Analysis

max time kernel: 140s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11-04-2024 22:18
Static task: static1

Behavioral task: behavioral1
  Sample: 6ed57cc74fd6b6d1c0cbf3c4fe5b5beee47df148f1c8bdabbf1d3b9a17347231.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 6ed57cc74fd6b6d1c0cbf3c4fe5b5beee47df148f1c8bdabbf1d3b9a17347231.exe
  Resource: win10v2004-20240226-en
General

Target: 6ed57cc74fd6b6d1c0cbf3c4fe5b5beee47df148f1c8bdabbf1d3b9a17347231.exe
Size: 64KB
MD5: 1119a0e6971e5c0773c780ed380c9ae5
SHA1: 7b2ea5a52d4875caf342877befa5c1ea62e6db5d
SHA256: 6ed57cc74fd6b6d1c0cbf3c4fe5b5beee47df148f1c8bdabbf1d3b9a17347231
SHA512: 4154d97e6973b7c6b037dd274dee90f361a7dd4378de4c26454499df24513c6aaddf9a404346360b2c566ac4e5a502c4e54e1ed47456e6d3c9d382f4af3f4b5e
SSDEEP: 768:Y0gD04rmpLAuJGlfAHI9lqnP8q0gXg0uvsVWZz/L4i/ym23ysRaKFt9kS3DCkeI9:YNpmpkzAHkq0gXgffZgiKKsDNDCkruk
Malware Config

Extracted
  Family: sakula
  www.polarroute.com
Signatures

Sakula payload (6 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2744-6-0x0000000000400000-0x0000000000423000-memory.dmp    family_sakula
  behavioral1/memory/2744-8-0x0000000000400000-0x0000000000423000-memory.dmp    family_sakula
  behavioral1/memory/3028-7-0x0000000000400000-0x0000000000423000-memory.dmp    family_sakula
  behavioral1/memory/3028-14-0x0000000000400000-0x0000000000423000-memory.dmp   family_sakula
  behavioral1/memory/2744-18-0x0000000000400000-0x0000000000423000-memory.dmp   family_sakula
  behavioral1/memory/2744-24-0x0000000000400000-0x0000000000423000-memory.dmp   family_sakula

UPX dump on OEP (original entry point) (8 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/3028-0-0x0000000000400000-0x0000000000423000-memory.dmp    UPX
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                    UPX
  behavioral1/memory/2744-6-0x0000000000400000-0x0000000000423000-memory.dmp    UPX
  behavioral1/memory/2744-8-0x0000000000400000-0x0000000000423000-memory.dmp    UPX
  behavioral1/memory/3028-7-0x0000000000400000-0x0000000000423000-memory.dmp    UPX
  behavioral1/memory/3028-14-0x0000000000400000-0x0000000000423000-memory.dmp   UPX
  behavioral1/memory/2744-18-0x0000000000400000-0x0000000000423000-memory.dmp   UPX
  behavioral1/memory/2744-24-0x0000000000400000-0x0000000000423000-memory.dmp   UPX

