Analysis
-
max time kernel
126s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
19-12-2023 10:44
Behavioral task
behavioral1
Sample
0b980ed39da10a55d451efb072884a33.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
0b980ed39da10a55d451efb072884a33.exe
Resource
win10v2004-20231215-en
General
-
Target
0b980ed39da10a55d451efb072884a33.exe
-
Size
92KB
-
MD5
0b980ed39da10a55d451efb072884a33
-
SHA1
b4fa9a8e926891bb64747b89f5ac3ebdfe81505d
-
SHA256
82373431eb3a1ba42c7b205b04b0bdcb435c9cb896f346730a00326d59f2f106
-
SHA512
3ee830c21d85e5b666b2da4ebc790c4badd6b508d0246fdc193e7dd077c32a335c31877284510f7facf6e988121ee6cb06418afd45a555309b78401b8398539d
-
SSDEEP
1536:PQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX+ees52z30rtr0:w29DkEGRQixVSjLaes5G30BQ
Malware Config
Extracted
sakula
www.polarroute.com
Signatures
-
Sakula payload 1 IoCs
Processes:
resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
yara_rule: family_sakula
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Process: 0b980ed39da10a55d451efb072884a33.exe
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation
process: 0b980ed39da10a55d451efb072884a33.exe
-
Executes dropped EXE 1 IoCs
Processes:
Process: MediaCenter.exe
pid: 448
process: MediaCenter.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Process: 0b980ed39da10a55d451efb072884a33.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
process: 0b980ed39da10a55d451efb072884a33.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Process: 0b980ed39da10a55d451efb072884a33.exe
description: Token: SeIncBasePriorityPrivilege
pid: 4460
process: 0b980ed39da10a55d451efb072884a33.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
Processes: 0b980ed39da10a55d451efb072884a33.exe, cmd.exe
description | pid | process | target process
PID 4460 wrote to memory of 448 | 4460 | 0b980ed39da10a55d451efb072884a33.exe | MediaCenter.exe
PID 4460 wrote to memory of 448 | 4460 | 0b980ed39da10a55d451efb072884a33.exe | MediaCenter.exe
PID 4460 wrote to memory of 448 | 4460 | 0b980ed39da10a55d451efb072884a33.exe | MediaCenter.exe
PID 4460 wrote to memory of 3616 | 4460 | 0b980ed39da10a55d451efb072884a33.exe | cmd.exe
PID 4460 wrote to memory of 3616 | 4460 | 0b980ed39da10a55d451efb072884a33.exe | cmd.exe
PID 4460 wrote to memory of 3616 | 4460 | 0b980ed39da10a55d451efb072884a33.exe | cmd.exe
PID 3616 wrote to memory of 2776 | 3616 | cmd.exe | PING.EXE
PID 3616 wrote to memory of 2776 | 3616 | cmd.exe | PING.EXE
PID 3616 wrote to memory of 2776 | 3616 | cmd.exe | PING.EXE
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\0b980ed39da10a55d451efb072884a33.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0b980ed39da10a55d451efb072884a33.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4460
    -
    [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        - Executes dropped EXE
        PID:448
    -
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b980ed39da10a55d451efb072884a33.exe"
        - Suspicious use of WriteProcessMemory
        PID:3616
        -
        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            - Runs ping.exe
            PID:2776
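Two of the behaviours in this report translate directly into host-based detections: a Run key whose value points into a user-writable temp directory (the MicroMedia value above) and the `cmd.exe /c ping 127.0.0.1 & del /q "<self>"` cleanup, where ping is the sleep and del removes the original dropper. The following is an added example written for this page, not part of the sandbox output. It runs both rules over constructed, simplified Sysmon-style records (EventID 1 process creation, EventID 13 registry value set); the field names, the event layout and the two benign noise records are assumptions, while the paths and command lines are copied from the report.

```python
import re

# Constructed, simplified Sysmon-style events. EventID 1 = process creation,
# EventID 13 = registry value set. The values mirror the sandbox report above,
# but these records are made up for this example, not taken from a real log.
# The last two records are assumed benign noise that the rules should not flag.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\0b980ed39da10a55d451efb072884a33.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\0b980ed39da10a55d451efb072884a33.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\0b980ed39da10a55d451efb072884a33.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"EventID": 1,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b980ed39da10a55d451efb072884a33.exe"',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\0b980ed39da10a55d451efb072884a33.exe"},
    {"EventID": 13,
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c ping 10.0.0.1",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Run/RunOnce value, matched under both the native and the WOW6432Node view.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.IGNORECASE)
# Directories an unprivileged user can write to; installed software rarely
# persists from here, so a Run value pointing into them is worth a look.
USER_WRITABLE_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\", re.IGNORECASE)
# "ping <anything> & del [/switches] <file>": ping acts as a sleep so the
# dropper can exit before del removes it. Also matches "&&" and "del /f /q".
PING_DELETE_RE = re.compile(
    r"\bping\b[^&]*&+\s*del\b(?:\s+/\w)*\s+\"?(?P<target>[^\"]+?)\"?\s*$", re.IGNORECASE)


def detect_run_key_in_user_writable_path(event):
    """Flag a Run/RunOnce value whose target lives in a user-writable directory."""
    if event.get("EventID") != 13:
        return None
    key = event.get("TargetObject", "")
    target = event.get("Details", "").strip('"')
    if not RUN_KEY_RE.search(key) or not USER_WRITABLE_RE.match(target):
        return None
    return {"rule": "run_key_user_writable", "writer": event["Image"],
            "key": key, "target": target}


def detect_ping_then_delete(event):
    """Flag 'ping ... & del ...'; mark it as self-deletion when the deleted
    file is the parent image, which is the strong form seen in the report."""
    if event.get("EventID") != 1:
        return None
    m = PING_DELETE_RE.search(event.get("CommandLine", ""))
    if not m:
        return None
    target = m.group("target")
    parent = event.get("ParentImage", "")
    rule = "ping_then_delete_self" if target.lower() == parent.lower() else "ping_then_delete"
    return {"rule": rule, "process": event["Image"], "parent": parent, "deleted": target}


RULES = (detect_run_key_in_user_writable_path, detect_ping_then_delete)


def run_detections(events):
    """Apply every rule to every event and return the list of hits in order."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS):
        print(hit)
```

Against the sample set the run-key rule fires once (on the MicroMedia value, not on the Program Files installer) and the ping/del rule fires once, classified as self-deletion because the deleted path equals the parent image. The report's third registry behaviour, the query of `Control Panel\International\Geo\Nation`, is not covered here: Sysmon records key creation and value writes but not value reads, so that geofence check is visible in a sandbox or ETW trace rather than in this kind of log.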
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W8BIYKF7\tnjxozbg-1500139985[1].htm
Filesize 1KB
MD5 8d4c07efda188f4ca3290b68b7b5c2b4
SHA1 ba392480e4f36eaf02ce8df0e7b3ca86aebbd3ea
SHA256 e27b64c9737988f9d6a1bff653e7de7b46c8150133d6b4e9061b70d70dbde8b4
SHA512 fbbd1b4596151b13a9de1ed87c37783f2e7519c1e0b7f90fe00cba33a848b538fcb8474d0975fb18568085e81e84053d4ec2f18021fcc76cda68e0b808ed2ef2
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize 92KB
MD5 0d15bdf1bc64fb02b14f8dccb9919865
SHA1 62f09f1d8e76bea5da926356f6c6930b833d2696
SHA256 a0b17b10720fee586dc6d05b1bc9dac625725eeb986f08b0b7065ba4b2615bd2
SHA512 410eab962417f5cb77469a994a5828d2b8c55bb04de2a066df7a94f19c0a53e77ee682ddeaebdf6e19fe8a3c54a33c6ab8ba4b7c772fedff18226bce499581d1