Analysis
- max time kernel: 144s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-08-2023 09:23
Behavioral task: behavioral1
- Sample: 56146eaf36e94f63c3aa267da50b966c977e697219df6e6bbab96591c0531a8d.exe
- Resource: win7-20230712-en
Behavioral task: behavioral2
- Sample: 56146eaf36e94f63c3aa267da50b966c977e697219df6e6bbab96591c0531a8d.exe
- Resource: win10v2004-20230703-en
General
- Target: 56146eaf36e94f63c3aa267da50b966c977e697219df6e6bbab96591c0531a8d.exe
- Size: 4.2MB
- MD5: 6bb5ca02a0d6ddaf5466da634523d810
- SHA1: 60cf5acfc85682d9c9c923de48a969b4bbe74b71
- SHA256: 56146eaf36e94f63c3aa267da50b966c977e697219df6e6bbab96591c0531a8d
- SHA512: 711f4a776f7906ded65b4a51f0378c5bb20b7cabf8dd0275b6595ed306904d761d3361a297184b826c4257f20effee398416fce669ebe7bb6ae68f013b8c14ab
- SSDEEP: 6144:N29qRfVSndj30Bk+7D2q49FZvV7RWJJWJQWJnWJfWJIWJAJN1WJAJcWJAJxWJAJM:FRfQntCX9
Malware Config
Extracted
- Family: sakula
- C2: www.polarroute.com
Signatures
- Sakula payload (6 IoCs)
  resource | yara_rule
  behavioral2/memory/1680-133-0x0000000000400000-0x0000000000853000-memory.dmp | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/2524-138-0x0000000000400000-0x0000000000853000-memory.dmp | family_sakula
  behavioral2/memory/2524-139-0x0000000000400000-0x0000000000853000-memory.dmp | family_sakula
  behavioral2/memory/1680-140-0x0000000000400000-0x0000000000853000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoC)
  pid | process
  2524 | MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 56146eaf36e94f63c3aa267da50b966c977e697219df6e6bbab96591c0531a8d.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid | pid_target | process | target process
  4016 | 2524 | WerFault.exe | MediaCenter.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1680 | 56146eaf36e94f63c3aa267da50b966c977e697219df6e6bbab96591c0531a8d.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process
  PID 1680 wrote to memory of 2524 | 1680 | 56146eaf36e94f63c3aa267da50b966c977e697219df6e6bbab96591c0531a8d.exe | MediaCenter.exe
  PID 1680 wrote to memory of 2524 | 1680 | 56146eaf36e94f63c3aa267da50b966c977e697219df6e6bbab96591c0531a8d.exe | MediaCenter.exe
  PID 1680 wrote to memory of 2524 | 1680 | 56146eaf36e94f63c3aa267da50b966c977e697219df6e6bbab96591c0531a8d.exe | MediaCenter.exe
  PID 1680 wrote to memory of 4024 | 1680 | 56146eaf36e94f63c3aa267da50b966c977e697219df6e6bbab96591c0531a8d.exe | cmd.exe
  PID 1680 wrote to memory of 4024 | 1680 | 56146eaf36e94f63c3aa267da50b966c977e697219df6e6bbab96591c0531a8d.exe | cmd.exe
  PID 1680 wrote to memory of 4024 | 1680 | 56146eaf36e94f63c3aa267da50b966c977e697219df6e6bbab96591c0531a8d.exe | cmd.exe
  PID 4024 wrote to memory of 2256 | 4024 | cmd.exe | PING.EXE
  PID 4024 wrote to memory of 2256 | 4024 | cmd.exe | PING.EXE
  PID 4024 wrote to memory of 2256 | 4024 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\56146eaf36e94f63c3aa267da50b966c977e697219df6e6bbab96591c0531a8d.exe (level 1, PID 1680)
  Command line: "C:\Users\Admin\AppData\Local\Temp\56146eaf36e94f63c3aa267da50b966c977e697219df6e6bbab96591c0531a8d.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2, PID 2524)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe (level 3, PID 4016)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 212
      - Program crash
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 4024)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\56146eaf36e94f63c3aa267da50b966c977e697219df6e6bbab96591c0531a8d.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (level 3, PID 2256)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\SysWOW64\WerFault.exe (level 1, PID 4692)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2524 -ip 2524
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 4.2MB
  MD5: 9541e5bc8244aa5aa0ffd4cf5cb71e34
  SHA1: adf52c92dc3e976a30c5afe85a068031cc0517f7
  SHA256: 551eef26ee0af9626974824b9bc235b897d6dfc9150af1197740cb401f8c7e45
  SHA512: cb6f9a2b1b71dd4fb49538d259329b2fef58569f1fe898b7621edd9200b8c0d6de09571420b919b917ecb598267e3f05ba8e9b7b8da65a63ef69edca25cdfe26
- memory/1680-133-0x0000000000400000-0x0000000000853000-memory.dmp
  Filesize: 4.3MB
- memory/1680-140-0x0000000000400000-0x0000000000853000-memory.dmp
  Filesize: 4.3MB
- memory/2524-138-0x0000000000400000-0x0000000000853000-memory.dmp
  Filesize: 4.3MB
- memory/2524-139-0x0000000000400000-0x0000000000853000-memory.dmp
  Filesize: 4.3MB