Analysis
- max time kernel: 144s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 19-12-2023 21:54
Behavioral task behavioral1
- Sample: ad71a9ef02733c8507056b82aa3d54ed.exe
- Resource: win7-20231129-en
Behavioral task behavioral2
- Sample: ad71a9ef02733c8507056b82aa3d54ed.exe
- Resource: win10v2004-20231215-en
General
- Target: ad71a9ef02733c8507056b82aa3d54ed.exe
- Size: 79KB
- MD5: ad71a9ef02733c8507056b82aa3d54ed
- SHA1: fdcfd7a9b31daa3b06815c0aa8ebc4e8732fd269
- SHA256: 1aed112100ecb52dbe26f299139d0d02a31b6bc184abeb37568c6d247c19ce3c
- SHA512: 2673f62fe670083b052a998573d258b43bef365e91f6cfa548f3a3e2be020a3ab8ceb9c8266554cb5910792cbca0fb825bb16d0945c9ce8d6f9d00a5c713da10
- SSDEEP: 1536:Zoaj1hJL1S9t0MIeboal8bCKxo7h0RP0jwHVz30rtro8:K0hpgz6xGhTjwHN30BE8
Malware Config
Signatures
- Sakula payload (1 IoC)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
- Deletes itself (1 IoC)
  Processes (cmd.exe):
  pid | process
  2664 | cmd.exe
- Executes dropped EXE (1 IoC)
  Processes (MediaCenter.exe):
  pid | process
  1884 | MediaCenter.exe
- Loads dropped DLL (2 IoCs)
  Processes (ad71a9ef02733c8507056b82aa3d54ed.exe):
  pid | process
  2224 | ad71a9ef02733c8507056b82aa3d54ed.exe
  2224 | ad71a9ef02733c8507056b82aa3d54ed.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (ad71a9ef02733c8507056b82aa3d54ed.exe):
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | ad71a9ef02733c8507056b82aa3d54ed.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (ad71a9ef02733c8507056b82aa3d54ed.exe):
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 2224 | ad71a9ef02733c8507056b82aa3d54ed.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (ad71a9ef02733c8507056b82aa3d54ed.exe, cmd.exe):
  description | pid | process | target process
  PID 2224 wrote to memory of 1884 | 2224 | ad71a9ef02733c8507056b82aa3d54ed.exe | MediaCenter.exe
  PID 2224 wrote to memory of 1884 | 2224 | ad71a9ef02733c8507056b82aa3d54ed.exe | MediaCenter.exe
  PID 2224 wrote to memory of 1884 | 2224 | ad71a9ef02733c8507056b82aa3d54ed.exe | MediaCenter.exe
  PID 2224 wrote to memory of 1884 | 2224 | ad71a9ef02733c8507056b82aa3d54ed.exe | MediaCenter.exe
  PID 2224 wrote to memory of 2664 | 2224 | ad71a9ef02733c8507056b82aa3d54ed.exe | cmd.exe
  PID 2224 wrote to memory of 2664 | 2224 | ad71a9ef02733c8507056b82aa3d54ed.exe | cmd.exe
  PID 2224 wrote to memory of 2664 | 2224 | ad71a9ef02733c8507056b82aa3d54ed.exe | cmd.exe
  PID 2224 wrote to memory of 2664 | 2224 | ad71a9ef02733c8507056b82aa3d54ed.exe | cmd.exe
  PID 2664 wrote to memory of 2724 | 2664 | cmd.exe | PING.EXE
  PID 2664 wrote to memory of 2724 | 2664 | cmd.exe | PING.EXE
  PID 2664 wrote to memory of 2724 | 2664 | cmd.exe | PING.EXE
  PID 2664 wrote to memory of 2724 | 2664 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\ad71a9ef02733c8507056b82aa3d54ed.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad71a9ef02733c8507056b82aa3d54ed.exe"
  PID: 2224
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 1884
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\ad71a9ef02733c8507056b82aa3d54ed.exe"
    PID: 2664
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 2724
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 79KB
  MD5: 97fd3d985b618a7076a3955942eac48b
  SHA1: 40624774b2ecb92d9401f4324c575d79425f48ff
  SHA256: 1309835317e183eb30404dab5c07746b00816c5067668cf886b786d41c6d94b5
  SHA512: f17e72b8ee7e7a6dc5d42884ac2c175b714f580ece895f18fb9937ad1d153a84f801e4c4c6170c38656dc489994bbfe2117519b581a7a46d900ebb7f27135cfc