Analysis
- max time kernel: 141s
- max time network: 151s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:11
Static task: static1

Behavioral task: behavioral1
- Sample: 0514763d49c6070d408b6e80cad6e5c264a24b44471977305301eeb8dec4831a.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0514763d49c6070d408b6e80cad6e5c264a24b44471977305301eeb8dec4831a.exe
- Resource: win10v2004-en-20220112
General
- Target: 0514763d49c6070d408b6e80cad6e5c264a24b44471977305301eeb8dec4831a.exe
- Size: 188KB
- MD5: bfd2124caa36df62e3fe57ca21f36e8e
- SHA1: 37b2b42a4a072dc47ff3968e021d59e5e02c704d
- SHA256: 0514763d49c6070d408b6e80cad6e5c264a24b44471977305301eeb8dec4831a
- SHA512: f9ce3cfb028a8b9921bccbccb570869ce1da9baab07fc546e2d8a1e97763bd6cc1ab891a53b223da0518e0b168451c8456fd6775da9b9e693f400d7747a88397
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
    resource                                                                      yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                    family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                  family_sakula
    behavioral1/memory/1500-58-0x0000000000400000-0x0000000000420000-memory.dmp   family_sakula
    behavioral1/memory/656-59-0x0000000000400000-0x0000000000420000-memory.dmp    family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    656   MediaCenter.exe
- Deletes itself (1 IoC)
  Processes:
    pid   process
    396   cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid    process
    1500   0514763d49c6070d408b6e80cad6e5c264a24b44471977305301eeb8dec4831a.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description       ioc                                                                                                                                                                          process
    Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   0514763d49c6070d408b6e80cad6e5c264a24b44471977305301eeb8dec4831a.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                         pid    process
    Token: SeIncBasePriorityPrivilege   1500   0514763d49c6070d408b6e80cad6e5c264a24b44471977305301eeb8dec4831a.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                          pid    process                                                                  target process
    PID 1500 wrote to memory of 656      1500   0514763d49c6070d408b6e80cad6e5c264a24b44471977305301eeb8dec4831a.exe   MediaCenter.exe
    PID 1500 wrote to memory of 656      1500   0514763d49c6070d408b6e80cad6e5c264a24b44471977305301eeb8dec4831a.exe   MediaCenter.exe
    PID 1500 wrote to memory of 656      1500   0514763d49c6070d408b6e80cad6e5c264a24b44471977305301eeb8dec4831a.exe   MediaCenter.exe
    PID 1500 wrote to memory of 656      1500   0514763d49c6070d408b6e80cad6e5c264a24b44471977305301eeb8dec4831a.exe   MediaCenter.exe
    PID 1500 wrote to memory of 396      1500   0514763d49c6070d408b6e80cad6e5c264a24b44471977305301eeb8dec4831a.exe   cmd.exe
    PID 1500 wrote to memory of 396      1500   0514763d49c6070d408b6e80cad6e5c264a24b44471977305301eeb8dec4831a.exe   cmd.exe
    PID 1500 wrote to memory of 396      1500   0514763d49c6070d408b6e80cad6e5c264a24b44471977305301eeb8dec4831a.exe   cmd.exe
    PID 1500 wrote to memory of 396      1500   0514763d49c6070d408b6e80cad6e5c264a24b44471977305301eeb8dec4831a.exe   cmd.exe
    PID 396 wrote to memory of 1976      396    cmd.exe                                                                  PING.EXE
    PID 396 wrote to memory of 1976      396    cmd.exe                                                                  PING.EXE
    PID 396 wrote to memory of 1976      396    cmd.exe                                                                  PING.EXE
    PID 396 wrote to memory of 1976      396    cmd.exe                                                                  PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\0514763d49c6070d408b6e80cad6e5c264a24b44471977305301eeb8dec4831a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0514763d49c6070d408b6e80cad6e5c264a24b44471977305301eeb8dec4831a.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1500
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 656
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0514763d49c6070d408b6e80cad6e5c264a24b44471977305301eeb8dec4831a.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 396
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1976
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 1e286551f46b80ee9190cea7f8953c22
  SHA1: 5826cc16652ee47262b6bac87c89be7de1aa7d85
  SHA256: 6c4135bd3bf882c32a48c2efe6145af8342892b8a8d75563dc7d5f5e813f0123
  SHA512: ad340e744f8d6fd6cc529251358fef56b2ed3d86f7b63cd2a62a0948caefcab24f35a3bba94e833af593711a203aedba6cbbeebda93de97bb4dc1884f5c9fd1c
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 1e286551f46b80ee9190cea7f8953c22
  SHA1: 5826cc16652ee47262b6bac87c89be7de1aa7d85
  SHA256: 6c4135bd3bf882c32a48c2efe6145af8342892b8a8d75563dc7d5f5e813f0123
  SHA512: ad340e744f8d6fd6cc529251358fef56b2ed3d86f7b63cd2a62a0948caefcab24f35a3bba94e833af593711a203aedba6cbbeebda93de97bb4dc1884f5c9fd1c
- memory/656-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1500-54-0x0000000074F01000-0x0000000074F03000-memory.dmp
  Filesize: 8KB
- memory/1500-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB