Analysis
- max time kernel: 140s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-12-2023 11:25
Behavioral task: behavioral1
- Sample: 137f0c2e4aeaae6f8aa9db92d8aa3a60.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 137f0c2e4aeaae6f8aa9db92d8aa3a60.exe
- Resource: win10v2004-20231215-en
General
- Target: 137f0c2e4aeaae6f8aa9db92d8aa3a60.exe
- Size: 3.6MB
- MD5: 137f0c2e4aeaae6f8aa9db92d8aa3a60
- SHA1: bb77f8eafe90ccf456015f47432b5dfbe75e2bda
- SHA256: 0791f8ccc942d42d4766e569670f0f9071e97109f43371fc8b9d8af09ada05b0
- SHA512: edf5d8628516b0c4207d3082510bdf0039f43788bfb413166a50d59464ce3f2c43ca899d7a9d3fd2114bdb44d164770d76a5e67e19de105fba875613d0e0cfe9
- SSDEEP: 49152:o852ZjeUNZZH46HsnHVT5ZA+acdD6xXTIF:oU6eUNZZJHsH/
Malware Config
Extracted: sakula
- www.polarroute.com
Signatures
- Sakula payload (1 IoCs)
  Processes:
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    yara_rule: family_sakula
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation
    process: 137f0c2e4aeaae6f8aa9db92d8aa3a60.exe
- Executes dropped EXE (1 IoCs)
  Processes:
    pid: 2080
    process: MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: 137f0c2e4aeaae6f8aa9db92d8aa3a60.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid: 4716
    process: 137f0c2e4aeaae6f8aa9db92d8aa3a60.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 4716 wrote to memory of 2080 | 4716 | 137f0c2e4aeaae6f8aa9db92d8aa3a60.exe | MediaCenter.exe
    PID 4716 wrote to memory of 2080 | 4716 | 137f0c2e4aeaae6f8aa9db92d8aa3a60.exe | MediaCenter.exe
    PID 4716 wrote to memory of 2080 | 4716 | 137f0c2e4aeaae6f8aa9db92d8aa3a60.exe | MediaCenter.exe
    PID 4716 wrote to memory of 4132 | 4716 | 137f0c2e4aeaae6f8aa9db92d8aa3a60.exe | cmd.exe
    PID 4716 wrote to memory of 4132 | 4716 | 137f0c2e4aeaae6f8aa9db92d8aa3a60.exe | cmd.exe
    PID 4716 wrote to memory of 4132 | 4716 | 137f0c2e4aeaae6f8aa9db92d8aa3a60.exe | cmd.exe
    PID 4132 wrote to memory of 768 | 4132 | cmd.exe | PING.EXE
    PID 4132 wrote to memory of 768 | 4132 | cmd.exe | PING.EXE
    PID 4132 wrote to memory of 768 | 4132 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\137f0c2e4aeaae6f8aa9db92d8aa3a60.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\137f0c2e4aeaae6f8aa9db92d8aa3a60.exe"
  PID: 4716
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 2080
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\137f0c2e4aeaae6f8aa9db92d8aa3a60.exe"
    PID: 4132
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 768
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PG47MANB\rlueqcgt-665476452[1].htm
  Filesize: 1KB
  MD5: 8d4c07efda188f4ca3290b68b7b5c2b4
  SHA1: ba392480e4f36eaf02ce8df0e7b3ca86aebbd3ea
  SHA256: e27b64c9737988f9d6a1bff653e7de7b46c8150133d6b4e9061b70d70dbde8b4
  SHA512: fbbd1b4596151b13a9de1ed87c37783f2e7519c1e0b7f90fe00cba33a848b538fcb8474d0975fb18568085e81e84053d4ec2f18021fcc76cda68e0b808ed2ef2
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 3.6MB
  MD5: cd115ca379cb6e028ad8aaafb7dae40b
  SHA1: a46225114bba58c3d33a65b1e9407ff2c66f73eb
  SHA256: af1b8627248ffbeae4dcea4dd4bbf397ef85fb88df02d69b7f2a723e73b4c92c
  SHA512: 7aa5509a9309d7af846050a7b31ce9b761249d565f8af363ab5495f1e4a66ebff7b9529a3180618441868fc7246e773fac439fcaacaaf446b93cd84605b0a24e