Analysis
  max time kernel: 139s
  max time network: 152s
  platform: windows7_x64
  resource: win7-en-20211208
  submitted: 12-02-2022 12:03
Static task: static1
Behavioral task: behavioral1
  Sample: 0293b23c5ce17c34b0373bddd4f3ff03e9abd2a88816fb4d87eb5a61745af836.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0293b23c5ce17c34b0373bddd4f3ff03e9abd2a88816fb4d87eb5a61745af836.exe
  Resource: win10v2004-en-20220112
General
  Target: 0293b23c5ce17c34b0373bddd4f3ff03e9abd2a88816fb4d87eb5a61745af836.exe
  Size: 216KB
  MD5: 2bd394aef3becbf778964d64663c6201
  SHA1: 147c708e0d1fd203e1db0ab728b08f503777a2e9
  SHA256: 0293b23c5ce17c34b0373bddd4f3ff03e9abd2a88816fb4d87eb5a61745af836
  SHA512: 1acf4a30cff5bfd384b1617188f4ec8191c4c0cb9cfb03423547317abac9e3848ae692f78566bd078b2d9bc17fd5bf5b2b36a4d766c7a0c3411ed7904255299d
Malware Config
Signatures

Sakula Payload (4 IoCs)
  Processes (resource / yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    behavioral1/memory/1864-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
    behavioral1/memory/1816-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1816 | MediaCenter.exe

Deletes itself (1 IoC)
  Processes (pid / process):
    812 | cmd.exe

Loads dropped DLL (1 IoC)
  Processes (pid / process):
    1864 | 0293b23c5ce17c34b0373bddd4f3ff03e9abd2a88816fb4d87eb5a61745af836.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 0293b23c5ce17c34b0373bddd4f3ff03e9abd2a88816fb4d87eb5a61745af836.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege | 1864 | 0293b23c5ce17c34b0373bddd4f3ff03e9abd2a88816fb4d87eb5a61745af836.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process), each of the three rows recorded four times:
    PID 1864 wrote to memory of 1816 | 1864 | 0293b23c5ce17c34b0373bddd4f3ff03e9abd2a88816fb4d87eb5a61745af836.exe | MediaCenter.exe
    PID 1864 wrote to memory of 812 | 1864 | 0293b23c5ce17c34b0373bddd4f3ff03e9abd2a88816fb4d87eb5a61745af836.exe | cmd.exe
    PID 812 wrote to memory of 1980 | 812 | cmd.exe | PING.EXE
Processes
  C:\Users\Admin\AppData\Local\Temp\0293b23c5ce17c34b0373bddd4f3ff03e9abd2a88816fb4d87eb5a61745af836.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0293b23c5ce17c34b0373bddd4f3ff03e9abd2a88816fb4d87eb5a61745af836.exe"
    PID: 1864
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 1816
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0293b23c5ce17c34b0373bddd4f3ff03e9abd2a88816fb4d87eb5a61745af836.exe"
      PID: 812
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1
        PID: 1980
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (also recorded under the path \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe)
    MD5: 3dca8503e1c25267bc22c597e38ae8f8
    SHA1: 1ad721a90bfec4f30658791d3d17b382b087c795
    SHA256: db10a5d8c8335f79527cae8d61274eb05b488319dd3d056a5cab9535609f73a6
    SHA512: 2071822fbe391c436ae3183875581c265c134e103249a775f6a8eb133f12ee89d39ba520b112033ec2ab2edc2807f5dc728d1439f55534bbf115a83827a4481a
  memory/1816-59-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize: 128KB
  memory/1864-54-0x0000000076041000-0x0000000076043000-memory.dmp
    Filesize: 8KB
  memory/1864-58-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize: 128KB