bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348

General
Target

bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe

Filesize

150KB

Completed

22-09-2021 13:29

Score
10/10
MD5

9640c0c25e279327d12a52a5e596724d

SHA1

81efd5b75ec8e7e4fc5a063a2ab26bb1e21f8b4c

SHA256

bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348

Malware Config
Signatures 12

Filter: none

Defense Evasion
Discovery
Persistence
  • Sakula

    Description

    Sakula is a remote access trojan with various capabilities.

  • Sakula Payload

    Reported IOCs

    resourceyara_rule
    behavioral1/files/0x00040000000130d3-61.datfamily_sakula
    behavioral1/files/0x00040000000130d3-63.datfamily_sakula
  • suricata: ET MALWARE SUSPICIOUS UA (iexplore)

    Description

    suricata: ET MALWARE SUSPICIOUS UA (iexplore)

    Tags

  • suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

    Description

    suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

    Tags

  • Executes dropped EXE
    MediaCenter.exe

    Reported IOCs

    pidprocess
    1864MediaCenter.exe
  • Deletes itself
    cmd.exe

    Reported IOCs

    pidprocess
    1724cmd.exe
  • Loads dropped DLL
    bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe

    Reported IOCs

    pidprocess
    1308bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe
  • Adds Run key to start application
    bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe

    TTPs

    Registry Run Keys / Startup FolderModify Registry

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Runs ping.exe
    PING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    pidprocess
    1780PING.EXE
  • Suspicious use of AdjustPrivilegeToken
    bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeIncBasePriorityPrivilege1308bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe
  • Suspicious use of WriteProcessMemory
    bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.execmd.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1308 wrote to memory of 18641308bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exeMediaCenter.exe
    PID 1308 wrote to memory of 18641308bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exeMediaCenter.exe
    PID 1308 wrote to memory of 18641308bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exeMediaCenter.exe
    PID 1308 wrote to memory of 18641308bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exeMediaCenter.exe
    PID 1308 wrote to memory of 17241308bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.execmd.exe
    PID 1308 wrote to memory of 17241308bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.execmd.exe
    PID 1308 wrote to memory of 17241308bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.execmd.exe
    PID 1308 wrote to memory of 17241308bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.execmd.exe
    PID 1724 wrote to memory of 17801724cmd.exePING.EXE
    PID 1724 wrote to memory of 17801724cmd.exePING.EXE
    PID 1724 wrote to memory of 17801724cmd.exePING.EXE
    PID 1724 wrote to memory of 17801724cmd.exePING.EXE
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe
    "C:\Users\Admin\AppData\Local\Temp\bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe"
    Loads dropped DLL
    Adds Run key to start application
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Executes dropped EXE
      PID:1864
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe"
      Deletes itself
      Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        Runs ping.exe
        PID:1780
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Privilege Escalation
                    Replay Monitor
                    00:00 00:00
                    Downloads
                    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

                      MD5

                      9e1c69bc4bff30d3a84eead5de8196ba

                      SHA1

                      772f429ff6f34678dbfd6ee6d9ef4f446a98c58c

                      SHA256

                      02fa201468ab8f2dbaa28a9004884f80e86631a2f5227c447c76935429377e48

                      SHA512

                      acb88b4598c42897f15a876a5ac9523a567e65ded6e1b40b52644a65a1bf5b3731b6b18d5efe182eef091592b0a9638253b7ae3dbfdf4fdb4eb5f347da2b78d8

                    • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

                      MD5

                      9e1c69bc4bff30d3a84eead5de8196ba

                      SHA1

                      772f429ff6f34678dbfd6ee6d9ef4f446a98c58c

                      SHA256

                      02fa201468ab8f2dbaa28a9004884f80e86631a2f5227c447c76935429377e48

                      SHA512

                      acb88b4598c42897f15a876a5ac9523a567e65ded6e1b40b52644a65a1bf5b3731b6b18d5efe182eef091592b0a9638253b7ae3dbfdf4fdb4eb5f347da2b78d8

                    • memory/1308-60-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

                    • memory/1724-65-0x0000000000000000-mapping.dmp

                    • memory/1780-66-0x0000000000000000-mapping.dmp

                    • memory/1864-62-0x0000000000000000-mapping.dmp