Analysis
-
max time kernel
132s -
max time network
134s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
22-09-2021 13:24
Static task
static1
Behavioral task
behavioral1
Sample
bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe
Resource
win10v20210408
General
-
Target
bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe
-
Size
150KB
-
MD5
9640c0c25e279327d12a52a5e596724d
-
SHA1
81efd5b75ec8e7e4fc5a063a2ab26bb1e21f8b4c
-
SHA256
bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348
-
SHA512
eda7bc138ce9656e80e4aa27990c1275795a92dac4fd7c93f8cb594e31b066bf1751fa7640b75db0f71986cf35beb324822959d679cfd1b6d0102d6e79f94bf7
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 672 MediaCenter.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exedescription pid process Token: SeIncBasePriorityPrivilege 604 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.execmd.exedescription pid process target process PID 604 wrote to memory of 672 604 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe MediaCenter.exe PID 604 wrote to memory of 672 604 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe MediaCenter.exe PID 604 wrote to memory of 672 604 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe MediaCenter.exe PID 604 wrote to memory of 1124 604 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe cmd.exe PID 604 wrote to memory of 1124 604 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe cmd.exe PID 604 wrote to memory of 1124 604 bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe cmd.exe PID 1124 wrote to memory of 1376 1124 cmd.exe PING.EXE PID 1124 wrote to memory of 1376 1124 cmd.exe PING.EXE PID 1124 wrote to memory of 1376 1124 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe"C:\Users\Admin\AppData\Local\Temp\bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe"1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\bf3b720b594dffc9beaf98e51f00f7c05fdde0a4ef554eb54611d8497b185348.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
3950c1257b748c88d59da52eb30da835
SHA11452a51b66b2b5f6bd2a360859837cc363f12f28
SHA2565199fb482f75b7b988714ba09512566a51ea0fc1171d2976541e8c5c0499b5b6
SHA512b56ee018e502683b98c3eb9d5b4c079ee29e476047c9060b2615b69f6f48f04ad9ece8a5bde1610cdae5a1a3aa83e5f6db852b4950d40002489999b0fd003e02
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
3950c1257b748c88d59da52eb30da835
SHA11452a51b66b2b5f6bd2a360859837cc363f12f28
SHA2565199fb482f75b7b988714ba09512566a51ea0fc1171d2976541e8c5c0499b5b6
SHA512b56ee018e502683b98c3eb9d5b4c079ee29e476047c9060b2615b69f6f48f04ad9ece8a5bde1610cdae5a1a3aa83e5f6db852b4950d40002489999b0fd003e02
-
memory/672-114-0x0000000000000000-mapping.dmp
-
memory/1124-117-0x0000000000000000-mapping.dmp
-
memory/1376-118-0x0000000000000000-mapping.dmp