Analysis
max time kernel: 143s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2023 10:32
Behavioral task behavioral1
  Sample: 078a5da4c145b02ce91f8788232a3615.exe
  Resource: win7-20231215-en
Behavioral task behavioral2
  Sample: 078a5da4c145b02ce91f8788232a3615.exe
  Resource: win10v2004-20231215-en
General
Target: 078a5da4c145b02ce91f8788232a3615.exe
Size: 392KB
MD5: 078a5da4c145b02ce91f8788232a3615
SHA1: eb1e1b7f458ff0a2b1cc64f6259e83fd550aa4cf
SHA256: 9cf5b7e6c062f3c69bb62aabb2482c874f191db3f73430829c020c89bfcbc86b
SHA512: f3d41a86d516e808c010864b92214c749026f6a47bea20a9471f96ca9c77fc9089783e0b9a84805299436ae3b340619e396ede39b165797fd1ce2f4fb3069370
SSDEEP: 6144:M29qRfVSndj30B3wBxE1+ijiBKk3etdgI2MyzNORQtOfl1qNVo7R+S+N/TU7kn5q:0RfQn+w8EYiBlMkn5f9J105L
Malware Config
Extracted
sakula
www.polarroute.com
Signatures

Sakula payload (5 IoCs)
  resource                                                                    yara_rule
  behavioral2/memory/1680-0-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe               family_sakula
  behavioral2/memory/2892-4-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe               family_sakula
  behavioral2/memory/1680-6-0x0000000000400000-0x0000000000420000-memory.dmp  family_sakula

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                     process
  Key value queried  \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation  078a5da4c145b02ce91f8788232a3615.exe

Executes dropped EXE (1 IoC)
  pid   process
  2892  MediaCenter.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                          process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  078a5da4c145b02ce91f8788232a3615.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  1680  078a5da4c145b02ce91f8788232a3615.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   process                               target process
  PID 1680 wrote to memory of 2892  1680  078a5da4c145b02ce91f8788232a3615.exe  MediaCenter.exe
  PID 1680 wrote to memory of 2892  1680  078a5da4c145b02ce91f8788232a3615.exe  MediaCenter.exe
  PID 1680 wrote to memory of 2892  1680  078a5da4c145b02ce91f8788232a3615.exe  MediaCenter.exe
  PID 1680 wrote to memory of 1616  1680  078a5da4c145b02ce91f8788232a3615.exe  cmd.exe
  PID 1680 wrote to memory of 1616  1680  078a5da4c145b02ce91f8788232a3615.exe  cmd.exe
  PID 1680 wrote to memory of 1616  1680  078a5da4c145b02ce91f8788232a3615.exe  cmd.exe
  PID 1616 wrote to memory of 1788  1616  cmd.exe                               PING.EXE
  PID 1616 wrote to memory of 1788  1616  cmd.exe                               PING.EXE
  PID 1616 wrote to memory of 1788  1616  cmd.exe                               PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\078a5da4c145b02ce91f8788232a3615.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\078a5da4c145b02ce91f8788232a3615.exe"
  PID: 1680
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 2892
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\078a5da4c145b02ce91f8788232a3615.exe"
    PID: 1616
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      PID: 1788
      - Runs ping.exe
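The process tree above records the sample's self-deletion idiom (a cmd.exe child running `ping 127.0.0.1 & del /q <the sample's own path>`: the ping only stalls until the parent has exited and its file handle is closed, so the delete succeeds) and, under Signatures, persistence through a Run key that points into the user's Temp directory. The following Python is an added triage example and is not part of the sandbox report or its tooling. It takes process-creation events and registry writes, constructed here from the values printed on this page (parent PIDs are inferred from the depth markers in the tree), and flags a cmd.exe child whose delete target is an ancestor's own image, plus Run/RunOnce values whose command lives under a user-writable Temp path. It generalizes slightly beyond this sample: the pattern also accepts the `timeout` variant of the delay and extra `del` switches, which this sample does not use.

```python
"""Triage checks for two behaviours recorded in this report: a cmd.exe child
that deletes an ancestor's on-disk image after a ping/timeout delay, and a
Run key pointing into a user-writable Temp directory.

Added example; not the sandbox's own code. Sample data is constructed from
the process tree and the registry IoC on this page; ppid values are inferred
from the tree depth.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1680, 0,
              r"C:\Users\Admin\AppData\Local\Temp\078a5da4c145b02ce91f8788232a3615.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\078a5da4c145b02ce91f8788232a3615.exe"'),
    ProcEvent(2892, 1680,
              r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
              r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"),
    ProcEvent(1616, 1680,
              r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q '
              r'"C:\Users\Admin\AppData\Local\Temp\078a5da4c145b02ce91f8788232a3615.exe"'),
    ProcEvent(1788, 1616, r"C:\Windows\SysWOW64\PING.EXE", r"ping 127.0.0.1"),
]

# Constructed from the report's "Set value (str)" IoC, as key -> value written.
SAMPLE_REG_SETS: Dict[str, str] = {
    r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia":
        r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
}

# "/c ping <host> ... & del [switches] <file>" (or "timeout ..."): the delay
# gives the parent time to exit so the delete of its own image succeeds.
SELF_DELETE_RE = re.compile(
    r'/c\s+(?:ping|timeout)\b[^&]*&\s*del\s+(?:/\w\s+)*"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.IGNORECASE
)
USER_TEMP_RE = re.compile(r'^"?[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\', re.IGNORECASE)


def find_self_deletion(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Flag delayed-delete commands whose target is an ancestor process's own image."""
    by_pid = {e.pid: e for e in events}
    findings: List[Dict[str, object]] = []
    for ev in events:
        m = SELF_DELETE_RE.search(ev.cmdline)
        if not m:
            continue
        target = m.group("target").strip()
        anc = by_pid.get(ev.ppid)
        seen = set()
        # Walk up the ancestry; 'seen' guards against loops from PID reuse.
        while anc is not None and anc.pid not in seen:
            seen.add(anc.pid)
            if anc.image.lower() == target.lower():
                findings.append({"cmd_pid": ev.pid, "deleted_pid": anc.pid, "target": target})
                break
            anc = by_pid.get(anc.ppid)
    return findings


def suspicious_run_values(reg_sets: Dict[str, str]) -> List[str]:
    """Return Run/RunOnce value paths whose command lives under a user's Temp directory."""
    return [k for k, v in reg_sets.items() if RUN_KEY_RE.search(k) and USER_TEMP_RE.match(v)]


if __name__ == "__main__":
    for f in find_self_deletion(SAMPLE_EVENTS):
        print(f"self-delete: cmd.exe pid {f['cmd_pid']} removes image of pid {f['deleted_pid']}: {f['target']}")
    for k in suspicious_run_values(SAMPLE_REG_SETS):
        print(f"persistence via Run key into Temp: {k}")
```

Matching the delete target against ancestor images, rather than flagging every `ping & del`, is what separates self-deletion from ordinary cleanup scripts; a cmd.exe that deletes an unrelated log file under the same parent produces no finding.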
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BPK32G26\sznrdvbh438275546[1].htm
  Filesize: 1KB
  MD5:    8d4c07efda188f4ca3290b68b7b5c2b4
  SHA1:   ba392480e4f36eaf02ce8df0e7b3ca86aebbd3ea
  SHA256: e27b64c9737988f9d6a1bff653e7de7b46c8150133d6b4e9061b70d70dbde8b4
  SHA512: fbbd1b4596151b13a9de1ed87c37783f2e7519c1e0b7f90fe00cba33a848b538fcb8474d0975fb18568085e81e84053d4ec2f18021fcc76cda68e0b808ed2ef2

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 392KB
  MD5:    6adfe8fd0a153679ac7d951129e3603d
  SHA1:   ab874591655158e937d5d8ca591536232269de5e
  SHA256: fedce949175461eab771e04e600f201e5351c272dd47d65ed4b78712cbb098b7
  SHA512: d0d29ff1a0b01c4594c7f848dec2b0d91608abe8032fe3287510b83b0c28726ee55b4f3871ae1c6cf4f9b26178b6a5a16c347fc8533ac8534ccdd08d230c0ab8

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 299KB
  MD5:    1118cb771b7b6f206477d4aceca72bbc
  SHA1:   f83e45d616c40db55b3c51946239463b9bd2f231
  SHA256: f9dd251ca411c4c05ec055a9e7ba0c2bf04674a24abf389013719c938e51a8c0
  SHA512: 04db0956161d79cb9d6a99b68f7d9ce20bed73b51dfdc0925432441f04e48f91b285f6f469b42eac63b4b0c13b63ee857c4176276b47fe0403d065b9c4f4cc4f

memory/1680-0-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

memory/1680-6-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

memory/2892-4-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB