Analysis
max time kernel: 125s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-04-2023 01:17
Behavioral task behavioral1
Sample: 07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe
Resource: win7-20230220-en
Behavioral task behavioral2
Sample: 07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe
Resource: win10v2004-20230220-en
General
Target: 07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe
Size: 212KB
MD5: 2318575bbff6e228b9453eeb841ba952
SHA1: 191e925300fe778355c91c14f6e95631cf94b831
SHA256: 07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710
SHA512: 8cb12fec7144cb2cad287dd34f82d92d853fb03ea2f82d795923a1c92dcf8361366f5bdfe5d7628b7cce3f5fc4aef8a185b569368aad08e4dc776667423a3b30
SSDEEP: 1536:XcQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX++pLz30rtr8gjXjp0danBj:r29DkEGRQixVSjLc330BYgjXjpDnBj
Malware Config
Extracted
Family: sakula
C2: www.polarroute.com
Signatures
Sakula payload 7 IoCs
resource  yara_rule
behavioral2/memory/4188-133-0x0000000000400000-0x0000000000435000-memory.dmp  family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  family_sakula
behavioral2/memory/1596-138-0x0000000000400000-0x0000000000435000-memory.dmp  family_sakula
behavioral2/memory/4188-139-0x0000000000400000-0x0000000000435000-memory.dmp  family_sakula
behavioral2/memory/1596-140-0x0000000000400000-0x0000000000435000-memory.dmp  family_sakula
behavioral2/memory/4188-141-0x0000000000400000-0x0000000000435000-memory.dmp  family_sakula
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation  07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe
Executes dropped EXE 1 IoCs
pid  process
1596  MediaCenter.exe
UPX packed file 7 IoCs
resource  yara_rule
behavioral2/memory/4188-133-0x0000000000400000-0x0000000000435000-memory.dmp  upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  upx
behavioral2/memory/1596-138-0x0000000000400000-0x0000000000435000-memory.dmp  upx
behavioral2/memory/4188-139-0x0000000000400000-0x0000000000435000-memory.dmp  upx
behavioral2/memory/1596-140-0x0000000000400000-0x0000000000435000-memory.dmp  upx
behavioral2/memory/4188-141-0x0000000000400000-0x0000000000435000-memory.dmp  upx
Adds Run key to start application 2 TTPs 1 IoCs
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "likely ransomware behaviour", but that reading does not fit this sample: it is classified as Sakula, a backdoor, and nothing else in this report (no mass file access, no encryption, no ransom note) points to ransomware. Treat the drive enumeration as host enumeration by the backdoor, not as an encryption precursor.
Runs ping.exe 1 TTPs 1 IoCs
pid  process
2964  PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs
description  pid  process
Token: SeIncBasePriorityPrivilege  4188  07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe
Suspicious use of WriteProcessMemory 9 IoCs
description  pid  process  target process  writes recorded
PID 4188 wrote to memory of 1596  4188  07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe  MediaCenter.exe  3
PID 4188 wrote to memory of 4176  4188  07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe  cmd.exe  3
PID 4176 wrote to memory of 2964  4176  cmd.exe  PING.EXE  3
The three write groups line up one-to-one with the three process creations in the tree below (4188 -> 1596, 4188 -> 4176, 4176 -> 2964). A parent writing into a child it has just created is part of normal process start-up, so these entries on their own are not evidence of code injection; the injection-relevant facts on this page are the Sakula yara hits in both PIDs' memory.
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  (depth 2) C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe"
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      - Runs ping.exe
The cmd.exe child is the dropper removing itself: ping 127.0.0.1 is used as a short delay so that the dropper has exited and its image file is no longer in use when del /q runs, leaving only the dropped MediaCenter.exe and the Run key that restarts it. The command line names System32\cmd.exe while the executed image is SysWOW64\cmd.exe; that is file-system redirection, which tells you the dropper is a 32-bit process on this x64 guest.
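The chain recorded above (Temp-resident dropper launches a Temp-resident copy, writes a Run key pointing at it, then deletes itself through cmd.exe with the ping-then-del trick) is easy to express as detection logic over process-creation and registry-write telemetry. The following is an added example, not part of the sandbox report or its tooling: the event records are constructed from the PIDs, paths and command lines on this page, the record field names are this example's own rather than Sysmon's or the sandbox's, and the explorer.exe parent (pid 912) and the benign setup.exe control process are assumptions added for contrast.

```python
"""Detect the drop -> persist -> self-delete chain from this report's process
tree. Added example, not part of the sandbox report or its tooling. The event
records are constructed and simplified; field names are this example's own."""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events. PIDs, paths and command lines come from the report; the
# explorer.exe parent (pid 912) and the setup.exe control are assumptions.
EVENTS = [
    {"type": "process", "pid": 912, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"type": "process", "pid": 4188, "ppid": 912, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"type": "registry", "pid": 4188,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "data": DROPPED},
    {"type": "process", "pid": 1596, "ppid": 4188, "image": DROPPED, "cmd": DROPPED},
    {"type": "process", "pid": 4176, "ppid": 4188, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process", "pid": 2964, "ppid": 4176, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmd": "ping 127.0.0.1"},
    # control: an installer run from Temp by explorer, no persistence, no self-delete
    {"type": "process", "pid": 5000, "ppid": 912,
     "image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe", "cmd": "setup.exe"},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# "ping <host> & del [/q] <file>": ping is the delay that lets the parent exit
# before del runs; the captured group is the file that gets deleted.
SELF_DELETE = re.compile(r'\bping\b.*?&\s*del\b.*?"?([^"]+\.exe)"?', re.I)


def analyze(events):
    """Return {suspect_pid: [(tag, detail), ...]} for processes showing any of
    the three behaviours. Tags are attributed to the dropper, i.e. the parent
    of the dropped copy / of the self-delete cmd.exe, or the registry writer."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = defaultdict(list)
    for e in events:
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            if parent is None:
                continue
            # a Temp-resident parent launching another Temp-resident executable
            if TEMP_DIR.search(e["image"]) and TEMP_DIR.search(parent["image"]):
                findings[parent["pid"]].append(("dropped_exe_executed", e["image"]))
            # self-delete only counts when the deleted file is the parent's own image
            m = SELF_DELETE.search(e["cmd"])
            if m and m.group(1).lower() == parent["image"].lower():
                findings[parent["pid"]].append(("self_delete", m.group(1)))
        elif e["type"] == "registry":
            if RUN_KEY.search(e["key"]) and TEMP_DIR.search(e["data"]):
                findings[e["pid"]].append(("run_key_persistence", e["key"]))
    return dict(findings)


def high_confidence(findings):
    """PIDs that show all three behaviours, i.e. the complete chain."""
    need = {"dropped_exe_executed", "run_key_persistence", "self_delete"}
    return sorted(pid for pid, hits in findings.items() if need <= {t for t, _ in hits})


if __name__ == "__main__":
    result = analyze(EVENTS)
    for pid, hits in result.items():
        for tag, detail in hits:
            print(f"pid {pid}: {tag} -> {detail}")
    print("full chain:", high_confidence(result))
```

Each behaviour alone is weak (installers run from Temp, legitimate software writes Run keys, uninstallers use the ping-and-del idiom), which is why the example attributes every hit to the same parent PID and only calls the chain high confidence when all three land on one process; the setup.exe control shows the single-behaviour case producing no hit.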
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize: 212KB
MD5: 7d7718ad29c10a90a3f0a5e2ac2bb485
SHA1: eeed0c16fb189cb6432a816546e3333fe5c00a3a
SHA256: d3042aa577292c583e13afdb2ff21d860a1fc7282e795ce6ac248c508807caac
SHA512: 5bcb58e6da46afc457961fddfb9a14391843ffbe80929973bac854e0b39838ed5f58ef59325c43cd205234c4a4ae6a58707766b5e026e3e9b9dba067818ed621
The dropped MediaCenter.exe has the same size as the submitted sample (212KB) but different hashes, so it is not a byte-for-byte copy; hash-based hunting needs both the sample's hashes from the General section and the ones above.
memory/1596-138-0x0000000000400000-0x0000000000435000-memory.dmp  Filesize 212KB
memory/1596-140-0x0000000000400000-0x0000000000435000-memory.dmp  Filesize 212KB
memory/4188-133-0x0000000000400000-0x0000000000435000-memory.dmp  Filesize 212KB
memory/4188-139-0x0000000000400000-0x0000000000435000-memory.dmp  Filesize 212KB
memory/4188-141-0x0000000000400000-0x0000000000435000-memory.dmp  Filesize 212KB
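Every dump in this report covers the same region, 0x400000 to 0x435000, in both the dropper (pid 4188) and the dropped copy (pid 1596); that region is 0x35000 = 217088 bytes, exactly the 212KB of the files on disk, and it is where both the family_sakula and upx rules matched. The following added example, not part of the report or the sandbox's tooling, parses these dump identifiers so the relationship can be checked mechanically; the name grammar (optional task prefix, then memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp) is inferred from the names on this page and is an assumption.

```python
"""Parse the sandbox's memory-dump identifiers and relate the dumped region
to the on-disk size of the sample. Added example, not part of the report or
the sandbox's own tooling; the name grammar is inferred from this page."""
import re
from collections import defaultdict

# task/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, task prefix optional
# (the Downloads section lists the same dumps without it).
DUMP_NAME = re.compile(
    r"^(?:(?P<task>[^/]+)/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)

# Dump names copied from the report's yara matches.
REPORT_DUMPS = [
    "behavioral2/memory/4188-133-0x0000000000400000-0x0000000000435000-memory.dmp",
    "behavioral2/memory/1596-138-0x0000000000400000-0x0000000000435000-memory.dmp",
    "behavioral2/memory/4188-139-0x0000000000400000-0x0000000000435000-memory.dmp",
    "behavioral2/memory/1596-140-0x0000000000400000-0x0000000000435000-memory.dmp",
    "behavioral2/memory/4188-141-0x0000000000400000-0x0000000000435000-memory.dmp",
]
SAMPLE_SIZE = 212 * 1024  # 212KB on disk, per the General and Downloads sections


def parse_dump_name(name):
    """Split a dump identifier into task, pid, sequence number and region.
    Raises ValueError on names that do not fit the grammar or describe an
    empty/inverted region, so a typo in an IoC list fails loudly."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {name}")
    return {"task": m["task"], "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """{pid: {(start, end), ...}}: which distinct regions were dumped per process."""
    out = defaultdict(set)
    for n in names:
        d = parse_dump_name(n)
        out[d["pid"]].add((d["start"], d["end"]))
    return dict(out)


def dumps_matching_file_size(names, file_size=SAMPLE_SIZE):
    """Dumps whose region is exactly as large as the file on disk: the whole
    mapped image rather than a smaller unpacked stub or a heap allocation."""
    return [n for n in names if parse_dump_name(n)["size"] == file_size]


if __name__ == "__main__":
    for pid, regions in sorted(regions_by_pid(REPORT_DUMPS).items()):
        for start, end in sorted(regions):
            print(f"pid {pid}: 0x{start:x}-0x{end:x} ({end - start} bytes)")
    print(len(dumps_matching_file_size(REPORT_DUMPS)), "of",
          len(REPORT_DUMPS), "dumps are image-sized")
```

The useful observation for triage is that both processes were dumped at the same fixed base (0x400000, the classic non-relocated 32-bit image base) with a region equal to the file size, and that the same two rules fired in each; that is what lets the report tie the dropped MediaCenter.exe and the original dropper to one Sakula build even though their file hashes differ.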