Analysis
- max time kernel: 158s
- max time network: 168s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 11:29
Static task: static1
Behavioral task: behavioral1
  Sample: 0442fd04f0dc2dceecf8b97687f22867a94d71b49f49fa3a0af3d72c688fa9e6.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0442fd04f0dc2dceecf8b97687f22867a94d71b49f49fa3a0af3d72c688fa9e6.exe
  Resource: win10v2004-en-20220113
General
- Target: 0442fd04f0dc2dceecf8b97687f22867a94d71b49f49fa3a0af3d72c688fa9e6.exe
- Size: 176KB
- MD5: d81712621366d35c3840dc00c438977e
- SHA1: 07d2c810d49a729a442a3f22bc8651a83b45d9ff
- SHA256: 0442fd04f0dc2dceecf8b97687f22867a94d71b49f49fa3a0af3d72c688fa9e6
- SHA512: f36e06ccad4eda8a09a3b2964ad0a05b80951ac6c5062bf8e0c0d48bac8b7e3d24ca5780ba4521e219f32799fc789ad7a5a1f5becc980dc35de319e9fb520fc7
Malware Config
Signatures
-
Sakula Payload 4 IoCs
Resource -> YARA rule:
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
behavioral1/memory/948-58-0x0000000000400000-0x0000000000420000-memory.dmp -> family_sakula
behavioral1/memory/1704-59-0x0000000000400000-0x0000000000420000-memory.dmp -> family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
PID 1704 MediaCenter.exe
-
Deletes itself 1 IoCs
Processes:
PID 784 cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
PID 948 0442fd04f0dc2dceecf8b97687f22867a94d71b49f49fa3a0af3d72c688fa9e6.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Set value (str) by PID 948 0442fd04f0dc2dceecf8b97687f22867a94d71b49f49fa3a0af3d72c688fa9e6.exe:
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
Note: the Wow6432Node path is the WOW64-redirected view of HKLM\SOFTWARE that a 32-bit process sees on this x64 host. When hunting for this persistence on 64-bit systems, query both the redirected Run key and the native HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches the generic note "likely ransomware behaviour" to this heuristic; in this report the network signatures above identify the payload as the Sakula/Mivast RAT, so treat the storage enumeration as a generic indicator rather than evidence of encryption activity.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Token: SeIncBasePriorityPrivilege enabled by PID 948 0442fd04f0dc2dceecf8b97687f22867a94d71b49f49fa3a0af3d72c688fa9e6.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes (source PID process -> target PID process, event count):
948 0442fd04f0dc2dceecf8b97687f22867a94d71b49f49fa3a0af3d72c688fa9e6.exe -> 1704 MediaCenter.exe (4 events)
948 0442fd04f0dc2dceecf8b97687f22867a94d71b49f49fa3a0af3d72c688fa9e6.exe -> 784 cmd.exe (4 events)
784 cmd.exe -> 2008 PING.EXE (4 events)
Processes
-
C:\Users\Admin\AppData\Local\Temp\0442fd04f0dc2dceecf8b97687f22867a94d71b49f49fa3a0af3d72c688fa9e6.exe (PID 948)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0442fd04f0dc2dceecf8b97687f22867a94d71b49f49fa3a0af3d72c688fa9e6.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1704, child of 948)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (PID 784, child of 948)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0442fd04f0dc2dceecf8b97687f22867a94d71b49f49fa3a0af3d72c688fa9e6.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID 2008, child of 784)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Note: the command line names System32\cmd.exe but the executed image is SysWOW64\cmd.exe because the 32-bit dropper is subject to WOW64 file-system redirection. The ping to 127.0.0.1 is only a delay so that the dropper's own image is no longer in use when del runs; the dropper has already copied itself to the MicroMedia folder and registered that copy in the Run key before deleting the original.
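The process tree above shows three behaviours a detection engineer would want to catch independently of the file hashes: a dropped executable launched from the user's Temp directory, a Run key pointing into that Temp directory, and the `cmd /c ping ... & del` self-deletion of the dropper. The following Python is an added example written for this page, not output of the sandbox or code from the Sakula sample; the `Proc`/`RegSet` records and the `detect` and `del_target` functions are my own, and the event list is constructed by hand to mirror the PIDs, paths and registry write reported above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed events that mirror the process tree and Run-key write in the
# report above (not sandbox output; record layout and field names are assumed).
SAMPLE = "0442fd04f0dc2dceecf8b97687f22867a94d71b49f49fa3a0af3d72c688fa9e6.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
DROPPED_PATH = TEMP + r"\MicroMedia\MediaCenter.exe"


@dataclass
class Proc:
    pid: int
    ppid: int      # 0 = parent not recorded
    image: str     # image actually executed (SysWOW64 for 32-bit images on x64)
    cmdline: str


@dataclass
class RegSet:
    pid: int
    key: str
    value: str
    data: str


PROCS = [
    Proc(948, 0, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    Proc(1704, 948, DROPPED_PATH, DROPPED_PATH),
    Proc(784, 948, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE_PATH + '"'),
    Proc(2008, 784, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]
REGS = [
    RegSet(948, r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
           "MicroMedia", DROPPED_PATH),
]

# Run/RunOnce keys; matches both the native key and the Wow6432Node view that a
# 32-bit process is redirected to on x64, as seen in this report.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# Per-user Temp directory: writable without privilege, unusual for a real autostart.
USER_TEMP = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# 'ping' (or the 'timeout' variant) before 'del' stalls until the dropper has exited.
DELAY_THEN_DEL = re.compile(r"\b(ping|timeout)\b.*&\s*del\b", re.I)


def del_target(cmdline: str) -> Optional[str]:
    """Return the path handed to 'del' in a cmd.exe command line, or None."""
    m = re.search(r"\bdel\b(.*)$", cmdline, re.I)
    if not m:
        return None
    args = m.group(1)
    quoted = re.findall(r'"([^"]+)"', args)
    if quoted:
        return quoted[-1]
    bare = [t for t in args.split() if not t.startswith("/")]  # skip /q, /f switches
    return bare[-1] if bare else None


def detect(procs: List[Proc], regs: List[RegSet]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) tuples for the three behaviours in the report."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        # 1. Self-deletion: cmd.exe stalls, then deletes the image of its own parent.
        if p.image.lower().endswith("\\cmd.exe") and DELAY_THEN_DEL.search(p.cmdline):
            target = del_target(p.cmdline)
            if parent and target and target.lower() == parent.image.lower():
                hits.append(("self_delete", p.pid, target))
        # 2. A binary in the user's Temp tree launched a different binary from that tree.
        if (parent and USER_TEMP.match(p.image) and USER_TEMP.match(parent.image)
                and p.image.lower() != parent.image.lower()):
            hits.append(("dropped_exe_executed", p.pid, p.image))
    for r in regs:
        # 3. Autostart entry whose target lives under the user's Temp directory.
        if RUN_KEY.search(r.key) and USER_TEMP.match(r.data.strip('"')):
            hits.append(("run_key_temp_path", r.pid, f"{r.key}\\{r.value} = {r.data}"))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(PROCS, REGS):
        print(f"{rule:22} pid={pid:<5} {detail}")
```

Run against the constructed events it reports one hit per rule (self_delete on PID 784, dropped_exe_executed on PID 1704, run_key_temp_path on PID 948). The self-deletion rule deliberately requires the `del` target to equal the parent's image path rather than matching on `ping & del` alone, which keeps installer clean-up scripts that delete unrelated temp files from firing.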
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (also listed as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe)
MD5: dc005ffeb62832d232cafd5cffee5a61
SHA1: 6c60fc35fde1d62b471799ab673d37a5fab13658
SHA256: ff347d78954acc519a7676b2e6b27dc0a1b89440bd58032172cccad3b11473b0
SHA512: ef93b9d7337ba303846a220e661e0e9fc015205329bae547df06f5b1dfb2f925609338951bc092b05752bc100fcf8012f2b6a89a3057c6501ca4494087388a9f
-
memory/948-54-0x0000000075601000-0x0000000075603000-memory.dmp
Filesize: 8KB
-
memory/948-58-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/1704-59-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB