Analysis Overview
SHA256
c8d256633a89c310ecbc4288105534f21d4f1df31b08da061cd9e47bdf724a51
Threat Level: Known bad
The file c8d256633a89c310ecbc4288105534f21d4f1df31b08da061cd9e47bdf724a51.exe was found to be: Known bad.
Malicious Activity Summary
Sakula payload
Sakula family
Sakula
Executes dropped EXE
Deletes itself
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-21 10:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-21 10:55
Reported
2024-11-21 10:58
Platform
win7-20240903-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
Sakula
Sakula family
Sakula payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c8d256633a89c310ecbc4288105534f21d4f1df31b08da061cd9e47bdf724a51.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c8d256633a89c310ecbc4288105534f21d4f1df31b08da061cd9e47bdf724a51.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\c8d256633a89c310ecbc4288105534f21d4f1df31b08da061cd9e47bdf724a51.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c8d256633a89c310ecbc4288105534f21d4f1df31b08da061cd9e47bdf724a51.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c8d256633a89c310ecbc4288105534f21d4f1df31b08da061cd9e47bdf724a51.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c8d256633a89c310ecbc4288105534f21d4f1df31b08da061cd9e47bdf724a51.exe
"C:\Users\Admin\AppData\Local\Temp\c8d256633a89c310ecbc4288105534f21d4f1df31b08da061cd9e47bdf724a51.exe"
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\c8d256633a89c310ecbc4288105534f21d4f1df31b08da061cd9e47bdf724a51.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | citrix.vipreclod.com | udp |
| TH | 184.22.175.13:80 | | tcp |
| TH | 184.22.175.13:80 | | tcp |
| TH | 184.22.175.13:80 | | tcp |
Files
memory/2128-0-0x0000000000400000-0x000000000041A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | eb6cfe8fba073f320cd523ad33da19db |
| SHA1 | c704b2a2de6ffbc4a0c9103d86ae6a4acda967b6 |
| SHA256 | c68a75ceab71321cfe7ad17ac6040c1264bb525101ee71c65f048914c2d85a3d |
| SHA512 | e288cddc466e12b340d8974c08ff6968ba3850404488f63f11a0890bee4add8c3f7132a7355861815ea8b49afdfb60abbf631cdf263069851ae225501adca5d5 |
memory/2244-11-0x0000000000400000-0x000000000041A000-memory.dmp
memory/2128-10-0x00000000002A0000-0x00000000002BA000-memory.dmp
memory/2128-9-0x00000000002A0000-0x00000000002BA000-memory.dmp
memory/2128-12-0x0000000000400000-0x000000000041A000-memory.dmp
memory/2128-13-0x00000000002A0000-0x00000000002BA000-memory.dmp
memory/2244-15-0x0000000000400000-0x000000000041A000-memory.dmp
memory/2128-14-0x00000000002A0000-0x00000000002BA000-memory.dmp
memory/2128-23-0x00000000002A0000-0x00000000002BA000-memory.dmp
memory/2128-22-0x0000000000400000-0x000000000041A000-memory.dmp
memory/2244-28-0x0000000000400000-0x000000000041A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-21 10:55
Reported
2024-11-21 10:58
Platform
win10v2004-20241007-en
Max time kernel
30s
Max time network
142s
Command Line
Signatures
Sakula
Sakula family
Sakula payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\c8d256633a89c310ecbc4288105534f21d4f1df31b08da061cd9e47bdf724a51.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c8d256633a89c310ecbc4288105534f21d4f1df31b08da061cd9e47bdf724a51.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c8d256633a89c310ecbc4288105534f21d4f1df31b08da061cd9e47bdf724a51.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1080 wrote to memory of 3448 | N/A | C:\Users\Admin\AppData\Local\Temp\c8d256633a89c310ecbc4288105534f21d4f1df31b08da061cd9e47bdf724a51.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe |
| PID 1080 wrote to memory of 3448 | N/A | C:\Users\Admin\AppData\Local\Temp\c8d256633a89c310ecbc4288105534f21d4f1df31b08da061cd9e47bdf724a51.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe |
| PID 1080 wrote to memory of 3448 | N/A | C:\Users\Admin\AppData\Local\Temp\c8d256633a89c310ecbc4288105534f21d4f1df31b08da061cd9e47bdf724a51.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c8d256633a89c310ecbc4288105534f21d4f1df31b08da061cd9e47bdf724a51.exe
"C:\Users\Admin\AppData\Local\Temp\c8d256633a89c310ecbc4288105534f21d4f1df31b08da061cd9e47bdf724a51.exe"
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\c8d256633a89c310ecbc4288105534f21d4f1df31b08da061cd9e47bdf724a51.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | citrix.vipreclod.com | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | citrix.vipreclod.com | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | citrix.vipreclod.com | udp |
| US | 8.8.8.8:53 | citrix.vipreclod.com | udp |
| TH | 184.22.175.13:80 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| TH | 184.22.175.13:80 | | tcp |
Files
memory/1080-0-0x0000000000400000-0x000000000041A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | 982528c03d15e2d89ac05c9bd1098cc8 |
| SHA1 | f2c1483108147e61e54394f54ded615f19bcce7a |
| SHA256 | 82b19f9ef5baae0f69da4ce60801b530089c3e0b5ea9ed0ef745ce20d7de2389 |
| SHA512 | 65f0c9e2fbd70b49784686469a1a5672bd8f3a8aac0211ae17c9ee25a127a6f2785a0f11598af746c58eca9c5739eb3d04e2481f7b06dc2468d501affb4acad6 |
memory/1080-5-0x0000000000400000-0x000000000041A000-memory.dmp
memory/3448-7-0x0000000000400000-0x000000000041A000-memory.dmp
memory/1080-12-0x0000000000400000-0x000000000041A000-memory.dmp
memory/3448-17-0x0000000000400000-0x000000000041A000-memory.dmp