Analysis
max time kernel: 134s
max time network: 178s
platform: windows7_x64
resource: win7-20220414-en
resource tags: arch:x64, arch:x86, image:win7-20220414-en, locale:en-us, os:windows7-x64, system
submitted: 16-07-2022 08:13
Behavioral task: behavioral1
Sample: virussign.exe
Resource: win7-20220414-en
General
Target: virussign.exe
Size: 212KB
MD5: 1bc0e4769e7c8d200892a2b1450961e0
SHA1: 08b0805ed34458af16a73e494999ad2e8ba83655
SHA256: 7a3c203d3668423e2bf6e11568ceeac3c5081d06f304db0db39fea341833323e
SHA512: 406170bf43063a2b18359560d73ef0c3bb0726d3f0d180d3aa02e504ac0cda3eb408606f8932ed35e4e0a84f1d04cbe0fa6212d910a33089dc496d8dd644a502
Malware Config
Signatures
Sakula payload 5 IoCs
Processes (resource: yara_rule):
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- behavioral1/memory/1516-59-0x0000000000400000-0x0000000000435000-memory.dmp: family_sakula
- behavioral1/memory/972-61-0x0000000000400000-0x0000000000435000-memory.dmp: family_sakula
- behavioral1/memory/1516-63-0x0000000000400000-0x0000000000435000-memory.dmp: family_sakula
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE 1 IoCs
Processes (pid, process):
- 972 MediaCenter.exe
Processes (resource: yara_rule):
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: upx
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: upx
- behavioral1/memory/1516-59-0x0000000000400000-0x0000000000435000-memory.dmp: upx
- behavioral1/memory/972-61-0x0000000000400000-0x0000000000435000-memory.dmp: upx
- behavioral1/memory/1516-63-0x0000000000400000-0x0000000000435000-memory.dmp: upx
Deletes itself 1 IoCs
Processes (pid, process):
- 1684 cmd.exe
Loads dropped DLL 1 IoCs
Processes (pid, process):
- 1516 virussign.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" (virussign.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description, pid, process):
- Token: SeIncBasePriorityPrivilege, 1516, virussign.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description, pid, process, target process):
- PID 1516 wrote to memory of 972: virussign.exe -> MediaCenter.exe
- PID 1516 wrote to memory of 972: virussign.exe -> MediaCenter.exe
- PID 1516 wrote to memory of 972: virussign.exe -> MediaCenter.exe
- PID 1516 wrote to memory of 972: virussign.exe -> MediaCenter.exe
- PID 1516 wrote to memory of 1684: virussign.exe -> cmd.exe
- PID 1516 wrote to memory of 1684: virussign.exe -> cmd.exe
- PID 1516 wrote to memory of 1684: virussign.exe -> cmd.exe
- PID 1516 wrote to memory of 1684: virussign.exe -> cmd.exe
- PID 1684 wrote to memory of 1204: cmd.exe -> PING.EXE
- PID 1684 wrote to memory of 1204: cmd.exe -> PING.EXE
- PID 1684 wrote to memory of 1204: cmd.exe -> PING.EXE
- PID 1684 wrote to memory of 1204: cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\virussign.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\virussign.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\virussign.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 212KB
  MD5: 78e8d366a9398e0122b01f5e7fcd11a9
  SHA1: 07beb008010de20198cad3ecad910547656f1f23
  SHA256: 95123cffb519372a9ef0d5eddd69e8349724d401a4d77f4a17010594f0f897eb
  SHA512: 21b4ffac9850a36ff2fa1a38832faea842034bd1cf79de84830c5527dc2d1cfb2532b0f7269f1ec8bcb72ad56f84052d466a7b623087bf00601912858227f1d4
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 212KB
  MD5: 78e8d366a9398e0122b01f5e7fcd11a9
  SHA1: 07beb008010de20198cad3ecad910547656f1f23
  SHA256: 95123cffb519372a9ef0d5eddd69e8349724d401a4d77f4a17010594f0f897eb
  SHA512: 21b4ffac9850a36ff2fa1a38832faea842034bd1cf79de84830c5527dc2d1cfb2532b0f7269f1ec8bcb72ad56f84052d466a7b623087bf00601912858227f1d4
- memory/972-56-0x0000000000000000-mapping.dmp
- memory/972-61-0x0000000000400000-0x0000000000435000-memory.dmp
  Filesize: 212KB
- memory/1204-64-0x0000000000000000-mapping.dmp
- memory/1516-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp
  Filesize: 8KB
- memory/1516-59-0x0000000000400000-0x0000000000435000-memory.dmp
  Filesize: 212KB
- memory/1516-60-0x0000000000440000-0x0000000000475000-memory.dmp
  Filesize: 212KB
- memory/1516-63-0x0000000000400000-0x0000000000435000-memory.dmp
  Filesize: 212KB
- memory/1684-62-0x0000000000000000-mapping.dmp