sakula | 4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2

General

Target

4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe
Size

137KB
MD5

3f0ba1cd12bab7ba5875d1b02e45dfcf
SHA1

a5dfa8bbf1643274d0ef0902626172019173bf52
SHA256

4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2
SHA512

c221fb23fc92a4d2550defcaea6f422a33e7035506ede6b0193ebc10aab5561e08c8bb7fe38852faf8996e954c6c17e2b66b4600db92e5e5be83d9d79f233884

Score

10^/10

sakula persistence rat trojan upx

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MicroSoftSecurityLogin.ocx	acprotect
\Users\Admin\AppData\Local\Temp\MicroMedia\MicroSoftSecurityLogin.ocx	acprotect

Drops file in Drivers directory 1 IoCs

Processes:

MediaCenter.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts MediaCenter.exe
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1052 MediaCenter.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	MediaCenter.exe

pid	process
1052	MediaCenter.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MicroSoftSecurityLogin.ocx	upx
\Users\Admin\AppData\Local\Temp\MicroMedia\MicroSoftSecurityLogin.ocx	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

560 cmd.exe

pid	process
560	cmd.exe

Loads dropped DLL 3 IoCs

Processes:

4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exeregsvr32.exe

pid	process
612	4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe
612	4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe
548	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MediaCenter.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	MediaCenter.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{623BF701-D62F-4D1D-BBF8-88A84101DA38}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SECURE.SecureCtrl.1\CLSID\ = "{9A2AA809-5F01-456E-883F-F37C1513FEF7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\MiscStatus\1\ = "132241"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\Control\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}\TypeLib\ = "{623BF701-D62F-4D1D-BBF8-88A84101DA38}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}\ = "_DSecureEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ECC23E8-41D6-492E-BFF6-8551E11CF286}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{623BF701-D62F-4D1D-BBF8-88A84101DA38}\1.0\FLAGS\ = "2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{623BF701-D62F-4D1D-BBF8-88A84101DA38}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{623BF701-D62F-4D1D-BBF8-88A84101DA38}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MicroSoftSecurityLogin.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{623BF701-D62F-4D1D-BBF8-88A84101DA38}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\TypeLib\ = "{623BF701-D62F-4D1D-BBF8-88A84101DA38}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}\TypeLib\ = "{623BF701-D62F-4D1D-BBF8-88A84101DA38}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SECURE.SecureCtrl.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ECC23E8-41D6-492E-BFF6-8551E11CF286}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MICROM~1\\MICROS~1.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SECURE.SecureCtrl.1\ = "Secure Control"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}\TypeLib\ = "{623BF701-D62F-4D1D-BBF8-88A84101DA38}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ECC23E8-41D6-492E-BFF6-8551E11CF286}\ = "Secure Property Page"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SECURE.SecureCtrl.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}\ = "_DSecureEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{623BF701-D62F-4D1D-BBF8-88A84101DA38}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}\ = "_DSecure"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\ProgID\ = "SECURE.SecureCtrl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MICROM~1\\MICROS~1.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}\ = "_DSecure"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}\TypeLib\ = "{623BF701-D62F-4D1D-BBF8-88A84101DA38}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MICROM~1\\MICROS~1.OCX, 1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ECC23E8-41D6-492E-BFF6-8551E11CF286}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\ = "Secure Control"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{623BF701-D62F-4D1D-BBF8-88A84101DA38}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{623BF701-D62F-4D1D-BBF8-88A84101DA38}\1.0\ = "secure ActiveX Control module"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{623BF701-D62F-4D1D-BBF8-88A84101DA38}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{623BF701-D62F-4D1D-BBF8-88A84101DA38}\1.0\HELPDIR	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe

description pid process

Token: SeIncBasePriorityPrivilege 612 4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	612	4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exeMediaCenter.exe

