Analysis
-
max time kernel: 137s
-
max time network: 157s
-
platform: windows7_x64
-
resource: win7-en-20211208
-
submitted: 12-02-2022 11:38
Static task: static1
Behavioral task: behavioral1
  Sample: 03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe
  Resource: win10v2004-en-20220113
General
-
Target: 03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe
-
Size: 216KB
-
MD5: ad986b0ddfc4e6e52b02f95093affc49
-
SHA1: 5731643bf3e4dce4e581ba29b2686e6db156b6cd
-
SHA256: 03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a
-
SHA512: 6a095b3f548d8b2f14cd50b6c7ca8389276767017affc86ded6e39966fbe4cdcb2e4b34fe27514c0d0342cd075aee028d24240c598ffdadaf0453cad86e40a86
Malware Config
Signatures
-
Sakula Payload 4 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral1/memory/1532-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
behavioral1/memory/1540-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1540 | MediaCenter.exe
-
Deletes itself 1 IoCs
Processes:
pid | process
1560 | cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
1532 | 03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 1532 | 03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 1532 wrote to memory of 1540 | 1532 | 03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe | MediaCenter.exe
PID 1532 wrote to memory of 1540 | 1532 | 03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe | MediaCenter.exe
PID 1532 wrote to memory of 1540 | 1532 | 03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe | MediaCenter.exe
PID 1532 wrote to memory of 1540 | 1532 | 03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe | MediaCenter.exe
PID 1532 wrote to memory of 1560 | 1532 | 03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe | cmd.exe
PID 1532 wrote to memory of 1560 | 1532 | 03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe | cmd.exe
PID 1532 wrote to memory of 1560 | 1532 | 03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe | cmd.exe
PID 1532 wrote to memory of 1560 | 1532 | 03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe | cmd.exe
PID 1560 wrote to memory of 1556 | 1560 | cmd.exe | PING.EXE
PID 1560 wrote to memory of 1556 | 1560 | cmd.exe | PING.EXE
PID 1560 wrote to memory of 1556 | 1560 | cmd.exe | PING.EXE
PID 1560 wrote to memory of 1556 | 1560 | cmd.exe | PING.EXE
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1532
-
  [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1540
-
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1560
-
    [3] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1
        - Runs ping.exe
        PID: 1556
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: c9cfaff2765db7426646aa93260c1c97
SHA1: 51e3ed113c271eb3d396db7e2ba54b79d1647520
SHA256: 6ccd28411560bc7ea58e031c4482c3a128f53061741926aa3a9e5311a4121fda
SHA512: be0c9ffde84b9c418281f16ab6049dc838fecab19f52516ea09481995e44b1b395bafc653070b907bccd37cac09fa8601e19b6073551cd5504575dcc58d18f4a
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: c9cfaff2765db7426646aa93260c1c97
SHA1: 51e3ed113c271eb3d396db7e2ba54b79d1647520
SHA256: 6ccd28411560bc7ea58e031c4482c3a128f53061741926aa3a9e5311a4121fda
SHA512: be0c9ffde84b9c418281f16ab6049dc838fecab19f52516ea09481995e44b1b395bafc653070b907bccd37cac09fa8601e19b6073551cd5504575dcc58d18f4a
-
memory/1532-55-0x0000000074F11000-0x0000000074F13000-memory.dmp
Filesize: 8KB
-
memory/1532-59-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB
-
memory/1540-60-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB