Analysis
-
max time kernel
143s -
max time network
149s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
22-09-2021 13:24
Static task
static1
Behavioral task
behavioral1
Sample
bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe
Resource
win10v20210408
General
-
Target
bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe
-
Size
150KB
-
MD5
9640c0c25e279327d12a52a5e596724d
-
SHA1
81efd5b75ec8e7e4fc5a063a2ab26bb1e21f8b4c
-
SHA256
bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348
-
SHA512
eda7bc138ce9656e80e4aa27990c1275795a92dac4fd7c93f8cb594e31b066bf1751fa7640b75db0f71986cf35beb324822959d679cfd1b6d0102d6e79f94bf7
Malware Config
Signatures
-
Sakula Payload 2 IoCs
resource yara_rule behavioral1/files/0x00040000000130d3-61.dat family_sakula behavioral1/files/0x00040000000130d3-63.dat family_sakula -
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
pid Process 1864 MediaCenter.exe -
Deletes itself 1 IoCs
pid Process 1724 cmd.exe -
Loads dropped DLL 1 IoCs
pid Process 1308 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1780 PING.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 1308 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1308 wrote to memory of 1864 1308 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe 25 PID 1308 wrote to memory of 1864 1308 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe 25 PID 1308 wrote to memory of 1864 1308 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe 25 PID 1308 wrote to memory of 1864 1308 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe 25 PID 1308 wrote to memory of 1724 1308 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe 28 PID 1308 wrote to memory of 1724 1308 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe 28 PID 1308 wrote to memory of 1724 1308 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe 28 PID 1308 wrote to memory of 1724 1308 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe 28 PID 1724 wrote to memory of 1780 1724 cmd.exe 30 PID 1724 wrote to memory of 1780 1724 cmd.exe 30 PID 1724 wrote to memory of 1780 1724 cmd.exe 30 PID 1724 wrote to memory of 1780 1724 cmd.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe"C:\Users\Admin\AppData\Local\Temp\bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:1864
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:1780
-
-