Analysis
- max time kernel: 134s
- max time network: 142s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:57
Static task: static1
Behavioral task: behavioral1
- Sample: 13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe
- Resource: win10v2004-en-20220113
General
- Target: 13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe
- Size: 92KB
- MD5: 99999f8f9ad28f802df2fa518cd3d0ad
- SHA1: d872790eec0a76b201271e42d3f192039f67b617
- SHA256: 13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f
- SHA512: 7249a115f2e95feb4606d4f2ee5c1b913364c6f7391cd352d5e75b11884b582754e38421efdd37b1bad38d53c0f28382adedebc0d4ab796ffa2463d8a8409c3e
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource / yara_rule):
  - \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 1540 / MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
  - 1244 / cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  - 1128 / 13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" / 13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeIncBasePriorityPrivilege / 1128 / 13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  - PID 1128 wrote to memory of 1540 / 1128 / 13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe / MediaCenter.exe
  - PID 1128 wrote to memory of 1540 / 1128 / 13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe / MediaCenter.exe
  - PID 1128 wrote to memory of 1540 / 1128 / 13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe / MediaCenter.exe
  - PID 1128 wrote to memory of 1540 / 1128 / 13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe / MediaCenter.exe
  - PID 1128 wrote to memory of 1244 / 1128 / 13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe / cmd.exe
  - PID 1128 wrote to memory of 1244 / 1128 / 13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe / cmd.exe
  - PID 1128 wrote to memory of 1244 / 1128 / 13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe / cmd.exe
  - PID 1128 wrote to memory of 1244 / 1128 / 13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe / cmd.exe
  - PID 1244 wrote to memory of 1996 / 1244 / cmd.exe / PING.EXE
  - PID 1244 wrote to memory of 1996 / 1244 / cmd.exe / PING.EXE
  - PID 1244 wrote to memory of 1996 / 1244 / cmd.exe / PING.EXE
  - PID 1244 wrote to memory of 1996 / 1244 / cmd.exe / PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe"
  PID: 1128
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1540
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13fabf835778305695c523bbd0faaf76e950c5fa99336734518f4ecb117e4e9f.exe"
    PID: 1244
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      PID: 1996
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 18897c6781bf4a7e45465f4e85789e72
  SHA1: 1a74c76432d292a9ccb97bba6f81413196223d2a
  SHA256: dc6abc2db231b1245fc974c8ea45ce1e55b2512afbf9fd22013b0734983e33f3
  SHA512: 89f9a16b5336a94946ab40c9e64cfd04f65b4c04d85848733ec19d1c5d5b7034e6af4a418e25e2e31110eb5fd032fa755990ec78d4044f603a83f7abea5afe99