Analysis
- max time kernel: 120s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 07-08-2023 08:07
Behavioral task behavioral1
- Sample: 3587c83089c747e1501fc3813d6ee84747d37904c378ba139573180fe8946037.exe
- Resource: win7-20230712-en
Behavioral task behavioral2
- Sample: 3587c83089c747e1501fc3813d6ee84747d37904c378ba139573180fe8946037.exe
- Resource: win10v2004-20230703-en
General
- Target: 3587c83089c747e1501fc3813d6ee84747d37904c378ba139573180fe8946037.exe
- Size: 5.5MB
- MD5: b754f770ce9f4583b64fcf321bb150cf
- SHA1: 65481e1292d110684ac23ba03d0059a114a90809
- SHA256: 3587c83089c747e1501fc3813d6ee84747d37904c378ba139573180fe8946037
- SHA512: 9ada07124881defadc7c83480eb68fd39d3754a448534a1b00ce30e2a00d30173aaf2be0c2e9a084f521bdb14f37a915cdaf6cab26ae736f287ae7a478959061
- SSDEEP: 6144:H29qRfVSndj30Bk+ZSyPhlpUnSYK062o+J8+J4+JZ+JQ+J9J1+J9J++J9J2Ju+Jq:TRfQnBWkyBGr
Malware Config
Extracted
- Family: sakula
- www.polarroute.com
Signatures
- Sakula payload (5 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/2144-58-0x0000000000400000-0x00000000009B5000-memory.dmp | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1576-60-0x0000000000400000-0x00000000009B5000-memory.dmp | family_sakula
  behavioral1/memory/2144-62-0x0000000000400000-0x00000000009B5000-memory.dmp | family_sakula
- Deletes itself (1 IoC)
  pid | process
  2336 | cmd.exe
- Executes dropped EXE (1 IoC)
  pid | process
  1576 | MediaCenter.exe
- Loads dropped DLL (1 IoC)
  pid | process
  2144 | 3587c83089c747e1501fc3813d6ee84747d37904c378ba139573180fe8946037.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 3587c83089c747e1501fc3813d6ee84747d37904c378ba139573180fe8946037.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 2144 | 3587c83089c747e1501fc3813d6ee84747d37904c378ba139573180fe8946037.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 2144 wrote to memory of 1576 | 2144 | 3587c83089c747e1501fc3813d6ee84747d37904c378ba139573180fe8946037.exe | MediaCenter.exe (4 entries)
  PID 2144 wrote to memory of 2336 | 2144 | 3587c83089c747e1501fc3813d6ee84747d37904c378ba139573180fe8946037.exe | cmd.exe (4 entries)
  PID 2336 wrote to memory of 2580 | 2336 | cmd.exe | PING.EXE (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\3587c83089c747e1501fc3813d6ee84747d37904c378ba139573180fe8946037.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3587c83089c747e1501fc3813d6ee84747d37904c378ba139573180fe8946037.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2144
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1576
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\3587c83089c747e1501fc3813d6ee84747d37904c378ba139573180fe8946037.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 2336
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2580
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 5.5MB
  MD5: c8231f4314d6d75568e4289b4c3860cf
  SHA1: e5a21a5637be6368fbffbff1e19a1c85526983e0
  SHA256: 5ce4db604e9168da4f86a7eeedfa4231e980c5ac6337174154929192ca57a726
  SHA512: fdac5b555c077b7499293a526e6d067c93ebf58077c70276079cddcc77726096682500f88de6759f0f225fb85500ef3a3160668a3c5824a6249d564bff936d22
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 5.5MB
  MD5: c8231f4314d6d75568e4289b4c3860cf
  SHA1: e5a21a5637be6368fbffbff1e19a1c85526983e0
  SHA256: 5ce4db604e9168da4f86a7eeedfa4231e980c5ac6337174154929192ca57a726
  SHA512: fdac5b555c077b7499293a526e6d067c93ebf58077c70276079cddcc77726096682500f88de6759f0f225fb85500ef3a3160668a3c5824a6249d564bff936d22
- memory/1576-60-0x0000000000400000-0x00000000009B5000-memory.dmp
  Filesize: 5.7MB
- memory/2144-58-0x0000000000400000-0x00000000009B5000-memory.dmp
  Filesize: 5.7MB
- memory/2144-62-0x0000000000400000-0x00000000009B5000-memory.dmp
  Filesize: 5.7MB
- memory/2144-61-0x00000000028D0000-0x0000000002E85000-memory.dmp
  Filesize: 5.7MB
- memory/2144-63-0x00000000028D0000-0x0000000002E85000-memory.dmp
  Filesize: 5.7MB