Analysis
max time kernel: 142s
max time network: 149s
platform: windows7_x64
resource: win7-en-20211208
submitted: 31-01-2022 01:05

Static task: static1
Behavioral task: behavioral1
  Sample: 59a7c19afa4baa80c90eec1a6f21311983029e923d1b0a483daf206dab991fc4.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 59a7c19afa4baa80c90eec1a6f21311983029e923d1b0a483daf206dab991fc4.exe
  Resource: win10-en-20211208
General
Target: 59a7c19afa4baa80c90eec1a6f21311983029e923d1b0a483daf206dab991fc4.exe
Size: 123KB
MD5: 07b62497e41898c22e5d5351607aac8e
SHA1: d85860554ea5718bbcbe877c1310c301a8d2d2ad
SHA256: 59a7c19afa4baa80c90eec1a6f21311983029e923d1b0a483daf206dab991fc4
SHA512: 72e32b134e72ba1b1bca0e6faa79c40e1f76766faefb11995788f26e2289f0aa32a2a1fde9db0a6037ccbfc8cebbc83118ee4199679719c239230c0dd7b6a28a
Malware Config
Signatures
-
Sakula Payload 5 IoCs
Processes:
resource / yara_rule:
\Users\Admin\AppData\Local\Temp\pdfforie.exe : family_sakula
C:\Users\Admin\AppData\Local\Temp\pdfforie.exe : family_sakula
C:\Users\Admin\AppData\Local\Temp\pdfforie.exe : family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe : family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe : family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 2 IoCs
Processes:
pid / process:
2032 pdfforie.exe
760 MediaCenter.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid / process:
1660 59a7c19afa4baa80c90eec1a6f21311983029e923d1b0a483daf206dab991fc4.exe
2032 pdfforie.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description / ioc / process:
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" pdfforie.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 36 IoCs
Processes: iexplore.exe, IEXPLORE.EXE
description / ioc / process (every key below sits under \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer):
Key created Internet Explorer\Main iexplore.exe
Key created Internet Explorer\GPU iexplore.exe
Key created Internet Explorer\Main IEXPLORE.EXE
Key created Internet Explorer\DomainSuggestion\FileNames iexplore.exe
Key created Internet Explorer\LowRegistry\DOMStorage iexplore.exe
Key created Internet Explorer\Toolbar\WebBrowser iexplore.exe
Key created Internet Explorer\Recovery\AdminActive iexplore.exe
Set value (str) Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE
Set value (int) Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe
Set value (data) Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value not preserved in the report extract] iexplore.exe
Set value (int) Internet Explorer\DomainSuggestion\NextUpdateDate = "350366327" iexplore.exe
Key created Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe
Key created Internet Explorer\Zoom iexplore.exe
Set value (str) Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe
Key created Internet Explorer\TabbedBrowsing iexplore.exe
Set value (int) Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe
Key created Internet Explorer\Main\WindowsSearch IEXPLORE.EXE
Set value (data) Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc92000000000200000000001066000000010000200000009b87b9335b1e5b7f1166e27fc59b1d72f4efa2bf9d212bf89a7d6b06ef356b17000000000e8000000002000020000000f7638af11520c6de4003dfba85daa659663815e3a01c1e38161a3655eda3426d2000000035263f3e78cc4ded045722b7c664485f2bdcd380587e1f92beeb1bb04a6f027540000000c01ec8ba89290d9bac70521f339dc15c1c7cf27ccf6e941f14ef23c136c7d9e82c8ab6466dab5166a3134dd4875f7d4d9834135e94c82bc1d95ceabc75983743 iexplore.exe
Key created Internet Explorer\IETld\LowMic iexplore.exe
Key created Internet Explorer\IntelliForms iexplore.exe
Set value (int) Internet Explorer\Recovery\AdminActive\{AC3913C1-8249-11EC-92F6-46595837F587} = "0" iexplore.exe
Set value (str) Internet Explorer\Main\FullScreen = "no" iexplore.exe
Key created Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe
Key created Internet Explorer\InternetRegistry iexplore.exe
Key created Internet Explorer\Toolbar iexplore.exe
Key created Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe
Set value (data) Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7067a48d5616d801 iexplore.exe
Set value (int) Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe
Set value (str) Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe
Set value (data) Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe
Key created Internet Explorer\Recovery\PendingRecovery iexplore.exe
Key created Internet Explorer\DomainSuggestion iexplore.exe
Key created Internet Explorer\BrowserEmulation\LowMic iexplore.exe
Key created Internet Explorer\LowRegistry iexplore.exe
Key created Internet Explorer\PageSetup iexplore.exe
Key created Internet Explorer\Main\WindowsSearch iexplore.exe
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description / pid / process:
Token: SeIncBasePriorityPrivilege 2032 pdfforie.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid / process:
756 iexplore.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid / process:
756 iexplore.exe (reported 2 times)
392 IEXPLORE.EXE (reported 4 times)
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
description / pid / process / target process (each pair is reported 4 times, 24 entries in total):
PID 1660 wrote to memory of 2032 : 59a7c19afa4baa80c90eec1a6f21311983029e923d1b0a483daf206dab991fc4.exe -> pdfforie.exe
PID 1660 wrote to memory of 756 : 59a7c19afa4baa80c90eec1a6f21311983029e923d1b0a483daf206dab991fc4.exe -> iexplore.exe
PID 2032 wrote to memory of 760 : pdfforie.exe -> MediaCenter.exe
PID 756 wrote to memory of 392 : iexplore.exe -> IEXPLORE.EXE
PID 2032 wrote to memory of 1956 : pdfforie.exe -> cmd.exe
PID 1956 wrote to memory of 912 : cmd.exe -> PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\59a7c19afa4baa80c90eec1a6f21311983029e923d1b0a483daf206dab991fc4.exe (PID 1660)
  Command line: "C:\Users\Admin\AppData\Local\Temp\59a7c19afa4baa80c90eec1a6f21311983029e923d1b0a483daf206dab991fc4.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\pdfforie.exe (PID 2032)
    Command line: C:\Users\Admin\AppData\Local\Temp\pdfforie.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 760)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe (PID 1956)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\pdfforie.exe"
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\PING.EXE (PID 912)
        Command line: ping 127.0.0.1
        - Runs ping.exe
  C:\Program Files\Internet Explorer\iexplore.exe (PID 756)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.training-at-hps.com/asp/student/cookie.html
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 392)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:756 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015