description	pid	process	target process
PID 612 wrote to memory of 1052	612	4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe	MediaCenter.exe
PID 612 wrote to memory of 1052	612	4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe	MediaCenter.exe
PID 612 wrote to memory of 1052	612	4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe	MediaCenter.exe
PID 612 wrote to memory of 1052	612	4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe	MediaCenter.exe
PID 612 wrote to memory of 560	612	4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe	cmd.exe
PID 612 wrote to memory of 560	612	4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe	cmd.exe
PID 612 wrote to memory of 560	612	4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe	cmd.exe
PID 612 wrote to memory of 560	612	4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe	cmd.exe
PID 1052 wrote to memory of 548	1052	MediaCenter.exe	regsvr32.exe
PID 1052 wrote to memory of 548	1052	MediaCenter.exe	regsvr32.exe
PID 1052 wrote to memory of 548	1052	MediaCenter.exe	regsvr32.exe
PID 1052 wrote to memory of 548	1052	MediaCenter.exe	regsvr32.exe
PID 1052 wrote to memory of 548	1052	MediaCenter.exe	regsvr32.exe
PID 1052 wrote to memory of 548	1052	MediaCenter.exe	regsvr32.exe
PID 1052 wrote to memory of 548	1052	MediaCenter.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe
"C:\Users\Admin\AppData\Local\Temp\4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:612

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s C:\Users\Admin\AppData\Local\Temp\MicroMedia\MicroSoftSecurityLogin.ocx
3⤵
- Loads dropped DLL
- Modifies registry class
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4D21DA~1.EXE > nul
2⤵
- Deletes itself
PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
3f0ba1cd12bab7ba5875d1b02e45dfcf

SHA1
a5dfa8bbf1643274d0ef0902626172019173bf52

SHA256
4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2

SHA512
c221fb23fc92a4d2550defcaea6f422a33e7035506ede6b0193ebc10aab5561e08c8bb7fe38852faf8996e954c6c17e2b66b4600db92e5e5be83d9d79f233884

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
3f0ba1cd12bab7ba5875d1b02e45dfcf

SHA1
a5dfa8bbf1643274d0ef0902626172019173bf52

SHA256
4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2

SHA512
c221fb23fc92a4d2550defcaea6f422a33e7035506ede6b0193ebc10aab5561e08c8bb7fe38852faf8996e954c6c17e2b66b4600db92e5e5be83d9d79f233884

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MicroSoftSecurityLogin.ocx

MD5
bc99d3f41dfca74f2b40ce4d4f959af0

SHA1
ae605ef5075020dc8666d0fc29936e8eeb30d19c

SHA256
4086ae5b9737802b6a93a0466d2daf310ba80af82f52b55148b7382b83167bb5

SHA512
41feda0f3c7b781108a641211124e2e72094722ab6a011fde57498501395b38c43ab10b81be13fdc0165838453b9d02c6f472baa72f1b57bc210c83a2fcfb6b0

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
3f0ba1cd12bab7ba5875d1b02e45dfcf

SHA1
a5dfa8bbf1643274d0ef0902626172019173bf52

SHA256
4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2

SHA512
c221fb23fc92a4d2550defcaea6f422a33e7035506ede6b0193ebc10aab5561e08c8bb7fe38852faf8996e954c6c17e2b66b4600db92e5e5be83d9d79f233884

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
3f0ba1cd12bab7ba5875d1b02e45dfcf

SHA1
a5dfa8bbf1643274d0ef0902626172019173bf52

SHA256
4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2

SHA512
c221fb23fc92a4d2550defcaea6f422a33e7035506ede6b0193ebc10aab5561e08c8bb7fe38852faf8996e954c6c17e2b66b4600db92e5e5be83d9d79f233884

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MicroSoftSecurityLogin.ocx

MD5
bc99d3f41dfca74f2b40ce4d4f959af0

SHA1
ae605ef5075020dc8666d0fc29936e8eeb30d19c

SHA256
4086ae5b9737802b6a93a0466d2daf310ba80af82f52b55148b7382b83167bb5

SHA512
41feda0f3c7b781108a641211124e2e72094722ab6a011fde57498501395b38c43ab10b81be13fdc0165838453b9d02c6f472baa72f1b57bc210c83a2fcfb6b0

Download Submit
memory/612-55-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/612-56-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads