09362211267344b6016e74e4a18ef3a821455c78ebac5d493.exe (PID 1768)
  Command line: "C:\Users\Admin\AppData\Local\Temp\02da7bb3f9c8b5b09362211267344b6016e74e4a18ef3a821455c78ebac5d493.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 948, child of 1768)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1696, child of 1768)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\02da7bb3f9c8b5b09362211267344b6016e74e4a18ef3a821455c78ebac5d493.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1084, child of 1696)
      Command line: ping 127.0.0.1
      - Runs ping.exe
The cmd.exe chain is the dropper's self-removal: ping to loopback sends four echo requests by default, roughly three seconds, which keeps cmd.exe busy until the parent has exited and its image is no longer locked, after which del /q removes it. The command line names System32\cmd.exe but the executed image is SysWOW64\cmd.exe because file-system redirection applies to the 32-bit parent. A cmd.exe command line of the form "ping 127.0.0.1 & del <path of parent image>" is a reliable detection hook for this pattern.
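A detection pass over the two behaviours recorded in the tree above, added here as an illustration and not part of the sandbox report or of any vendor tooling. The events are constructed Sysmon-style records (Event ID 1 process creation, Event ID 13 registry value set) modelled on the PIDs, paths and Run-key value from this report, plus constructed benign control records that must not fire; the field names follow Sysmon's but the records are hand-built. The self-deletion check fires only when the del target equals the parent process's own image, and the persistence check covers both the native and the Wow6432Node Run keys.

```python
"""Detections for Run-key persistence into %LOCALAPPDATA%\\Temp and for the
'cmd /c ping 127.0.0.1 & del /q <parent image>' self-deletion chain.
Events below are constructed sample records, not a sandbox export."""
import re

# Paths taken from the report; the sample's file name is its SHA256.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\02da7bb3f9c8b5b09362211267344b6016e74e4a18ef3a821455c78ebac5d493.exe")
DROPPED_EXE = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS = [
    # Constructed parent for the sample (PID 1200 is assumed; not in the report).
    {"EventID": 1, "ProcessId": 1200, "ParentProcessId": 800,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"EventID": 1, "ProcessId": 1768, "ParentProcessId": 1200,
     "Image": SAMPLE_EXE, "CommandLine": f'"{SAMPLE_EXE}"'},
    {"EventID": 1, "ProcessId": 948, "ParentProcessId": 1768,
     "Image": DROPPED_EXE, "CommandLine": DROPPED_EXE},
    {"EventID": 13, "ProcessId": 1768, "Image": SAMPLE_EXE,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": DROPPED_EXE},
    {"EventID": 1, "ProcessId": 1696, "ParentProcessId": 1768,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE_EXE}"'},
    {"EventID": 1, "ProcessId": 1084, "ParentProcessId": 1696,
     "Image": r"C:\Windows\SysWOW64\PING.EXE", "CommandLine": "ping 127.0.0.1"},
    # Constructed benign controls: a cleanup script deleting a log file (not its
    # parent's image) and a vendor Run key outside any Temp directory.
    {"EventID": 1, "ProcessId": 2300, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c ping 127.0.0.1 & del /q "C:\Logs\old.log"'},
    {"EventID": 13, "ProcessId": 1200, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

# "ping <host> & del [/switches] <path>" at the end of a cmd.exe command line;
# group 1 is the path handed to del, with or without surrounding quotes.
_PING_DEL = re.compile(
    r'\bping\b[^&|]*[&|]+\s*del\b(?:\s+/\w+)*\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
# Run or RunOnce value under CurrentVersion, native or Wow6432Node; group 1 is the value name.
_RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.IGNORECASE)


def _processes(events):
    """Index process-creation events by PID so a child can look up its parent."""
    return {e["ProcessId"]: e for e in events if e["EventID"] == 1}


def detect_self_delete(events):
    """Flag cmd.exe 'ping & del' chains whose del target is the parent's own image."""
    procs = _processes(events)
    hits = []
    for e in events:
        if e["EventID"] != 1 or not e["Image"].lower().endswith("\\cmd.exe"):
            continue
        m = _PING_DEL.search(e["CommandLine"])
        if not m:
            continue
        parent = procs.get(e["ParentProcessId"])
        if parent and m.group(1).lower() == parent["Image"].lower():
            hits.append({"cmd_pid": e["ProcessId"],
                         "parent_pid": parent["ProcessId"],
                         "deleted": m.group(1)})
    return hits


def detect_temp_run_key(events):
    """Flag Run-key values whose target lives under a user's AppData\\Local\\Temp."""
    hits = []
    for e in events:
        if e["EventID"] != 13:
            continue
        m = _RUN_KEY.search(e["TargetObject"])
        if m and "\\appdata\\local\\temp\\" in e["Details"].lower():
            hits.append({"pid": e["ProcessId"], "value_name": m.group(1),
                         "target": e["Details"],
                         "wow64": "\\wow6432node\\" in e["TargetObject"].lower()})
    return hits


def triage(events):
    """Counts of each detection, for a quick summary of a host's event log."""
    return {"self_delete": len(detect_self_delete(events)),
            "temp_run_key": len(detect_temp_run_key(events))}


if __name__ == "__main__":
    for hit in detect_self_delete(EVENTS):
        print("self-delete:", hit)
    for hit in detect_temp_run_key(EVENTS):
        print("persistence:", hit)
    print(triage(EVENTS))
```

Against the constructed events only the sample's cmd.exe (PID 1696, parent 1768) and the MicroMedia Run value fire; the log-cleanup control and the vendor Run key do not. On a real host the same two functions can be fed Sysmon events exported from the Operational log, matching on the same field names.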
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (also listed under the drive-less path \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; same file, same hashes)
  - MD5: e5f52abb6011233af93ccc2006e6776d
  - SHA1: d8a9abcf5ee34fba87768025be2efbeb6d053706
  - SHA256: 2dc8dddacc0e8df9f22b2b462441811d5645a4ca2e5a46b333fa05a7780d0123
  - SHA512: d2f75d62be765e512e843ad14a8a3acb084c7aa79e0f11ca0bc36fed10eee6383fe25f14479ec8c32094243fecfdf552d24b984cec76552499276e7f4044412c
- memory/1768-55-0x00000000762C1000-0x00000000762C3000-memory.dmp
  - Filesize: 8KB