bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348

General
Target

bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe

Filesize

150KB

Completed

22-09-2021 13:29

Score
10/10
MD5

9640c0c25e279327d12a52a5e596724d

SHA1

81efd5b75ec8e7e4fc5a063a2ab26bb1e21f8b4c

SHA256

bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348

Malware Config
Signatures 10

Filter: none

Defense Evasion
Discovery
Persistence
  • Sakula

    Description

    Sakula is a remote access trojan with various capabilities.

  • Sakula Payload

    Reported IOCs

    resourceyara_rule
    behavioral2/files/0x000100000001ab42-115.datfamily_sakula
    behavioral2/files/0x000100000001ab42-116.datfamily_sakula
  • suricata: ET MALWARE SUSPICIOUS UA (iexplore)

    Description

    suricata: ET MALWARE SUSPICIOUS UA (iexplore)

    Tags

  • suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

    Description

    suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

    Tags

  • Executes dropped EXE
    MediaCenter.exe

    Reported IOCs

    pidprocess
    672MediaCenter.exe
  • Adds Run key to start application
    bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe

    TTPs

    Registry Run Keys / Startup FolderModify Registry

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Runs ping.exe
    PING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    pidprocess
    1376PING.EXE
  • Suspicious use of AdjustPrivilegeToken
    bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeIncBasePriorityPrivilege604bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe
  • Suspicious use of WriteProcessMemory
    bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.execmd.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 604 wrote to memory of 672604bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exeMediaCenter.exe
    PID 604 wrote to memory of 672604bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exeMediaCenter.exe
    PID 604 wrote to memory of 672604bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exeMediaCenter.exe
    PID 604 wrote to memory of 1124604bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.execmd.exe
    PID 604 wrote to memory of 1124604bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.execmd.exe
    PID 604 wrote to memory of 1124604bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.execmd.exe
    PID 1124 wrote to memory of 13761124cmd.exePING.EXE
    PID 1124 wrote to memory of 13761124cmd.exePING.EXE
    PID 1124 wrote to memory of 13761124cmd.exePING.EXE
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe
    "C:\Users\Admin\AppData\Local\Temp\bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe"
    Adds Run key to start application
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:604
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Executes dropped EXE
      PID:672
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe"
      Suspicious use of WriteProcessMemory
      PID:1124
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        Runs ping.exe
        PID:1376
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Privilege Escalation
                    Replay Monitor
                    00:00 00:00
                    Downloads
                    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

                      MD5

                      3950c1257b748c88d59da52eb30da835

                      SHA1

                      1452a51b66b2b5f6bd2a360859837cc363f12f28

                      SHA256

                      5199fb482f75b7b988714ba09512566a51ea0fc1171d2976541e8c5c0499b5b6

                      SHA512

                      b56ee018e502683b98c3eb9d5b4c079ee29e476047c9060b2615b69f6f48f04ad9ece8a5bde1610cdae5a1a3aa83e5f6db852b4950d40002489999b0fd003e02

                    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

                      MD5

                      3950c1257b748c88d59da52eb30da835

                      SHA1

                      1452a51b66b2b5f6bd2a360859837cc363f12f28

                      SHA256

                      5199fb482f75b7b988714ba09512566a51ea0fc1171d2976541e8c5c0499b5b6

                      SHA512

                      b56ee018e502683b98c3eb9d5b4c079ee29e476047c9060b2615b69f6f48f04ad9ece8a5bde1610cdae5a1a3aa83e5f6db852b4950d40002489999b0fd003e02

                    • memory/672-114-0x0000000000000000-mapping.dmp

                    • memory/1124-117-0x0000000000000000-mapping.dmp

                    • memory/1376-118-0x0000000000000000-mapping.dmp