Analysis
- max time kernel: 135s
- max time network: 158s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 04:58
Static task: static1
Behavioral task: behavioral1
- Sample: 13ec0d650792afd673ca20d89ef072456033b4dbd4b07e422017b9bbdaa6d80a.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 13ec0d650792afd673ca20d89ef072456033b4dbd4b07e422017b9bbdaa6d80a.exe
- Resource: win10v2004-en-20220112
General
- Target: 13ec0d650792afd673ca20d89ef072456033b4dbd4b07e422017b9bbdaa6d80a.exe
- Size: 92KB
- MD5: 53ee115d935f47012654d3a4a99d724a
- SHA1: 7ab3731d2319854842d52ceb519ca03e244398a9
- SHA256: 13ec0d650792afd673ca20d89ef072456033b4dbd4b07e422017b9bbdaa6d80a
- SHA512: 73c4e95a0b29f5c580ee76141e41acb97b8a5ba92f06b89cae3f1ecd069a1a03f07402aa9a08a5568cf3a8ce91cb742d4e25ac30f309a52add7f2a62d34542eb
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoCs)
  pid | process
  944 | MediaCenter.exe
- Deletes itself (1 IoCs)
  pid | process
  1684 | cmd.exe
- Loads dropped DLL (1 IoCs)
  pid | process
  904 | 13ec0d650792afd673ca20d89ef072456033b4dbd4b07e422017b9bbdaa6d80a.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 13ec0d650792afd673ca20d89ef072456033b4dbd4b07e422017b9bbdaa6d80a.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 904 | 13ec0d650792afd673ca20d89ef072456033b4dbd4b07e422017b9bbdaa6d80a.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 904 wrote to memory of 944 | 904 | 13ec0d650792afd673ca20d89ef072456033b4dbd4b07e422017b9bbdaa6d80a.exe | MediaCenter.exe
  PID 904 wrote to memory of 944 | 904 | 13ec0d650792afd673ca20d89ef072456033b4dbd4b07e422017b9bbdaa6d80a.exe | MediaCenter.exe
  PID 904 wrote to memory of 944 | 904 | 13ec0d650792afd673ca20d89ef072456033b4dbd4b07e422017b9bbdaa6d80a.exe | MediaCenter.exe
  PID 904 wrote to memory of 944 | 904 | 13ec0d650792afd673ca20d89ef072456033b4dbd4b07e422017b9bbdaa6d80a.exe | MediaCenter.exe
  PID 904 wrote to memory of 1684 | 904 | 13ec0d650792afd673ca20d89ef072456033b4dbd4b07e422017b9bbdaa6d80a.exe | cmd.exe
  PID 904 wrote to memory of 1684 | 904 | 13ec0d650792afd673ca20d89ef072456033b4dbd4b07e422017b9bbdaa6d80a.exe | cmd.exe
  PID 904 wrote to memory of 1684 | 904 | 13ec0d650792afd673ca20d89ef072456033b4dbd4b07e422017b9bbdaa6d80a.exe | cmd.exe
  PID 904 wrote to memory of 1684 | 904 | 13ec0d650792afd673ca20d89ef072456033b4dbd4b07e422017b9bbdaa6d80a.exe | cmd.exe
  PID 1684 wrote to memory of 1088 | 1684 | cmd.exe | PING.EXE
  PID 1684 wrote to memory of 1088 | 1684 | cmd.exe | PING.EXE
  PID 1684 wrote to memory of 1088 | 1684 | cmd.exe | PING.EXE
  PID 1684 wrote to memory of 1088 | 1684 | cmd.exe | PING.EXE
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\13ec0d650792afd673ca20d89ef072456033b4dbd4b07e422017b9bbdaa6d80a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\13ec0d650792afd673ca20d89ef072456033b4dbd4b07e422017b9bbdaa6d80a.exe"
  PID: 904
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Path: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 944
    - Executes dropped EXE
  - Path: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13ec0d650792afd673ca20d89ef072456033b4dbd4b07e422017b9bbdaa6d80a.exe"
    PID: 1684
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - Path: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1088
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 74c095ade65f665377d3d32aadc720aa
  SHA1: c4039a73ffefdae7f263edf22f8440e334ab3bda
  SHA256: 296f558bda1db58b439116f7bb94b5f69b22a06afd695170abf8e1801be06162
  SHA512: 0441eb2ea931e0a828e0d70d855e29671f891f19b78c394934fbdb7a5340981bc59dce3a91bc2751650e14f0873cd45f8d1797371f95a1e1b5ec20697f2b738a