Analysis
max time kernel: 120s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2023 13:08
Behavioral task: behavioral1
Sample: 2db67f0f93300be187b2efd34afc82b1.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 2db67f0f93300be187b2efd34afc82b1.exe
Resource: win10v2004-20231215-en
The analysis below is the behavioral2 (win10v2004-20231215-en, x64) run; results on the win7 resource are not reproduced on this page.
General
Target: 2db67f0f93300be187b2efd34afc82b1.exe
Size: 3.6MB
MD5: 2db67f0f93300be187b2efd34afc82b1
SHA1: 7be57d066dc49677951de40a198c7a6355cdb8bd
SHA256: 9f2cc213108a119a3fcd93915f48661ba83444906111b7b2af4450973e9cf04c
SHA512: b3924098b874a2f537164ae474da9a9052852436d45149909b4516fd6aec63c7b6a5f70d4823ed2b2d1ddc8ed921d33434637111752a62c6b4d11d7e3d0784b2
SSDEEP: 49152:o852ZjeUNZZH46HsnHVT5ZA+acdD6xXTI1:oU6eUNZZJHsHj
Malware Config
Extracted family: sakula
C2 host (from the extracted config): www.polarroute.com
Note that the host comes from static config extraction, not from observed traffic; no network capture is shown on this page.
Signatures
Sakula payload (1 IoC)
  YARA rule family_sakula matched on disk: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried by 2db67f0f93300be187b2efd34afc82b1.exe: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation
  The value is the user's GeoID; a sample that reads it and then behaves differently per locale will look benign in a sandbox whose locale is outside its target set, so compare runs across locales before concluding a sample is inert.
Executes dropped EXE (1 IoC)
  PID 960 MediaCenter.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by 2db67f0f93300be187b2efd34afc82b1.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  The key lands under WOW6432Node because the sample is a 32-bit process on x64 (its child cmd.exe runs from SysWOW64), so registry redirection applies; hunt under both HKLM\SOFTWARE\...\Run and HKLM\SOFTWARE\WOW6432Node\...\Run. A Run entry whose data points into a user's Temp directory is a strong persistence indicator on its own.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Runs ping.exe (1 TTP, 1 IoC)
  See the process tree below: ping 127.0.0.1 is used as a delay before deleting the dropper, not for connectivity.
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege enabled by PID 2184 2db67f0f93300be187b2efd34afc82b1.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2184 (2db67f0f93300be187b2efd34afc82b1.exe) wrote to memory of PID 960 (MediaCenter.exe), 3 events
  PID 2184 (2db67f0f93300be187b2efd34afc82b1.exe) wrote to memory of PID 1856 (cmd.exe), 3 events
  PID 1856 (cmd.exe) wrote to memory of PID 2964 (PING.EXE), 3 events
  Every write here is from a parent into a child it has just created, which is the normal process-creation pattern rather than injection into an unrelated process; treat this signature as low weight unless the target is not a direct child.
Processes
1. C:\Users\Admin\AppData\Local\Temp\2db67f0f93300be187b2efd34afc82b1.exe (PID 2184)
   Command line: "C:\Users\Admin\AppData\Local\Temp\2db67f0f93300be187b2efd34afc82b1.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 960, parent 2184)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID 1856, parent 2184)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2db67f0f93300be187b2efd34afc82b1.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 2964, parent 1856)
         Command line: ping 127.0.0.1
         - Runs ping.exe
The cmd.exe line is the standard self-delete idiom: the dropper spawns a shell that waits on a loopback ping, then deletes the dropper's own image once the parent has exited. On a compromised host the original file is therefore unlikely to still be on disk; the artifacts that remain are the persisted copy MediaCenter.exe and the Run value pointing at it. The command line names System32\cmd.exe but the process image is SysWOW64\cmd.exe, which is file-system redirection for a 32-bit parent and confirms the sample is 32-bit.
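The behaviours above (known dropper and payload hashes, the Run value pointing into Temp, the ping-then-del self-deletion, and the extracted C2 host) can be turned into endpoint detections. The following is an added example written for this page, not code from the sandbox or from any vendor: it runs four rules over constructed Sysmon-shaped events that mirror the process tree and registry write in this report. PIDs, paths, hashes and the Run value are taken from the report; the DNS event for www.polarroute.com is assumed, since the page shows no network capture.

```python
"""Detections for the behaviour in this report, run over constructed
Sysmon-shaped events. Added example; not part of the sandbox report."""
import re
from dataclasses import dataclass

# Indicators copied from the report above.
SAKULA_C2 = "www.polarroute.com"
KNOWN_SHA256 = {
    "9f2cc213108a119a3fcd93915f48661ba83444906111b7b2af4450973e9cf04c": "dropper 2db67f0f93300be187b2efd34afc82b1.exe",
    "854eebff1386f35ce712922dfc99cdd0f371546e8d44cbd564e40248c1068733": "Sakula payload MediaCenter.exe",
}

# Self-delete idiom from the process tree: cmd /c ping 127.0.0.1 & del /q "<dropper>".
# The ping is only a delay so the dropper has exited before del runs; optional
# ping switches (-n 3) and del switches (/f /q) are tolerated.
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:-\w\s+\S+\s+)*(?:127\.0\.0\.1|localhost)[^&]*&\s*'
    r'del\s+(?:/[a-z]+\s+)*"?(?P<target>[^"&]+)',
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass
class Event:
    kind: str                # "process", "registry" or "dns"
    pid: int
    image: str
    cmdline: str = ""
    parent_pid: int = 0
    sha256: str = ""
    target_object: str = ""  # registry value path (registry events)
    details: str = ""        # registry value data (registry events)
    query: str = ""          # queried name (dns events)


def detect(events):
    """Return (rule, pid, detail) tuples for every indicator that fires."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    hits = []
    for e in events:
        if e.kind == "process":
            if e.sha256.lower() in KNOWN_SHA256:
                hits.append(("known_hash", e.pid, KNOWN_SHA256[e.sha256.lower()]))
            m = SELF_DELETE_RE.search(e.cmdline)
            if m and e.image.lower().endswith("cmd.exe"):
                target = m.group("target").strip()
                parent = procs.get(e.parent_pid)
                if parent and parent.image.lower() == target.lower():
                    # The file being deleted is the parent's own image: self-deletion.
                    hits.append(("self_delete", e.parent_pid, target))
                else:
                    hits.append(("delayed_delete", e.pid, target))
        elif e.kind == "registry":
            if RUN_KEY_RE.search(e.target_object) and TEMP_PATH_RE.search(e.details):
                # Autostart entry whose data points into a user Temp directory.
                hits.append(("run_key_temp", e.pid, e.target_object))
        elif e.kind == "dns":
            if e.query.lower().rstrip(".") == SAKULA_C2:
                hits.append(("sakula_c2", e.pid, e.query))
    return hits


# Constructed events mirroring the report's process tree (PIDs and paths from the report).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\2db67f0f93300be187b2efd34afc82b1.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
SAMPLE_EVENTS = [
    Event("process", 2184, DROPPER, f'"{DROPPER}"',
          sha256="9f2cc213108a119a3fcd93915f48661ba83444906111b7b2af4450973e9cf04c"),
    Event("registry", 2184, DROPPER,
          target_object=r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
          details=PAYLOAD),
    Event("process", 960, PAYLOAD, PAYLOAD, parent_pid=2184,
          sha256="854eebff1386f35ce712922dfc99cdd0f371546e8d44cbd564e40248c1068733"),
    Event("process", 1856, r"C:\Windows\SysWOW64\cmd.exe",
          f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER}"',
          parent_pid=2184),
    Event("process", 2964, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1", parent_pid=1856),
    # Assumed, not from the report: the page shows no network capture.
    Event("dns", 960, PAYLOAD, query="www.polarroute.com"),
]


def rules_fired(events=SAMPLE_EVENTS):
    """Names of the rules that fire on the given events, sorted."""
    return sorted({rule for rule, _, _ in detect(events)})


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The self-delete rule only reports `self_delete` when the deleted path equals the parent's image; a ping-delayed `del` of some other file still surfaces as `delayed_delete`, because the same idiom is used to remove droppers whose child is the shell's grandparent or a sibling. Hash matching is the weakest of the four rules: a rebuilt sample changes every hash while the Run-value and self-delete patterns stay the same.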
Network
MITRE ATT&CK Enterprise v15
Downloads (files written during the run)
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DQ2SYU15\gfoxswdz478235458[1].htm
  Filesize: 1KB
  MD5: 8d4c07efda188f4ca3290b68b7b5c2b4
  SHA1: ba392480e4f36eaf02ce8df0e7b3ca86aebbd3ea
  SHA256: e27b64c9737988f9d6a1bff653e7de7b46c8150133d6b4e9061b70d70dbde8b4
  SHA512: fbbd1b4596151b13a9de1ed87c37783f2e7519c1e0b7f90fe00cba33a848b538fcb8474d0975fb18568085e81e84053d4ec2f18021fcc76cda68e0b808ed2ef2
  An INetCache entry like this is created when a process fetches a URL through WinINet/urlmon; the requested URL is not shown on this page, so the cache file is the only trace of HTTP activity here.
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 3.6MB
  MD5: 2354d1fde87b95552e5bc1ecc6c74391
  SHA1: 8132fca3556b87b890d56db663cb95625630e93d
  SHA256: 854eebff1386f35ce712922dfc99cdd0f371546e8d44cbd564e40248c1068733
  SHA512: a3573b0c20c115ad294ece8213a66cfb5bf1e45eda27f8f264fb6b1dbedfb8a6770c8e16ad06f08d5386f4d65f65b5a925c1bd658f10fdc3669d325cfcc7817a
  MediaCenter.exe has the same 3.6MB size as the submitted sample but different hashes, so it is a modified copy rather than a byte-for-byte duplicate; pivot on this file's hashes (the one that persists via the Run key), not only on the dropper's.