Analysis
max time kernel: 161s
max time network: 180s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 04:57
Static task: static1
Behavioral task: behavioral1
  Sample: 13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe
  Resource: win10v2004-en-20220113
General
Target: 13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe
Size: 188KB
MD5: bf2365b497a8e5eda567745049f341ac
SHA1: 8f913e094412b0c8b7135c232b21e356bd1cc88d
SHA256: 13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef
SHA512: 787ab8a7ed9e271e7e33a91b73c66fbd57a7508f8e89293696d8bbbaa1e166e5a45a1d0ce0ecb7ab9c86068b1c4556e24eee1da55ac7696ba3ddfa4cc4bfa65f
Malware Config
Signatures
Sakula Payload (4 IoCs)
Processes:
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  yara_rule: family_sakula
  resource: behavioral1/memory/860-59-0x0000000000400000-0x0000000000420000-memory.dmp  yara_rule: family_sakula
  resource: behavioral1/memory/1596-60-0x0000000000400000-0x0000000000420000-memory.dmp  yara_rule: family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE (1 IoCs)
Processes:
  pid: 1596  process: MediaCenter.exe
Deletes itself (1 IoCs)
Processes:
  pid: 1384  process: cmd.exe
Loads dropped DLL (1 IoCs)
Processes:
  pid: 860  process: 13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: 13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description: Token: SeIncBasePriorityPrivilege  pid: 860  process: 13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  PID 860 wrote to memory of 1596  process: 13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe  target process: MediaCenter.exe
  PID 860 wrote to memory of 1596  process: 13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe  target process: MediaCenter.exe
  PID 860 wrote to memory of 1596  process: 13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe  target process: MediaCenter.exe
  PID 860 wrote to memory of 1596  process: 13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe  target process: MediaCenter.exe
  PID 860 wrote to memory of 1384  process: 13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe  target process: cmd.exe
  PID 860 wrote to memory of 1384  process: 13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe  target process: cmd.exe
  PID 860 wrote to memory of 1384  process: 13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe  target process: cmd.exe
  PID 860 wrote to memory of 1384  process: 13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe  target process: cmd.exe
  PID 1384 wrote to memory of 1852  process: cmd.exe  target process: PING.EXE
  PID 1384 wrote to memory of 1852  process: cmd.exe  target process: PING.EXE
  PID 1384 wrote to memory of 1852  process: cmd.exe  target process: PING.EXE
  PID 1384 wrote to memory of 1852  process: cmd.exe  target process: PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 860
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1596
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13fa1c56a86cddf736b7e85523e6ce1550c29bfb88418433d4ba2ad3e90573ef.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1384
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1852
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: aa92bbe151275bfd4b7dbd85a90ea439
SHA1: b1040cedb07a2646f36893480803566a21bb7cdc
SHA256: c1662bed80866513894393df6a8108405173d3e0714820a712eba98c3c76d4bf
SHA512: 218e811f291abc97bb23c2398bae63b4e2325511a4d5bea498c1263570fcd1054a14833b991f44c80e48cf459807bfdd67a20871383dc597f299ca50a7a05e9e