Analysis
- max time kernel: 142s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 20-12-2023 14:54
Static task: static1
Behavioral task: behavioral1
- Sample: ce8c1911a886bc7436a29c9cf1d3eda0.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: ce8c1911a886bc7436a29c9cf1d3eda0.exe
- Resource: win10v2004-20231215-en
General
- Target: ce8c1911a886bc7436a29c9cf1d3eda0.exe
- Size: 58KB
- MD5: ce8c1911a886bc7436a29c9cf1d3eda0
- SHA1: 6920e448daedc98b491a8e3f77e7111e6bf08e1d
- SHA256: 7cd60851cc47135d43af81f7fb8809515616c3708bb918d019ae4681155083b3
- SHA512: 349f4fec09445666e1a56f5c0a209adb93fc245632e1175a5490c2cec16a2d5efeb86047acfce4c7c895ebaa26abc551170c58923862eaf903d0bf8ecc584117
- SSDEEP: 1536:iZioIoCwbYP4nuEApQK4TQbtY2gA9DX+ytBO8c3G3eTJ/p:iEoIlwIguEA4c5DgA9DOyq0eFB
Malware Config
Signatures
- Sakula payload (4 IoCs)
  Processes (resource | yara_rule):
  - behavioral1/memory/1848-1-0x0000000000400000-0x000000000041A000-memory.dmp | family_sakula
  - behavioral1/memory/624-11-0x0000000000400000-0x000000000041A000-memory.dmp | family_sakula
  - behavioral1/memory/1848-20-0x0000000000400000-0x000000000041A000-memory.dmp | family_sakula
  - behavioral1/memory/624-25-0x0000000000400000-0x000000000041A000-memory.dmp | family_sakula
- Deletes itself (1 IoCs)
  Processes (pid | process):
  - 2568 | cmd.exe
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  - 624 | MediaCenter.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  - 1848 | ce8c1911a886bc7436a29c9cf1d3eda0.exe
  - 1848 | ce8c1911a886bc7436a29c9cf1d3eda0.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | ce8c1911a886bc7436a29c9cf1d3eda0.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  - Token: SeIncBasePriorityPrivilege | 1848 | ce8c1911a886bc7436a29c9cf1d3eda0.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  - PID 1848 wrote to memory of 624 | 1848 | ce8c1911a886bc7436a29c9cf1d3eda0.exe | MediaCenter.exe
  - PID 1848 wrote to memory of 624 | 1848 | ce8c1911a886bc7436a29c9cf1d3eda0.exe | MediaCenter.exe
  - PID 1848 wrote to memory of 624 | 1848 | ce8c1911a886bc7436a29c9cf1d3eda0.exe | MediaCenter.exe
  - PID 1848 wrote to memory of 624 | 1848 | ce8c1911a886bc7436a29c9cf1d3eda0.exe | MediaCenter.exe
  - PID 1848 wrote to memory of 2568 | 1848 | ce8c1911a886bc7436a29c9cf1d3eda0.exe | cmd.exe
  - PID 1848 wrote to memory of 2568 | 1848 | ce8c1911a886bc7436a29c9cf1d3eda0.exe | cmd.exe
  - PID 1848 wrote to memory of 2568 | 1848 | ce8c1911a886bc7436a29c9cf1d3eda0.exe | cmd.exe
  - PID 1848 wrote to memory of 2568 | 1848 | ce8c1911a886bc7436a29c9cf1d3eda0.exe | cmd.exe
  - PID 2568 wrote to memory of 2516 | 2568 | cmd.exe | PING.EXE
  - PID 2568 wrote to memory of 2516 | 2568 | cmd.exe | PING.EXE
  - PID 2568 wrote to memory of 2516 | 2568 | cmd.exe | PING.EXE
  - PID 2568 wrote to memory of 2516 | 2568 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - Executes dropped EXE
  PID: 624
- C:\Users\Admin\AppData\Local\Temp\ce8c1911a886bc7436a29c9cf1d3eda0.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ce8c1911a886bc7436a29c9cf1d3eda0.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1848
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\ce8c1911a886bc7436a29c9cf1d3eda0.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 2568
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2516
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 58KB
  MD5: 04e43dc64e33e51e3631950ae7817d95
  SHA1: 3c10a650bc2b2db3eafefe92de0b526b075c62c7
  SHA256: eee6fdd62be2622acbbd21c76ec11f2dfdc01a31f2180da7b7c4b43f44d155b9
  SHA512: 29a7292fcc22e1f606f5edb13732d872d8094df57af702a8cb1654b14253ecef7321647a30aa4f8c21f75fe3b12ccbbc23cfc1f602bba8e3371395e28c047b74