Analysis
- max time kernel: 131s
- max time network: 143s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:57
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de.exe
  Resource: win10v2004-en-20220113
General
- Target: 13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de.exe
- Size: 89KB
- MD5: dd24df840cd4e63c67a3717f554eb44e
- SHA1: 513e20711a13d4009fdf2e0b0935ea106fd76717
- SHA256: 13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de
- SHA512: 3560545fe77c377d9149462e4fcd83c050b3b38f5a862ab5b177d60b33492af34633ec514d02b5e3a758568a38a238739532cca9eba55eff81b909f031ee1f29
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  YARA rule family_sakula matched the dropped file at:
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
  Both are Emerging Threats rules that fired on the sample's HTTP traffic: the first on a User-Agent value the rule set treats as suspicious, the second on the Sakula/Mivast beacon pattern.
- Executes dropped EXE (1 IoC)
  Process: MediaCenter.exe (PID 1892)
- Deletes itself (1 IoC)
  Process: cmd.exe (PID 1596)
- Loads dropped DLL (1 IoC)
  Process: 13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de.exe (PID 1088)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process 13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de.exe (PID 1088) set value (str):
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The Wow6432Node path is the 32-bit registry view on the x64 guest: from the 32-bit process's own perspective it wrote HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The value points at the dropped payload in the user's Temp directory, so it survives reboot under the MicroMedia name.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic note "likely ransomware behaviour" to this signature; for this sample the YARA and Suricata matches identify a Sakula/Mivast RAT, so the heuristic carries little weight on its own.
- Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE (PID 1636), spawned by cmd.exe (PID 1596); see the Processes section.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process 13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de.exe (PID 1088) enabled token privilege SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Each of the three writer/target pairs below was logged four times (12 events in total):
    PID 1088 (13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de.exe) wrote to memory of PID 1892 (MediaCenter.exe)
    PID 1088 (13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de.exe) wrote to memory of PID 1596 (cmd.exe)
    PID 1596 (cmd.exe) wrote to memory of PID 1636 (PING.EXE)
  Every target is the writer's own freshly created child. Process creation itself writes the child's startup parameters into the new address space, which sandboxes record as WriteProcessMemory, so this pattern by itself does not indicate injection into unrelated processes.
Processes
- C:\Users\Admin\AppData\Local\Temp\13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de.exe (PID 1088)
  Command line: "C:\Users\Admin\AppData\Local\Temp\13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1892)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1596)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1636)
      Command line: ping 127.0.0.1
      - Runs ping.exe

The cmd.exe image is under SysWOW64 while its command line names System32: the 32-bit dropper asked for System32\cmd.exe and WoW64 file system redirection served the 32-bit copy. The ping to 127.0.0.1 (four echoes, about a second apart) is only a delay so the dropper has exited before del removes its image; the persistent copy lives on as MicroMedia\MediaCenter.exe.
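The two behaviours that matter for detection here are the Run-key entry pointing into the user's Temp directory (Signatures) and the ping-then-del self-deletion launched through cmd.exe (Processes). The following Python is an added example written for this page, not code from the sandbox or from the report; the process and registry events are constructed from the report's process tree and Run-key IoC rather than parsed from a real log, and the function names, the list of user-writable directories and the regular expression are the editor's own choices.

```python
"""Detect Run-key persistence into a user-writable directory and the
'cmd /c ping <host> & del /q <file>' self-deletion idiom.

Events below are constructed from this report's process tree and registry IoC;
they are not taken from a real EDR or Sysmon log.
"""
import ntpath
import re

# Autostart locations. The report's Wow6432Node key still contains this substring.
RUN_KEYS = (
    "\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    "\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\",
)
# Directories a standard user can write to (assumed list, extend to taste).
USER_WRITABLE = (
    "\\AppData\\Local\\Temp\\",
    "\\AppData\\Roaming\\",
    "\\ProgramData\\",
    "\\Users\\Public\\",
)

# ping <host> [&|&&] del [/switches] "<path>": ping is abused as a delay so the
# parent can exit before del removes its image. Handles optional -n <count>.
SELF_DELETE_RE = re.compile(
    r'ping(?:\.exe)?\s+(?:-n\s+\d+\s+)?\S+\s*&+\s*del\s+(?:/[a-z]\s+)*"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)


def normalize_sys_path(path):
    # A 32-bit process asking for C:\Windows\System32\x.exe actually gets
    # C:\Windows\SysWOW64\x.exe (WoW64 redirection), which is why the report shows
    # one path as the image and the other on the command line. Fold them together.
    return re.sub(r"(?i)\\Windows\\SysWOW64\\", r"\\Windows\\System32\\", path)


def flag_run_key(value_path, value_data):
    """Return a finding if a Run/RunOnce value points at an image in a user-writable dir."""
    if not any(k.lower() in value_path.lower() for k in RUN_KEYS):
        return None
    # Sandbox and registry dumps often render the data quoted with doubled backslashes.
    image = value_data.strip('"').replace("\\\\", "\\")
    if any(d.lower() in image.lower() for d in USER_WRITABLE):
        return {"rule": "run_key_user_writable", "key": value_path, "image": image}
    return None


def flag_self_delete(event):
    """Return a finding when cmd.exe runs the ping-then-del idiom; mark whether the
    deleted file is the image of the process that spawned cmd.exe."""
    if ntpath.basename(event["image"]).lower() != "cmd.exe":
        return None
    m = SELF_DELETE_RE.search(event["cmdline"])
    if not m:
        return None
    target = m.group("target").strip()
    parent = event.get("parent_image")
    return {
        "rule": "ping_del_self_delete",
        "pid": event["pid"],
        "target": target,
        "deletes_parent": bool(
            parent
            and ntpath.normcase(normalize_sys_path(target))
            == ntpath.normcase(normalize_sys_path(parent))
        ),
    }


SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "13f78839c5c9b4a66175133f569fdb5385e35ccf35e3eff641fe509f307882de.exe")
DROPPED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"

# Process-creation events constructed from the report's process tree.
PROCESS_EVENTS = [
    {"pid": 1088, "image": SAMPLE, "cmdline": f'"{SAMPLE}"', "parent_image": None},
    {"pid": 1892, "image": DROPPED, "cmdline": DROPPED, "parent_image": SAMPLE},
    {"pid": 1596, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"',
     "parent_image": SAMPLE},
    {"pid": 1636, "image": "C:\\Windows\\SysWOW64\\PING.EXE", "cmdline": "ping 127.0.0.1",
     "parent_image": "C:\\Windows\\SysWOW64\\cmd.exe"},
]
# Registry set-value event constructed from the report's Run-key IoC, escaped as the sandbox shows it.
REGISTRY_EVENTS = [
    {"pid": 1088,
     "key": "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroMedia",
     "data": "C:\\\\Users\\\\Admin\\\\AppData\\\\Local\\\\Temp\\\\MicroMedia\\\\MediaCenter.exe"},
]


def scan(process_events=PROCESS_EVENTS, registry_events=REGISTRY_EVENTS):
    """Run both detections over the event lists and return the findings."""
    findings = [f for f in (flag_self_delete(e) for e in process_events) if f]
    findings += [f for f in (flag_run_key(r["key"], r["data"]) for r in registry_events) if f]
    return findings


if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

Against the constructed events `scan()` returns exactly two findings: the cmd.exe event (PID 1596) with `deletes_parent` set because the del target equals the dropper's image, and the Run key whose data resolves to the MediaCenter.exe path under Temp. A plain `cmd.exe /c dir` produces nothing. Feeding real Sysmon event 1 and event 13 records into the same two functions only requires mapping their Image, CommandLine, ParentImage, TargetObject and Details fields onto the keys used here.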
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 073de83435b69a862fa9cad1a19c5696
  SHA1: b8f09abb559ff54dd9d3e07385819812391351cc
  SHA256: ee9c2af1e310112d6c3516387df20a90133d109a96f5cf4d1d434de2b11cc999
  SHA512: e40e5acf02ea1640c93837c3f41aafd1c5f743562cd05745fef3ece7ca5f88f3a53353a480114eb9cff94fb4748f8462ff7c52cc8858df7a147bbcf15803eccb