Analysis
- max time kernel: 117s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 20-12-2023 14:25
Behavioral task: behavioral1
- Sample: c6a39b44ecdb5f32e9b9081ce3556ab5.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: c6a39b44ecdb5f32e9b9081ce3556ab5.exe
- Resource: win10v2004-20231215-en
General
- Target: c6a39b44ecdb5f32e9b9081ce3556ab5.exe
- Size: 321KB
- MD5: c6a39b44ecdb5f32e9b9081ce3556ab5
- SHA1: 0a26d32fcb9ccad529df099652a4bdee5457942a
- SHA256: f04d0a101eb79d7d065c7921fa22849b8f060bde7ae350b0746d422f5eb99b73
- SHA512: b5fe29fb559d3c2939ffe4ec7932705001f46f832818fab56fdb3b11f8fb55afc3430fab12a8fcc982fbd1b88c60ed950c18782c374492b84f1eb4925cd83169
- SSDEEP: 1536:aoaj1hJL1S9t0MIeboal8bCKxo7h0RP0jwHVz30rtroZeBsCXKTnhxJv:F0hpgz6xGhTjwHN30BE8BsZhX
Malware Config
Signatures
- Sakula payload 1 IoCs
  Processes:
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  yara_rule: family_sakula
- Deletes itself 1 IoCs
  Processes:
  pid: 2680
  process: cmd.exe
- Executes dropped EXE 1 IoCs
  Processes:
  pid: 1564
  process: MediaCenter.exe
- Loads dropped DLL 2 IoCs
  Processes:
  pid   process
  1708  c6a39b44ecdb5f32e9b9081ce3556ab5.exe
  1708  c6a39b44ecdb5f32e9b9081ce3556ab5.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  process: c6a39b44ecdb5f32e9b9081ce3556ab5.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
  description: Token: SeIncBasePriorityPrivilege
  pid: 1708
  process: c6a39b44ecdb5f32e9b9081ce3556ab5.exe
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes:
  description                       pid   process                               target process
  PID 1708 wrote to memory of 1564  1708  c6a39b44ecdb5f32e9b9081ce3556ab5.exe  MediaCenter.exe
  PID 1708 wrote to memory of 1564  1708  c6a39b44ecdb5f32e9b9081ce3556ab5.exe  MediaCenter.exe
  PID 1708 wrote to memory of 1564  1708  c6a39b44ecdb5f32e9b9081ce3556ab5.exe  MediaCenter.exe
  PID 1708 wrote to memory of 1564  1708  c6a39b44ecdb5f32e9b9081ce3556ab5.exe  MediaCenter.exe
  PID 1708 wrote to memory of 2680  1708  c6a39b44ecdb5f32e9b9081ce3556ab5.exe  cmd.exe
  PID 1708 wrote to memory of 2680  1708  c6a39b44ecdb5f32e9b9081ce3556ab5.exe  cmd.exe
  PID 1708 wrote to memory of 2680  1708  c6a39b44ecdb5f32e9b9081ce3556ab5.exe  cmd.exe
  PID 1708 wrote to memory of 2680  1708  c6a39b44ecdb5f32e9b9081ce3556ab5.exe  cmd.exe
  PID 2680 wrote to memory of 2708  2680  cmd.exe                               PING.EXE
  PID 2680 wrote to memory of 2708  2680  cmd.exe                               PING.EXE
  PID 2680 wrote to memory of 2708  2680  cmd.exe                               PING.EXE
  PID 2680 wrote to memory of 2708  2680  cmd.exe                               PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\c6a39b44ecdb5f32e9b9081ce3556ab5.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c6a39b44ecdb5f32e9b9081ce3556ab5.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1708
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1564
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\c6a39b44ecdb5f32e9b9081ce3556ab5.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 2680
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2708
Network
MITRE ATT&CK Enterprise v15
Downloads
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 321KB
  MD5: a84476c29a22c2bc517e4f232e5ea109
  SHA1: 0238fb4453cbba476c1a19bcdb17f4486c838aa0
  SHA256: 9b4a031acacc4e06675287cde97263b3a2d04dd3378b00398f98f1943490c21d
  SHA512: f21fd490eab596e16b5813b6a766b4cff72d66d7a0a5bf20355558fa282edb5ee5895fd7dbc1dce62cec91cfbba8946f781c1eb1b8a32eee87cf29bbfc412792