Analysis
- max time kernel: 141s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 09-10-2024 20:02
Behavioral task: behavioral1
- Sample: 35306d32cf510c233ddbd3ffd6b0613b4d3d47cadf7e17c948038e6d7f041243.exe
- Resource: win7-20240903-en
General
- Target: 35306d32cf510c233ddbd3ffd6b0613b4d3d47cadf7e17c948038e6d7f041243.exe
- Size: 41KB
- MD5: f2efcb0022bfaf9c509bc6160f08bb63
- SHA1: 75c016abb78026bd3841d2f5e71da5a879665b4e
- SHA256: 35306d32cf510c233ddbd3ffd6b0613b4d3d47cadf7e17c948038e6d7f041243
- SHA512: 8ccd327bd0403ff175fa1cc82c21cbc1522ff383400d34c20c804319f9fb2e06ef05ecad54d3a7381a07791036af1e5b3609503c014d2dedfebf320c14900a7a
- SSDEEP: 768:9zpVJi5kPTIukEYpcHOZ6rFSBZxkXNVkSXtfgn3JkcBwQoabJF7nbcuyD7UX:N/JKiMLE9bOq5fgn6Ozoaz7nouy8X
Malware Config
- Extracted: sakula
- www.polarroute.com
Signatures
- Sakula payload (6 IoCs)
  resource / yara_rule:
  - behavioral1/memory/2160-7-0x0000000000400000-0x000000000041E000-memory.dmp family_sakula
  - behavioral1/memory/756-8-0x0000000000400000-0x000000000041E000-memory.dmp family_sakula
  - behavioral1/memory/2160-10-0x0000000000400000-0x000000000041E000-memory.dmp family_sakula
  - behavioral1/memory/756-17-0x0000000000400000-0x000000000041E000-memory.dmp family_sakula
  - behavioral1/memory/2160-20-0x0000000000400000-0x000000000041E000-memory.dmp family_sakula
  - behavioral1/memory/2160-26-0x0000000000400000-0x000000000041E000-memory.dmp family_sakula
- Deletes itself (1 IoC)
  pid / Process: 2456 cmd.exe
- Executes dropped EXE (1 IoC)
  pid / Process: 2160 MediaCenter.exe
- Loads dropped DLL (1 IoC)
  pid / Process: 756 35306d32cf510c233ddbd3ffd6b0613b4d3d47cadf7e17c948038e6d7f041243.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / Process: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" 35306d32cf510c233ddbd3ffd6b0613b4d3d47cadf7e17c948038e6d7f041243.exe
- yara_rule matches tagged upx
  resource / yara_rule:
  - behavioral1/memory/756-0-0x0000000000400000-0x000000000041E000-memory.dmp upx
  - behavioral1/files/0x0009000000015d03-2.dat upx
  - behavioral1/memory/2160-7-0x0000000000400000-0x000000000041E000-memory.dmp upx
  - behavioral1/memory/756-8-0x0000000000400000-0x000000000041E000-memory.dmp upx
  - behavioral1/memory/2160-10-0x0000000000400000-0x000000000041E000-memory.dmp upx
  - behavioral1/memory/756-17-0x0000000000400000-0x000000000041E000-memory.dmp upx
  - behavioral1/memory/2160-20-0x0000000000400000-0x000000000041E000-memory.dmp upx
  - behavioral1/memory/2160-26-0x0000000000400000-0x000000000041E000-memory.dmp upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 35306d32cf510c233ddbd3ffd6b0613b4d3d47cadf7e17c948038e6d7f041243.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MediaCenter.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid / Process:
  - 2456 cmd.exe
  - 2520 PING.EXE
- Runs ping.exe (1 TTP, 1 IoC)
  pid / Process: 2520 PING.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description / pid / Process: Token: SeIncBasePriorityPrivilege 756 35306d32cf510c233ddbd3ffd6b0613b4d3d47cadf7e17c948038e6d7f041243.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / Process / procid_target:
  - PID 756 wrote to memory of 2160 756 35306d32cf510c233ddbd3ffd6b0613b4d3d47cadf7e17c948038e6d7f041243.exe 28
  - PID 756 wrote to memory of 2160 756 35306d32cf510c233ddbd3ffd6b0613b4d3d47cadf7e17c948038e6d7f041243.exe 28
  - PID 756 wrote to memory of 2160 756 35306d32cf510c233ddbd3ffd6b0613b4d3d47cadf7e17c948038e6d7f041243.exe 28
  - PID 756 wrote to memory of 2160 756 35306d32cf510c233ddbd3ffd6b0613b4d3d47cadf7e17c948038e6d7f041243.exe 28
  - PID 756 wrote to memory of 2456 756 35306d32cf510c233ddbd3ffd6b0613b4d3d47cadf7e17c948038e6d7f041243.exe 32
  - PID 756 wrote to memory of 2456 756 35306d32cf510c233ddbd3ffd6b0613b4d3d47cadf7e17c948038e6d7f041243.exe 32
  - PID 756 wrote to memory of 2456 756 35306d32cf510c233ddbd3ffd6b0613b4d3d47cadf7e17c948038e6d7f041243.exe 32
  - PID 756 wrote to memory of 2456 756 35306d32cf510c233ddbd3ffd6b0613b4d3d47cadf7e17c948038e6d7f041243.exe 32
  - PID 2456 wrote to memory of 2520 2456 cmd.exe 34
  - PID 2456 wrote to memory of 2520 2456 cmd.exe 34
  - PID 2456 wrote to memory of 2520 2456 cmd.exe 34
  - PID 2456 wrote to memory of 2520 2456 cmd.exe 34
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\35306d32cf510c233ddbd3ffd6b0613b4d3d47cadf7e17c948038e6d7f041243.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\35306d32cf510c233ddbd3ffd6b0613b4d3d47cadf7e17c948038e6d7f041243.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 756
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2160
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\35306d32cf510c233ddbd3ffd6b0613b4d3d47cadf7e17c948038e6d7f041243.exe"
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2456
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID: 2520
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation: Boot or Logon Autostart Execution (1) > Registry Run Keys / Startup Folder (1)
Downloads
- Filesize: 41KB
- MD5: eb5b405067a6b5425e6182f62c1b97f5
- SHA1: 41053c8b0a7701f2df30306c0072e12de75368c1
- SHA256: c88275b7102ab12beb48f87b9c71bb5535f4b876fce43e9367c939befa4aff93
- SHA512: 87bc85ad74e92a8680fabaed50d99cdbb4b368dd65fa90b52577435cc87cbe0bb34c842f498ea236fb4b5b2aa5254152da68eccec6aeb469ad16952a21620af5