Analysis
- max time kernel: 130s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-10-2023 12:04
Behavioral task behavioral1
- Sample: NEAS.ee2ee71c9cc7f06d1c89adf1a8dd68a0_JC.exe
- Resource: win7-20230831-en

Behavioral task behavioral2
- Sample: NEAS.ee2ee71c9cc7f06d1c89adf1a8dd68a0_JC.exe
- Resource: win10v2004-20230915-en
General
- Target: NEAS.ee2ee71c9cc7f06d1c89adf1a8dd68a0_JC.exe
- Size: 144KB
- MD5: ee2ee71c9cc7f06d1c89adf1a8dd68a0
- SHA1: 8007d6798d96fefffd66c1d3a80a6c932d6e4b8e
- SHA256: 7f971ed52d434ccec2340a459bed7a65981649f322031aabbfe14deeaddb3436
- SHA512: 5b67452743fd1300174b31005e88da3b862d9fb91d684fbdd8c6f49d92a32847e33bd209fd3621039090b09d9c889df122f134ede8c734c72e2504e1fd6090e0
- SSDEEP: 1536:mQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX+mdz30rtr8gjXjp09y9x0:929DkEGRQixVSjLa130BYgjXjp+y9S
Malware Config
Extracted:
- Family: sakula
- www.polarroute.com
Signatures

- Sakula payload (7 IoCs)
  Processes (resource / yara_rule):
  - behavioral2/memory/2788-0-0x0000000000400000-0x0000000000425000-memory.dmp: family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  - behavioral2/memory/2844-5-0x0000000000400000-0x0000000000425000-memory.dmp: family_sakula
  - behavioral2/memory/2788-6-0x0000000000400000-0x0000000000425000-memory.dmp: family_sakula
  - behavioral2/memory/2844-7-0x0000000000400000-0x0000000000425000-memory.dmp: family_sakula
  - behavioral2/memory/2788-8-0x0000000000400000-0x0000000000425000-memory.dmp: family_sakula

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description / ioc / process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation, by NEAS.ee2ee71c9cc7f06d1c89adf1a8dd68a0_JC.exe

- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 2844 MediaCenter.exe

- UPX-packed file (yara rule: upx, 7 IoCs)
  Processes (resource / yara_rule):
  - behavioral2/memory/2788-0-0x0000000000400000-0x0000000000425000-memory.dmp: upx
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: upx
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: upx
  - behavioral2/memory/2844-5-0x0000000000400000-0x0000000000425000-memory.dmp: upx
  - behavioral2/memory/2788-6-0x0000000000400000-0x0000000000425000-memory.dmp: upx
  - behavioral2/memory/2844-7-0x0000000000400000-0x0000000000425000-memory.dmp: upx
  - behavioral2/memory/2788-8-0x0000000000400000-0x0000000000425000-memory.dmp: upx

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", by NEAS.ee2ee71c9cc7f06d1c89adf1a8dd68a0_JC.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Runs ping.exe (1 TTP, 1 IoC)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeIncBasePriorityPrivilege, 2788 NEAS.ee2ee71c9cc7f06d1c89adf1a8dd68a0_JC.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
  - PID 2788 wrote to memory of 2844: NEAS.ee2ee71c9cc7f06d1c89adf1a8dd68a0_JC.exe -> MediaCenter.exe
  - PID 2788 wrote to memory of 2844: NEAS.ee2ee71c9cc7f06d1c89adf1a8dd68a0_JC.exe -> MediaCenter.exe
  - PID 2788 wrote to memory of 2844: NEAS.ee2ee71c9cc7f06d1c89adf1a8dd68a0_JC.exe -> MediaCenter.exe
  - PID 2788 wrote to memory of 4928: NEAS.ee2ee71c9cc7f06d1c89adf1a8dd68a0_JC.exe -> cmd.exe
  - PID 2788 wrote to memory of 4928: NEAS.ee2ee71c9cc7f06d1c89adf1a8dd68a0_JC.exe -> cmd.exe
  - PID 2788 wrote to memory of 4928: NEAS.ee2ee71c9cc7f06d1c89adf1a8dd68a0_JC.exe -> cmd.exe
  - PID 4928 wrote to memory of 3008: cmd.exe -> PING.EXE
  - PID 4928 wrote to memory of 3008: cmd.exe -> PING.EXE
  - PID 4928 wrote to memory of 3008: cmd.exe -> PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.ee2ee71c9cc7f06d1c89adf1a8dd68a0_JC.exe (PID 2788)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.ee2ee71c9cc7f06d1c89adf1a8dd68a0_JC.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2844)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 4928)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\NEAS.ee2ee71c9cc7f06d1c89adf1a8dd68a0_JC.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 3008)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  - Filesize: 144KB
  - MD5: 22f090318f14dcaa294374056f99a1b0
  - SHA1: a5187b2843abdddde59d4ccba5e5bdfde77ee2ea
  - SHA256: ecd499daada95c14cc1650193209f0c4afac9fdfe7fb824b608b3362dedcd5d9
  - SHA512: 5dcfd60e4387ed72a34306623c51da24a3904350eabc1040da4b4f5028791e8d5dd6dde8921befe8b2aa2bffe3238a109a349875a2090ffb8361224790b76888
- memory/2788-0-0x0000000000400000-0x0000000000425000-memory.dmp
  - Filesize: 148KB
- memory/2788-6-0x0000000000400000-0x0000000000425000-memory.dmp
  - Filesize: 148KB
- memory/2788-8-0x0000000000400000-0x0000000000425000-memory.dmp
  - Filesize: 148KB
- memory/2844-5-0x0000000000400000-0x0000000000425000-memory.dmp
  - Filesize: 148KB
- memory/2844-7-0x0000000000400000-0x0000000000425000-memory.dmp
  - Filesize: 148KB