Analysis
max time kernel: 149s
max time network: 153s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 19-12-2023 11:25
Behavioral task: behavioral1
  Sample: 137f0c2e4aeaae6f8aa9db92d8aa3a60.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 137f0c2e4aeaae6f8aa9db92d8aa3a60.exe
  Resource: win10v2004-20231215-en
General
Target: 137f0c2e4aeaae6f8aa9db92d8aa3a60.exe
Size: 3.6MB
MD5: 137f0c2e4aeaae6f8aa9db92d8aa3a60
SHA1: bb77f8eafe90ccf456015f47432b5dfbe75e2bda
SHA256: 0791f8ccc942d42d4766e569670f0f9071e97109f43371fc8b9d8af09ada05b0
SHA512: edf5d8628516b0c4207d3082510bdf0039f43788bfb413166a50d59464ce3f2c43ca899d7a9d3fd2114bdb44d164770d76a5e67e19de105fba875613d0e0cfe9
SSDEEP: 49152:o852ZjeUNZZH46HsnHVT5ZA+acdD6xXTIF:oU6eUNZZJHsH/
Malware Config
Extracted config, family: sakula
  www.polarroute.com
Signatures
Sakula payload (1 IoC)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula

Deletes itself (1 IoC)
  pid | process
  2884 | cmd.exe

Executes dropped EXE (1 IoC)
  pid | process
  2180 | MediaCenter.exe

Loads dropped DLL (1 IoC)
  pid | process
  2172 | 137f0c2e4aeaae6f8aa9db92d8aa3a60.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 137f0c2e4aeaae6f8aa9db92d8aa3a60.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 2172 | 137f0c2e4aeaae6f8aa9db92d8aa3a60.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 2172 wrote to memory of 2180 | 2172 | 137f0c2e4aeaae6f8aa9db92d8aa3a60.exe | MediaCenter.exe
  PID 2172 wrote to memory of 2180 | 2172 | 137f0c2e4aeaae6f8aa9db92d8aa3a60.exe | MediaCenter.exe
  PID 2172 wrote to memory of 2180 | 2172 | 137f0c2e4aeaae6f8aa9db92d8aa3a60.exe | MediaCenter.exe
  PID 2172 wrote to memory of 2180 | 2172 | 137f0c2e4aeaae6f8aa9db92d8aa3a60.exe | MediaCenter.exe
  PID 2172 wrote to memory of 2884 | 2172 | 137f0c2e4aeaae6f8aa9db92d8aa3a60.exe | cmd.exe
  PID 2172 wrote to memory of 2884 | 2172 | 137f0c2e4aeaae6f8aa9db92d8aa3a60.exe | cmd.exe
  PID 2172 wrote to memory of 2884 | 2172 | 137f0c2e4aeaae6f8aa9db92d8aa3a60.exe | cmd.exe
  PID 2172 wrote to memory of 2884 | 2172 | 137f0c2e4aeaae6f8aa9db92d8aa3a60.exe | cmd.exe
  PID 2884 wrote to memory of 1828 | 2884 | cmd.exe | PING.EXE
  PID 2884 wrote to memory of 1828 | 2884 | cmd.exe | PING.EXE
  PID 2884 wrote to memory of 1828 | 2884 | cmd.exe | PING.EXE
  PID 2884 wrote to memory of 1828 | 2884 | cmd.exe | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\137f0c2e4aeaae6f8aa9db92d8aa3a60.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\137f0c2e4aeaae6f8aa9db92d8aa3a60.exe"
  PID: 2172
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 2180
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\137f0c2e4aeaae6f8aa9db92d8aa3a60.exe"
    PID: 2884
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1828
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\Cab8F27.tmp
  Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
C:\Users\Admin\AppData\Local\Temp\Tar8F59.tmp
  Filesize: 171KB
  MD5: 9c0c641c06238516f27941aa1166d427
  SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 3.6MB
  MD5: 031d1bbd9a0881e9ee00bc170a0b1104
  SHA1: 186f570fff9bbd035a20baf962d21ddeb56b890f
  SHA256: 1b128ec0c03480cf6412b0d3edfcd695474a07e881df1e5a2379c0c0cdbd87e7
  SHA512: 0e9aed9dee6587b696994e2846c93373095b9a637adef1b1015bbce9330c336615fddc1d61c3472e6fe2458d7bab03e8b956945533807ca4d679c7b9eda6f0d7