Deletes itself (1 IoC)
  pid    process
  2724   cmd.exe

Executes dropped EXE (1 IoC)
  pid    process
  2744   MediaCenter.exe

Loads dropped DLL (1 IoC)
  pid    process
  3028   6ed57cc74fd6b6d1c0cbf3c4fe5b5beee47df148f1c8bdabbf1d3b9a17347231.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description       ioc                                                                                                                                                              process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"   6ed57cc74fd6b6d1c0cbf3c4fe5b5beee47df148f1c8bdabbf1d3b9a17347231.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                          pid    process
  Token: SeIncBasePriorityPrivilege    3028   6ed57cc74fd6b6d1c0cbf3c4fe5b5beee47df148f1c8bdabbf1d3b9a17347231.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid    process                                                                 target process
  PID 3028 wrote to memory of 2744   3028   6ed57cc74fd6b6d1c0cbf3c4fe5b5beee47df148f1c8bdabbf1d3b9a17347231.exe   MediaCenter.exe
  PID 3028 wrote to memory of 2744   3028   6ed57cc74fd6b6d1c0cbf3c4fe5b5beee47df148f1c8bdabbf1d3b9a17347231.exe   MediaCenter.exe
  PID 3028 wrote to memory of 2744   3028   6ed57cc74fd6b6d1c0cbf3c4fe5b5beee47df148f1c8bdabbf1d3b9a17347231.exe   MediaCenter.exe
  PID 3028 wrote to memory of 2744   3028   6ed57cc74fd6b6d1c0cbf3c4fe5b5beee47df148f1c8bdabbf1d3b9a17347231.exe   MediaCenter.exe
  PID 3028 wrote to memory of 2724   3028   6ed57cc74fd6b6d1c0cbf3c4fe5b5beee47df148f1c8bdabbf1d3b9a17347231.exe   cmd.exe
  PID 3028 wrote to memory of 2724   3028   6ed57cc74fd6b6d1c0cbf3c4fe5b5beee47df148f1c8bdabbf1d3b9a17347231.exe   cmd.exe
  PID 3028 wrote to memory of 2724   3028   6ed57cc74fd6b6d1c0cbf3c4fe5b5beee47df148f1c8bdabbf1d3b9a17347231.exe   cmd.exe
  PID 3028 wrote to memory of 2724   3028   6ed57cc74fd6b6d1c0cbf3c4fe5b5beee47df148f1c8bdabbf1d3b9a17347231.exe   cmd.exe
  PID 2724 wrote to memory of 2824   2724   cmd.exe                                                                 PING.EXE
  PID 2724 wrote to memory of 2824   2724   cmd.exe                                                                 PING.EXE
  PID 2724 wrote to memory of 2824   2724   cmd.exe                                                                 PING.EXE
  PID 2724 wrote to memory of 2824   2724   cmd.exe                                                                 PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\6ed57cc74fd6b6d1c0cbf3c4fe5b5beee47df148f1c8bdabbf1d3b9a17347231.exe (PID 3028)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6ed57cc74fd6b6d1c0cbf3c4fe5b5beee47df148f1c8bdabbf1d3b9a17347231.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2744)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe (PID 2724)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\6ed57cc74fd6b6d1c0cbf3c4fe5b5beee47df148f1c8bdabbf1d3b9a17347231.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (PID 2824)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 64KB
  MD5: 70396dc2c23af43dce6da5b7816a1ebe
  SHA1: 7545d001be38163feadfdc6441a2d413ed91e079
  SHA256: b8d3184b0704f550f2cb3425a207f284c563c792124e957c5cc00ae264a013ae
  SHA512: b75807600b5b7fbcedb10b91679ba822d0f38aa16c1cfc33d82dc0bfec55b2bca8cd7d4b1abd0decfaa714db583e4f27423ec2f4e12ad75395f3b9b058f64274

memory/2744-6-0x0000000000400000-0x0000000000423000-memory.dmp
  Filesize: 140KB

memory/2744-8-0x0000000000400000-0x0000000000423000-memory.dmp
  Filesize: 140KB

memory/2744-18-0x0000000000400000-0x0000000000423000-memory.dmp
  Filesize: 140KB

memory/2744-24-0x0000000000400000-0x0000000000423000-memory.dmp
  Filesize: 140KB

memory/3028-0-0x0000000000400000-0x0000000000423000-memory.dmp
  Filesize: 140KB

memory/3028-7-0x0000000000400000-0x0000000000423000-memory.dmp
  Filesize: 140KB

memory/3028-11-0x00000000001D0000-0x00000000001F3000-memory.dmp
  Filesize: 140KB

memory/3028-14-0x0000000000400000-0x0000000000423000-memory.dmp
  Filesize: 140KB

memory/3028-15-0x00000000001D0000-0x00000000001F3000-memory.dmp
  Filesize: 140KB