Analysis

max time kernel: 134s
max time network: 108s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 05-04-2023 01:17
Behavioral task: behavioral1
Sample: 07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: 07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe
Resource: win10v2004-20230220-en
General

Target: 07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe
Size: 212KB
MD5: 2318575bbff6e228b9453eeb841ba952
SHA1: 191e925300fe778355c91c14f6e95631cf94b831
SHA256: 07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710
SHA512: 8cb12fec7144cb2cad287dd34f82d92d853fb03ea2f82d795923a1c92dcf8361366f5bdfe5d7628b7cce3f5fc4aef8a185b569368aad08e4dc776667423a3b30
SSDEEP: 1536:XcQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX++pLz30rtr8gjXjp0danBj:r29DkEGRQixVSjLc330BYgjXjpDnBj
Malware Config
Extracted
sakula
www.polarroute.com
Signatures

Sakula payload (5 IoCs)
Processes:
| resource | yara_rule |
| \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula |
| C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula |
| behavioral1/memory/2004-61-0x0000000000400000-0x0000000000435000-memory.dmp | family_sakula |
| behavioral1/memory/2008-59-0x0000000000400000-0x0000000000435000-memory.dmp | family_sakula |
| behavioral1/memory/2008-62-0x0000000000400000-0x0000000000435000-memory.dmp | family_sakula |

Deletes itself (1 IoCs)
Processes:
| pid | process |
| 1736 | cmd.exe |

Executes dropped EXE (1 IoCs)
Processes:
| pid | process |
| 2004 | MediaCenter.exe |

Loads dropped DLL (1 IoCs)
Processes:
| pid | process |
| 2008 | 07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe |

Processes:
| resource | yara_rule |
| \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | upx |
| C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | upx |
| behavioral1/memory/2004-61-0x0000000000400000-0x0000000000435000-memory.dmp | upx |
| behavioral1/memory/2008-59-0x0000000000400000-0x0000000000435000-memory.dmp | upx |
| behavioral1/memory/2008-62-0x0000000000400000-0x0000000000435000-memory.dmp | upx |

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
| description | ioc | process |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe |

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
| description | pid | process |
| Token: SeIncBasePriorityPrivilege | 2008 | 07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe |

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
| description | pid | process | target process |
| PID 2008 wrote to memory of 2004 | 2008 | 07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe | MediaCenter.exe |
| PID 2008 wrote to memory of 2004 | 2008 | 07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe | MediaCenter.exe |
| PID 2008 wrote to memory of 2004 | 2008 | 07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe | MediaCenter.exe |
| PID 2008 wrote to memory of 2004 | 2008 | 07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe | MediaCenter.exe |
| PID 2008 wrote to memory of 1736 | 2008 | 07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe | cmd.exe |
| PID 2008 wrote to memory of 1736 | 2008 | 07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe | cmd.exe |
| PID 2008 wrote to memory of 1736 | 2008 | 07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe | cmd.exe |
| PID 2008 wrote to memory of 1736 | 2008 | 07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe | cmd.exe |
| PID 1736 wrote to memory of 808 | 1736 | cmd.exe | PING.EXE |
| PID 1736 wrote to memory of 808 | 1736 | cmd.exe | PING.EXE |
| PID 1736 wrote to memory of 808 | 1736 | cmd.exe | PING.EXE |
| PID 1736 wrote to memory of 808 | 1736 | cmd.exe | PING.EXE |
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize: 212KB
MD5: 63438c5280da16bff64ea033b8d722a3
SHA1: 2f64f7c24b91e8e12f9c18e51c49673103a052dd
SHA256: 9164ec236da33697f5975a361eac27bce948c14cda25583ba83e5a320e4deba6
SHA512: 56c874ba5d770d00cf7b3a51e4dc77481b4a76461a0080661468e0cfbd0f19d72cc5eaf51202131e2db3a15e243d808cdd3d72ae16d223924276e22c3146ecd1

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize: 212KB
MD5: 63438c5280da16bff64ea033b8d722a3
SHA1: 2f64f7c24b91e8e12f9c18e51c49673103a052dd
SHA256: 9164ec236da33697f5975a361eac27bce948c14cda25583ba83e5a320e4deba6
SHA512: 56c874ba5d770d00cf7b3a51e4dc77481b4a76461a0080661468e0cfbd0f19d72cc5eaf51202131e2db3a15e243d808cdd3d72ae16d223924276e22c3146ecd1

memory/2004-61-0x0000000000400000-0x0000000000435000-memory.dmp
Filesize: 212KB

memory/2008-60-0x00000000003A0000-0x00000000003D5000-memory.dmp
Filesize: 212KB

memory/2008-59-0x0000000000400000-0x0000000000435000-memory.dmp
Filesize: 212KB

memory/2008-62-0x0000000000400000-0x0000000000435000-memory.dmp
Filesize: 212KB