Analysis
-
max time kernel
141s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2023 11:36
Behavioral task
behavioral1
Sample
15978f016058de282291cce05e394fc7.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
15978f016058de282291cce05e394fc7.exe
Resource
win10v2004-20231215-en
General
-
Target
15978f016058de282291cce05e394fc7.exe
-
Size
3.9MB
-
MD5
15978f016058de282291cce05e394fc7
-
SHA1
500b3f5d840422651d20ff1189baa8f30957f1e6
-
SHA256
f5e1b3bcf04e4100a069bc84dd092d7fd7c9bb92efd8f34525651d63a5c8967a
-
SHA512
498657589d32430084a137edf3eadf70d162391f5d4dae89f7598a3cb5e56b48cefdc98d36abd014a1ca3cc75f563cb74e6dd3ccae7b79661bef60379049e2a3
-
SSDEEP
24576:j0Xx/6oTNa1h3Qh3O+ZrIb1Eu8CTPq30pYZMmjjTjuSE5DBMYL:j+5TY76HZ68kQ0paMmjjTjzeaYL
Malware Config
Signatures
-
Sakula payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe family_sakula -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
15978f016058de282291cce05e394fc7.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation 15978f016058de282291cce05e394fc7.exe -
Executes dropped EXE 1 IoCs
Processes:
MediaCenter.exepid process 3040 MediaCenter.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
15978f016058de282291cce05e394fc7.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 15978f016058de282291cce05e394fc7.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
15978f016058de282291cce05e394fc7.exedescription pid process Token: SeIncBasePriorityPrivilege 2716 15978f016058de282291cce05e394fc7.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
15978f016058de282291cce05e394fc7.execmd.exedescription pid process target process PID 2716 wrote to memory of 3040 2716 15978f016058de282291cce05e394fc7.exe MediaCenter.exe PID 2716 wrote to memory of 3040 2716 15978f016058de282291cce05e394fc7.exe MediaCenter.exe PID 2716 wrote to memory of 3040 2716 15978f016058de282291cce05e394fc7.exe MediaCenter.exe PID 2716 wrote to memory of 2404 2716 15978f016058de282291cce05e394fc7.exe cmd.exe PID 2716 wrote to memory of 2404 2716 15978f016058de282291cce05e394fc7.exe cmd.exe PID 2716 wrote to memory of 2404 2716 15978f016058de282291cce05e394fc7.exe cmd.exe PID 2404 wrote to memory of 4060 2404 cmd.exe PING.EXE PID 2404 wrote to memory of 4060 2404 cmd.exe PING.EXE PID 2404 wrote to memory of 4060 2404 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\15978f016058de282291cce05e394fc7.exe"C:\Users\Admin\AppData\Local\Temp\15978f016058de282291cce05e394fc7.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15978f016058de282291cce05e394fc7.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:4060
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeFilesize
2.6MB
MD52ba836080ef5f625afda150059fec810
SHA1e9c272a1a34e338509388ec3894957c96c967c8f
SHA256e0ac09df967490f439d3d68d0dbff490699d13caf08ebf9efd37adfabbdbdc92
SHA5124df4a6ebb97dd686e483861b5854abb97dc8f0ba53fd4ea8cee4bd82aa91b6a7c54e6deee900b6b6c6c294bd48582feeb5d8cee9b3807d4d7be47f1393ec31b3
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeFilesize
3.1MB
MD54daa87df0fd878b2d92dbd041a3a4bc5
SHA1eea33dcd2efdc80cea4f827c99f95b0960e73cef
SHA256169c7d2d6bfd0f3ce17830433fe518f2d9d663775fa4046b9ddfa4c0e6dc2922
SHA512b5b64749f219dd5bf1cbf975cbea2edb8bb8c3cd26072928193db08ec18c5456e040c9de9f92f13372ce2f674a8aa0830da6b71d57ea448492782e802397c05e