Analysis
- Max time kernel: 159s
- Max time network: 164s
- Platform: windows10-2004_x64
- Resource: win10v2004-20231025-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 14-11-2023 19:14
Behavioral task behavioral1
- Sample: b5cfbee4157bf05fc656345fbb22efe9741db758dbec483782e8c4824a82fd54.exe
- Resource: win7-20231025-en
Behavioral task behavioral2
- Sample: b5cfbee4157bf05fc656345fbb22efe9741db758dbec483782e8c4824a82fd54.exe
- Resource: win10v2004-20231025-en
General
- Target: b5cfbee4157bf05fc656345fbb22efe9741db758dbec483782e8c4824a82fd54.exe
- Size: 411KB
- MD5: 33035942c17d3a53f3b6d1ca970c0212
- SHA1: 3709cd98c55bcb4567a047e58398504df287d6c5
- SHA256: b5cfbee4157bf05fc656345fbb22efe9741db758dbec483782e8c4824a82fd54
- SHA512: 7cc642d0829cc5225900c0c9de06236be800e5ae4b73d1f84200cfa042ec4d0e4eac71c56d6350186468bdde027578386c7f87984793c03bd972eb42814e8a48
- SSDEEP: 6144:LHkZeUwBxE1+ijiBKk3etdgI2MyzNORQtOfl1qNVo7R+S+N/TU7kn5119J3rR05F:zkZbw8EYiBlMkn5f9J105ko8K
Malware Config
- Extracted: sakula
  www.polarroute.com
Signatures
- Sakula payload (4 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/3504-5-0x0000000000400000-0x0000000000423000-memory.dmp | family_sakula
  behavioral2/memory/3640-6-0x0000000000400000-0x0000000000423000-memory.dmp | family_sakula
  behavioral2/memory/3504-13-0x0000000000400000-0x0000000000423000-memory.dmp | family_sakula
  behavioral2/memory/3640-16-0x0000000000400000-0x0000000000423000-memory.dmp | family_sakula
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: b5cfbee4157bf05fc656345fbb22efe9741db758dbec483782e8c4824a82fd54.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | b5cfbee4157bf05fc656345fbb22efe9741db758dbec483782e8c4824a82fd54.exe
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid | process
  3640 | MediaCenter.exe
- yara_rule upx matches (7 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/3504-0-0x0000000000400000-0x0000000000423000-memory.dmp | upx
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | upx
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | upx
  behavioral2/memory/3504-5-0x0000000000400000-0x0000000000423000-memory.dmp | upx
  behavioral2/memory/3640-6-0x0000000000400000-0x0000000000423000-memory.dmp | upx
  behavioral2/memory/3504-13-0x0000000000400000-0x0000000000423000-memory.dmp | upx
  behavioral2/memory/3640-16-0x0000000000400000-0x0000000000423000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: b5cfbee4157bf05fc656345fbb22efe9741db758dbec483782e8c4824a82fd54.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | b5cfbee4157bf05fc656345fbb22efe9741db758dbec483782e8c4824a82fd54.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: b5cfbee4157bf05fc656345fbb22efe9741db758dbec483782e8c4824a82fd54.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 3504 | b5cfbee4157bf05fc656345fbb22efe9741db758dbec483782e8c4824a82fd54.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: b5cfbee4157bf05fc656345fbb22efe9741db758dbec483782e8c4824a82fd54.exe, cmd.exe
  description | pid | process | target process
  PID 3504 wrote to memory of 3640 | 3504 | b5cfbee4157bf05fc656345fbb22efe9741db758dbec483782e8c4824a82fd54.exe | MediaCenter.exe
  PID 3504 wrote to memory of 3640 | 3504 | b5cfbee4157bf05fc656345fbb22efe9741db758dbec483782e8c4824a82fd54.exe | MediaCenter.exe
  PID 3504 wrote to memory of 3640 | 3504 | b5cfbee4157bf05fc656345fbb22efe9741db758dbec483782e8c4824a82fd54.exe | MediaCenter.exe
  PID 3504 wrote to memory of 1180 | 3504 | b5cfbee4157bf05fc656345fbb22efe9741db758dbec483782e8c4824a82fd54.exe | cmd.exe
  PID 3504 wrote to memory of 1180 | 3504 | b5cfbee4157bf05fc656345fbb22efe9741db758dbec483782e8c4824a82fd54.exe | cmd.exe
  PID 3504 wrote to memory of 1180 | 3504 | b5cfbee4157bf05fc656345fbb22efe9741db758dbec483782e8c4824a82fd54.exe | cmd.exe
  PID 1180 wrote to memory of 1556 | 1180 | cmd.exe | PING.EXE
  PID 1180 wrote to memory of 1556 | 1180 | cmd.exe | PING.EXE
  PID 1180 wrote to memory of 1556 | 1180 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\b5cfbee4157bf05fc656345fbb22efe9741db758dbec483782e8c4824a82fd54.exe (PID 3504, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b5cfbee4157bf05fc656345fbb22efe9741db758dbec483782e8c4824a82fd54.exe"
  Signatures:
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3640, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures:
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1180, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\b5cfbee4157bf05fc656345fbb22efe9741db758dbec483782e8c4824a82fd54.exe"
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1556, depth 3)
      Command line: ping 127.0.0.1
      Signatures:
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J9NF6NB1\btvitsnp-1193839729[1].htm
  Filesize: 1KB
  MD5: e507b6db861216a44b75378e63fbf065
  SHA1: 39215c521f8f24d158a7937442102db64e2ad150
  SHA256: f24b19277b603c95eee4c2e9cd4880b3cd25b7efae2c53a7953137215fd38568
  SHA512: 11f384c722ab2128bfa6a211321f1ed9c7b9a469dbd85ecf253aca9ec1251d53ed4ca11bca50a3c134b3fab4439def0b5e85accca0bddd0d804a7d24a1d13d30
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 411KB
  MD5: 3b415c20d2c35b1dc69cf188c7ffdea1
  SHA1: 11276d9b42c6c92e8e8cee7c2555a0f8b61b5ea8
  SHA256: fe82381afd88617384fa0ce396452b59bdb5f70e93292f3b9758dc92ccd29ab8
  SHA512: 8bb2760b42849b3f7c599d2154fa3e91c1879c01c8d3a218220a0edf07510e3f6ce1cb977e76a4a36cb3f74836b38d4dd41f614cb8a776cdc8125bc9611af307
- memory/3504-0-0x0000000000400000-0x0000000000423000-memory.dmp
  Filesize: 140KB
- memory/3504-5-0x0000000000400000-0x0000000000423000-memory.dmp
  Filesize: 140KB
- memory/3504-13-0x0000000000400000-0x0000000000423000-memory.dmp
  Filesize: 140KB
- memory/3640-6-0x0000000000400000-0x0000000000423000-memory.dmp
  Filesize: 140KB
- memory/3640-16-0x0000000000400000-0x0000000000423000-memory.dmp
  Filesize: 140KB