Analysis
- max time kernel: 111s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/01/2025, 09:26
Behavioral task: behavioral1
- Sample: 828fe990bf5f2a6bc95e105b306ddc922d08ec558ccc622c842687686aae88e5.exe
- Resource: win7-20241010-en
General
- Target: 828fe990bf5f2a6bc95e105b306ddc922d08ec558ccc622c842687686aae88e5.exe
- Size: 43KB
- MD5: 91f7ac93c9f17621e40244f38750f346
- SHA1: 534779a8c74ea87b773781302e2b9b9e4f2fe0c1
- SHA256: 828fe990bf5f2a6bc95e105b306ddc922d08ec558ccc622c842687686aae88e5
- SHA512: 8c5346b30dac6cf31750f3d63769aaca6b8dd2945f4ddb736f96d6ed0f81a89255e752dc1d161b825f0e92d4c11047748cd7d1e875ec011ac87d256b3ea4dd1f
- SSDEEP: 768:+U9XnKJv8KrtPNxT4oreP7cIK3yQpdk6x8pf9m4P/S0hVvIZiGDZ6RO8nHE8taqa:+U9abrtX4oocIK3yQkaY9z/S0hhy6k8U
Malware Config
Signatures
- Sakula family

- Sakula payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/2076-6-0x0000000000480000-0x000000000049F000-memory.dmp | family_sakula
  behavioral2/memory/1016-8-0x0000000000F50000-0x0000000000F6F000-memory.dmp | family_sakula
  behavioral2/memory/2076-14-0x0000000000480000-0x000000000049F000-memory.dmp | family_sakula
  behavioral2/memory/1016-18-0x0000000000F50000-0x0000000000F6F000-memory.dmp | family_sakula

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | 828fe990bf5f2a6bc95e105b306ddc922d08ec558ccc622c842687686aae88e5.exe

- Executes dropped EXE (1 IoCs)
  pid | Process
  1016 | MediaCenter.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 828fe990bf5f2a6bc95e105b306ddc922d08ec558ccc622c842687686aae88e5.exe

- UPX-matched resources (yara_rule: upx, 7 IoCs)
  resource | yara_rule
  behavioral2/memory/2076-0-0x0000000000480000-0x000000000049F000-memory.dmp | upx
  behavioral2/files/0x0009000000023c59-3.dat | upx
  behavioral2/memory/1016-4-0x0000000000F50000-0x0000000000F6F000-memory.dmp | upx
  behavioral2/memory/2076-6-0x0000000000480000-0x000000000049F000-memory.dmp | upx
  behavioral2/memory/1016-8-0x0000000000F50000-0x0000000000F6F000-memory.dmp | upx
  behavioral2/memory/2076-14-0x0000000000480000-0x000000000049F000-memory.dmp | upx
  behavioral2/memory/1016-18-0x0000000000F50000-0x0000000000F6F000-memory.dmp | upx

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 828fe990bf5f2a6bc95e105b306ddc922d08ec558ccc622c842687686aae88e5.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MediaCenter.exe

- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  3988 | cmd.exe
  4552 | PING.EXE

- Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  4552 | PING.EXE

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeIncBasePriorityPrivilege | 2076 | 828fe990bf5f2a6bc95e105b306ddc922d08ec558ccc622c842687686aae88e5.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 2076 wrote to memory of 1016 | 2076 | 828fe990bf5f2a6bc95e105b306ddc922d08ec558ccc622c842687686aae88e5.exe | 83
  PID 2076 wrote to memory of 1016 | 2076 | 828fe990bf5f2a6bc95e105b306ddc922d08ec558ccc622c842687686aae88e5.exe | 83
  PID 2076 wrote to memory of 1016 | 2076 | 828fe990bf5f2a6bc95e105b306ddc922d08ec558ccc622c842687686aae88e5.exe | 83
  PID 2076 wrote to memory of 3988 | 2076 | 828fe990bf5f2a6bc95e105b306ddc922d08ec558ccc622c842687686aae88e5.exe | 99
  PID 2076 wrote to memory of 3988 | 2076 | 828fe990bf5f2a6bc95e105b306ddc922d08ec558ccc622c842687686aae88e5.exe | 99
  PID 2076 wrote to memory of 3988 | 2076 | 828fe990bf5f2a6bc95e105b306ddc922d08ec558ccc622c842687686aae88e5.exe | 99
  PID 3988 wrote to memory of 4552 | 3988 | cmd.exe | 101
  PID 3988 wrote to memory of 4552 | 3988 | cmd.exe | 101
  PID 3988 wrote to memory of 4552 | 3988 | cmd.exe | 101
Processes
- C:\Users\Admin\AppData\Local\Temp\828fe990bf5f2a6bc95e105b306ddc922d08ec558ccc622c842687686aae88e5.exe (PID: 2076)
  Command line: "C:\Users\Admin\AppData\Local\Temp\828fe990bf5f2a6bc95e105b306ddc922d08ec558ccc622c842687686aae88e5.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID: 1016)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

  - C:\Windows\SysWOW64\cmd.exe (PID: 3988)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\828fe990bf5f2a6bc95e105b306ddc922d08ec558ccc622c842687686aae88e5.exe"
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\PING.EXE (PID: 4552)
      Command line: ping 127.0.0.1
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
Downloads
- Filesize: 43KB
  MD5: 37eea3c08477097be9e3dc872fde0920
  SHA1: 15e97f318a8fe0110d1b8c308aeae75c538f7f52
  SHA256: c8e5643b2bf5f2761a81c3ee16b68d785d6a840fdc7e1a7b8ad71e43cd71da1e
  SHA512: 3df0d0155de90983de7c3eea09dc5bc70a8885b7480ddb59b07c642c64ea7cb523af6a37c2a026b7667c2dc35cc855c92fef4565891b9ba0ac27bb3c1a14c64e