Analysis
- max time kernel: 143s
- max time network: 152s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:02
Static task: static1
Behavioral task: behavioral1
  Sample: 13cd7918b96b5413fae5c52369dd7d3e4cd186b364c0ce772f6da4f9dd1bffc4.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 13cd7918b96b5413fae5c52369dd7d3e4cd186b364c0ce772f6da4f9dd1bffc4.exe
  Resource: win10v2004-en-20220113
General
- Target: 13cd7918b96b5413fae5c52369dd7d3e4cd186b364c0ce772f6da4f9dd1bffc4.exe
- Size: 92KB
- MD5: 53b26ba7c8ec25b6828aaa3a776adeab
- SHA1: 498ce435b813cf8502982345a9494c197df1cd3d
- SHA256: 13cd7918b96b5413fae5c52369dd7d3e4cd186b364c0ce772f6da4f9dd1bffc4
- SHA512: 04c627a24eed6a818fdc5f83a4a9513d0a04b1727a00e785136616662cfac2eca7b320cf2c91188da4102db5f81bd84dc0a42a8235568c8cb779f4dac61bd6c6
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource -> yara_rule):
    \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe -> family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE (1 IoC)
  Processes (pid -> process):
    1912 -> MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid -> process):
    608 -> cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid -> process):
    1540 -> 13cd7918b96b5413fae5c52369dd7d3e4cd186b364c0ce772f6da4f9dd1bffc4.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description -> ioc -> process):
    Set value (str) -> \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" -> 13cd7918b96b5413fae5c52369dd7d3e4cd186b364c0ce772f6da4f9dd1bffc4.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description -> pid -> process):
    Token: SeIncBasePriorityPrivilege -> 1540 -> 13cd7918b96b5413fae5c52369dd7d3e4cd186b364c0ce772f6da4f9dd1bffc4.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description -> pid -> process -> target process):
    PID 1540 wrote to memory of 1912 -> 1540 -> 13cd7918b96b5413fae5c52369dd7d3e4cd186b364c0ce772f6da4f9dd1bffc4.exe -> MediaCenter.exe (listed 4 times)
    PID 1540 wrote to memory of 608 -> 1540 -> 13cd7918b96b5413fae5c52369dd7d3e4cd186b364c0ce772f6da4f9dd1bffc4.exe -> cmd.exe (listed 4 times)
    PID 608 wrote to memory of 1712 -> 608 -> cmd.exe -> PING.EXE (listed 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\13cd7918b96b5413fae5c52369dd7d3e4cd186b364c0ce772f6da4f9dd1bffc4.exe (PID 1540)
  Command line: "C:\Users\Admin\AppData\Local\Temp\13cd7918b96b5413fae5c52369dd7d3e4cd186b364c0ce772f6da4f9dd1bffc4.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1912)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 608)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13cd7918b96b5413fae5c52369dd7d3e4cd186b364c0ce772f6da4f9dd1bffc4.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1712)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 164b95e164f25c2476370b98f8ee33e3
  SHA1: 236ecfcbeca08c1c817182f4c4f5d731eaec867d
  SHA256: 295c2afa947109427e408911ee7c19534d7f06fdc3a63e485dc6f5d3a2febcb1
  SHA512: 5c4e824386a200d21f57159877d7adbbd4a9ab3d1c82fb3cd72871a7bbc48fccb5be2599ef9bbfa8fb75072259b110cb7d62febc87d57e109f39b39267e535ff