Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-12-2023 10:12
Behavioral task: behavioral1
- Sample: 006e8acf6a130d89e531256306eba7f4.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 006e8acf6a130d89e531256306eba7f4.exe
- Resource: win10v2004-20231215-en
General
- Target: 006e8acf6a130d89e531256306eba7f4.exe
- Size: 517KB
- MD5: 006e8acf6a130d89e531256306eba7f4
- SHA1: ad65d804338a6db8ad60ff9fd6693b25a1e82631
- SHA256: c4638fcc1256408344d1c1a85bc750620891b56f5f33bc1cd9ffede6e980c625
- SHA512: a0420ce0d61bb5be11658cd443b4942d49943fdecaa5b9c0c3fe1f8da749519645d99aecba7071dc95aa7dc0501e0299f86cf6b244ca3997a42c3fe180741243
- SSDEEP: 12288:0RfQn+w8EYiBlMkn5f9J105ko8T6csVe+:g4+wlYBsb3zNsf
Malware Config
Extracted
- Family: sakula
- Extracted domain: www.polarroute.com
Signatures
- Sakula payload (4 IoCs)
  Processes (resource / yara_rule):
    behavioral2/memory/3824-0-0x0000000000400000-0x0000000000420000-memory.dmp / family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe / family_sakula
    behavioral2/memory/5104-5-0x0000000000400000-0x0000000000420000-memory.dmp / family_sakula
    behavioral2/memory/3824-6-0x0000000000400000-0x0000000000420000-memory.dmp / family_sakula
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: 006e8acf6a130d89e531256306eba7f4.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation
    process: 006e8acf6a130d89e531256306eba7f4.exe
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
    pid: 5104
    process: MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 006e8acf6a130d89e531256306eba7f4.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 006e8acf6a130d89e531256306eba7f4.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 006e8acf6a130d89e531256306eba7f4.exe
    description: Token: SeIncBasePriorityPrivilege
    pid: 3824
    process: 006e8acf6a130d89e531256306eba7f4.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 006e8acf6a130d89e531256306eba7f4.exe, cmd.exe
  (description / pid / process / target process):
    PID 3824 wrote to memory of 5104 / 3824 / 006e8acf6a130d89e531256306eba7f4.exe / MediaCenter.exe
    PID 3824 wrote to memory of 5104 / 3824 / 006e8acf6a130d89e531256306eba7f4.exe / MediaCenter.exe
    PID 3824 wrote to memory of 5104 / 3824 / 006e8acf6a130d89e531256306eba7f4.exe / MediaCenter.exe
    PID 3824 wrote to memory of 4856 / 3824 / 006e8acf6a130d89e531256306eba7f4.exe / cmd.exe
    PID 3824 wrote to memory of 4856 / 3824 / 006e8acf6a130d89e531256306eba7f4.exe / cmd.exe
    PID 3824 wrote to memory of 4856 / 3824 / 006e8acf6a130d89e531256306eba7f4.exe / cmd.exe
    PID 4856 wrote to memory of 4144 / 4856 / cmd.exe / PING.EXE
    PID 4856 wrote to memory of 4144 / 4856 / cmd.exe / PING.EXE
    PID 4856 wrote to memory of 4144 / 4856 / cmd.exe / PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\006e8acf6a130d89e531256306eba7f4.exe (PID 3824)
  Command line: "C:\Users\Admin\AppData\Local\Temp\006e8acf6a130d89e531256306eba7f4.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 5104)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 4856)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\006e8acf6a130d89e531256306eba7f4.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 4144)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BMK4G1YN\wdtixtax1214110740[1].htm
  Filesize: 1KB
  MD5: 8d4c07efda188f4ca3290b68b7b5c2b4
  SHA1: ba392480e4f36eaf02ce8df0e7b3ca86aebbd3ea
  SHA256: e27b64c9737988f9d6a1bff653e7de7b46c8150133d6b4e9061b70d70dbde8b4
  SHA512: fbbd1b4596151b13a9de1ed87c37783f2e7519c1e0b7f90fe00cba33a848b538fcb8474d0975fb18568085e81e84053d4ec2f18021fcc76cda68e0b808ed2ef2
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 517KB
  MD5: 43cf48332b60d1d98d8281be2c166b66
  SHA1: 1ea286c6c309b0c1a84e39eedd14140125874f50
  SHA256: cb4716552f15b0a0af23d38fb128170d1b7741ac2059056ce29e97bc2a838493
  SHA512: 53d722e824527331c2c5b579853819c46265ee594686f39f6a4ccfadfe0505f5afa602d05f5d2cac659ef14d8d34e173c94097a57d92ff1c4c269cd3528d4332
- memory/3824-0-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/3824-6-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/5104-5-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB