Analysis
- max time kernel: 36s
- max time network: 23s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 21-10-2023 21:25
Behavioral task: behavioral1
- Sample: NEAS.86f540cb1a64b17ab32196c9382f1470.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: NEAS.86f540cb1a64b17ab32196c9382f1470.exe
- Resource: win10v2004-20231020-en
General
- Target: NEAS.86f540cb1a64b17ab32196c9382f1470.exe
- Size: 190KB
- MD5: 86f540cb1a64b17ab32196c9382f1470
- SHA1: 19a1ad0cf4ee5947c82bb81cf6b1bf4b1035bb15
- SHA256: 131c45691ffed3a1896f9f412a4b50298f1778068bafae96cdd90ceb04dc22d6
- SHA512: 6527729b443e693aa1168d6bc9e715e5cefad06953cbc6e599adb3aff0f66667916bfcd7b1334626553d0cef079d6d6f026f526afafb0cca0daa6a8ed2d43aa8
- SSDEEP: 3072:929DkEGRQixVSjLa130BYgjXjp+y9T7uZwOuz/xS0:929qRfVSnA30B7XjUbwBxF
Malware Config
Extracted
- Family: sakula
- www.polarroute.com
Signatures
- Sakula payload (6 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/2964-0-0x0000000000400000-0x0000000000425000-memory.dmp | family_sakula
  behavioral1/memory/2652-7-0x0000000000400000-0x0000000000425000-memory.dmp | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/2964-8-0x0000000000400000-0x0000000000425000-memory.dmp | family_sakula
  behavioral1/memory/2964-9-0x0000000000400000-0x0000000000425000-memory.dmp | family_sakula
- Deletes itself (1 IoC)
  Processes:
  pid | process
  2476 | cmd.exe
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  2652 | MediaCenter.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  2964 | NEAS.86f540cb1a64b17ab32196c9382f1470.exe
- UPX packed file (yara rule upx, 6 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/2964-0-0x0000000000400000-0x0000000000425000-memory.dmp | upx
  behavioral1/memory/2652-7-0x0000000000400000-0x0000000000425000-memory.dmp | upx
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | upx
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | upx
  behavioral1/memory/2964-8-0x0000000000400000-0x0000000000425000-memory.dmp | upx
  behavioral1/memory/2964-9-0x0000000000400000-0x0000000000425000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | NEAS.86f540cb1a64b17ab32196c9382f1470.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 2964 | NEAS.86f540cb1a64b17ab32196c9382f1470.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 2964 wrote to memory of 2652 | 2964 | NEAS.86f540cb1a64b17ab32196c9382f1470.exe | MediaCenter.exe (4 occurrences)
  PID 2964 wrote to memory of 2476 | 2964 | NEAS.86f540cb1a64b17ab32196c9382f1470.exe | cmd.exe (4 occurrences)
  PID 2476 wrote to memory of 2220 | 2476 | cmd.exe | PING.EXE (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.86f540cb1a64b17ab32196c9382f1470.exe (level 1, PID 2964)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.86f540cb1a64b17ab32196c9382f1470.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2, PID 2652)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 2476)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\NEAS.86f540cb1a64b17ab32196c9382f1470.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (level 3, PID 2220)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 190KB
  MD5: 43760fb875801efd5c20c1a1c829f156
  SHA1: fb681fb8ea001516bb690f7601518836c8fa0475
  SHA256: c0d3cf2e5d8837d2178159f2f5f2f3a57d90843ee20f5bd3774b79aefed4784e
  SHA512: de7415508792ea86e6e6457700b6e638b4c2b2b89e1d079e79b3878b84ee0188b696bca351ed2484f01920a662636455524031fddc54936c259467e5c2a096c1
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 190KB
  MD5: 43760fb875801efd5c20c1a1c829f156
  SHA1: fb681fb8ea001516bb690f7601518836c8fa0475
  SHA256: c0d3cf2e5d8837d2178159f2f5f2f3a57d90843ee20f5bd3774b79aefed4784e
  SHA512: de7415508792ea86e6e6457700b6e638b4c2b2b89e1d079e79b3878b84ee0188b696bca351ed2484f01920a662636455524031fddc54936c259467e5c2a096c1
- memory/2652-7-0x0000000000400000-0x0000000000425000-memory.dmp
  Filesize: 148KB
- memory/2964-0-0x0000000000400000-0x0000000000425000-memory.dmp
  Filesize: 148KB
- memory/2964-6-0x0000000001B60000-0x0000000001B85000-memory.dmp
  Filesize: 148KB
- memory/2964-8-0x0000000000400000-0x0000000000425000-memory.dmp
  Filesize: 148KB
- memory/2964-9-0x0000000000400000-0x0000000000425000-memory.dmp
  Filesize: 148KB