Analysis
-
max time kernel
143s -
max time network
149s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
22-09-2021 13:24
Static task
static1
Behavioral task
behavioral1
Sample
bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe
Resource
win10v20210408
General
-
Target
bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe
-
Size
150KB
-
MD5
9640c0c25e279327d12a52a5e596724d
-
SHA1
81efd5b75ec8e7e4fc5a063a2ab26bb1e21f8b4c
-
SHA256
bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348
-
SHA512
eda7bc138ce9656e80e4aa27990c1275795a92dac4fd7c93f8cb594e31b066bf1751fa7640b75db0f71986cf35beb324822959d679cfd1b6d0102d6e79f94bf7
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 1864 MediaCenter.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1724 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exepid process 1308 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exedescription pid process Token: SeIncBasePriorityPrivilege 1308 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.execmd.exedescription pid process target process PID 1308 wrote to memory of 1864 1308 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe MediaCenter.exe PID 1308 wrote to memory of 1864 1308 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe MediaCenter.exe PID 1308 wrote to memory of 1864 1308 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe MediaCenter.exe PID 1308 wrote to memory of 1864 1308 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe MediaCenter.exe PID 1308 wrote to memory of 1724 1308 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe cmd.exe PID 1308 wrote to memory of 1724 1308 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe cmd.exe PID 1308 wrote to memory of 1724 1308 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe cmd.exe PID 1308 wrote to memory of 1724 1308 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe cmd.exe PID 1724 wrote to memory of 1780 1724 cmd.exe PING.EXE PID 1724 wrote to memory of 1780 1724 cmd.exe PING.EXE PID 1724 wrote to memory of 1780 1724 cmd.exe PING.EXE PID 1724 wrote to memory of 1780 1724 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe"C:\Users\Admin\AppData\Local\Temp\bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
9e1c69bc4bff30d3a84eead5de8196ba
SHA1772f429ff6f34678dbfd6ee6d9ef4f446a98c58c
SHA25602fa201468ab8f2dbaa28a9004884f80e86631a2f5227c447c76935429377e48
SHA512acb88b4598c42897f15a876a5ac9523a567e65ded6e1b40b52644a65a1bf5b3731b6b18d5efe182eef091592b0a9638253b7ae3dbfdf4fdb4eb5f347da2b78d8
-
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
9e1c69bc4bff30d3a84eead5de8196ba
SHA1772f429ff6f34678dbfd6ee6d9ef4f446a98c58c
SHA25602fa201468ab8f2dbaa28a9004884f80e86631a2f5227c447c76935429377e48
SHA512acb88b4598c42897f15a876a5ac9523a567e65ded6e1b40b52644a65a1bf5b3731b6b18d5efe182eef091592b0a9638253b7ae3dbfdf4fdb4eb5f347da2b78d8
-
memory/1308-60-0x0000000075AD1000-0x0000000075AD3000-memory.dmpFilesize
8KB
-
memory/1724-65-0x0000000000000000-mapping.dmp
-
memory/1780-66-0x0000000000000000-mapping.dmp
-
memory/1864-62-0x0000000000000000-mapping.dmp