Analysis
  max time kernel:  140s
  max time network: 147s
  platform:         windows7_x64
  resource:         win7-20231215-en
  resource tags:    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted:        19-12-2023 17:08

  Static task:     static1
  Behavioral task: behavioral1
    Sample:   65d4ab7652d5f4a306e511f723e336fb.exe
    Resource: win7-20231215-en
  Behavioral task: behavioral2
    Sample:   65d4ab7652d5f4a306e511f723e336fb.exe
    Resource: win10v2004-20231215-en
General
  Target: 65d4ab7652d5f4a306e511f723e336fb.exe
  Size:   35KB
  MD5:    65d4ab7652d5f4a306e511f723e336fb
  SHA1:   bc25a2ca1acfdd19d7e407e2d6bf527d5068f2a2
  SHA256: 3495c80437180450e22a75f6931ad3d70ad78ea19b458f961461d7e8e041165b
  SHA512: aa07f9a451d471272915c0469fe3419a2143be09de26bb5776c8e42bc161e67e2402494cbe0c21acbe2a590197cce4cceab95bed6e3762f027d5a83861976420
  SSDEEP: 768:lwbYGCv4nuEcJpQK4TQbtKvXwXgA9lJJea+yGCJQqeWnAEv2647Do:lwbYP4nuEApQK4TQbtY2gA9DX+ytBO6
Malware Config

Signatures
  Sakula payload (4 IoCs)
    Processes:
      resource                                                                      yara_rule
      behavioral1/memory/2300-11-0x0000000000400000-0x000000000041A000-memory.dmp   family_sakula
      behavioral1/memory/1128-12-0x0000000000400000-0x000000000041A000-memory.dmp   family_sakula
      behavioral1/memory/1128-19-0x0000000000400000-0x000000000041A000-memory.dmp   family_sakula
      behavioral1/memory/2300-24-0x0000000000400000-0x000000000041A000-memory.dmp   family_sakula

  Deletes itself (1 IoCs)
    Processes:
      pid   process
      2704  cmd.exe

  Executes dropped EXE (1 IoCs)
    Processes:
      pid   process
      2300  MediaCenter.exe

  Loads dropped DLL (2 IoCs)
    Processes:
      pid   process
      1128  65d4ab7652d5f4a306e511f723e336fb.exe
      1128  65d4ab7652d5f4a306e511f723e336fb.exe

  Adds Run key to start application (2 TTPs, 1 IoCs)
    Processes:
      description: Set value (str)
      ioc:         \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
      process:     65d4ab7652d5f4a306e511f723e336fb.exe

  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).

  Runs ping.exe (1 TTPs, 1 IoCs)

  Suspicious use of AdjustPrivilegeToken (1 IoCs)
    Processes:
      description: Token: SeIncBasePriorityPrivilege
      pid:         1128
      process:     65d4ab7652d5f4a306e511f723e336fb.exe

  Suspicious use of WriteProcessMemory (12 IoCs)
    Processes:
      description                        pid   process                               target process
      PID 1128 wrote to memory of 2300   1128  65d4ab7652d5f4a306e511f723e336fb.exe  MediaCenter.exe
      PID 1128 wrote to memory of 2300   1128  65d4ab7652d5f4a306e511f723e336fb.exe  MediaCenter.exe
      PID 1128 wrote to memory of 2300   1128  65d4ab7652d5f4a306e511f723e336fb.exe  MediaCenter.exe
      PID 1128 wrote to memory of 2300   1128  65d4ab7652d5f4a306e511f723e336fb.exe  MediaCenter.exe
      PID 1128 wrote to memory of 2704   1128  65d4ab7652d5f4a306e511f723e336fb.exe  cmd.exe
      PID 1128 wrote to memory of 2704   1128  65d4ab7652d5f4a306e511f723e336fb.exe  cmd.exe
      PID 1128 wrote to memory of 2704   1128  65d4ab7652d5f4a306e511f723e336fb.exe  cmd.exe
      PID 1128 wrote to memory of 2704   1128  65d4ab7652d5f4a306e511f723e336fb.exe  cmd.exe
      PID 2704 wrote to memory of 2608   2704  cmd.exe                               PING.EXE
      PID 2704 wrote to memory of 2608   2704  cmd.exe                               PING.EXE
      PID 2704 wrote to memory of 2608   2704  cmd.exe                               PING.EXE
      PID 2704 wrote to memory of 2608   2704  cmd.exe                               PING.EXE
Processes
  [depth 1] C:\Users\Admin\AppData\Local\Temp\65d4ab7652d5f4a306e511f723e336fb.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\65d4ab7652d5f4a306e511f723e336fb.exe"
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1128

    [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        - Executes dropped EXE
        PID: 2300

    [depth 2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\65d4ab7652d5f4a306e511f723e336fb.exe"
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        PID: 2704

      [depth 3] C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 2608
Network
MITRE ATT&CK Enterprise v15
Downloads
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Filesize: 35KB
    MD5:      f1146b8022f5efd39b578d47e3958081
    SHA1:     3c0e7bcce56b4d5e62f3afa8ee004b34e8365d12
    SHA256:   fcd957cc2a194b92d6fa83b1056fadbc06a9d87e801b36ccd605a5900684cf52
    SHA512:   c8e63084612624ca09a3de1a6778ad425e90573897cce1000c0ae3913591686b55f59c54bdfa6ae76504d97d8acdde7d18f0909b7951623ccaceaf7386d42f12

  memory/1128-9-0x0000000000220000-0x000000000023A000-memory.dmp
    Filesize: 104KB

  memory/1128-10-0x0000000000220000-0x000000000023A000-memory.dmp
    Filesize: 104KB

  memory/1128-0-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB

  memory/1128-12-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB

  memory/1128-16-0x0000000000220000-0x000000000023A000-memory.dmp
    Filesize: 104KB

  memory/1128-19-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB

  memory/2300-11-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB

  memory/2300-24-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB