Analysis
- max time kernel: 139s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-06-2024 02:54
Behavioral task: behavioral1
- Sample: c221c0b7c68a8c652a57fa433f0f21a5f9d94b13aedbcc9053eb28a41268e745.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: c221c0b7c68a8c652a57fa433f0f21a5f9d94b13aedbcc9053eb28a41268e745.exe
- Resource: win10v2004-20240508-en
General
- Target: c221c0b7c68a8c652a57fa433f0f21a5f9d94b13aedbcc9053eb28a41268e745.exe
- Size: 376KB
- MD5: 5a2adaed47828b90e6a01ee6cbff4729
- SHA1: d7fff8c492c9c1c692f3ee98c9712ee3fbb9155f
- SHA256: c221c0b7c68a8c652a57fa433f0f21a5f9d94b13aedbcc9053eb28a41268e745
- SHA512: dcfdefd2e88487956fb4d0d8a1857f56c3e0ed0389b21d459f9a5931de2a5e5644c8a6f90f787a3c603599d686996f4ccf74d344a6ba15a38fbe16a3e3455c93
- SSDEEP: 6144:M29qRfVSndj30B3wBxE1+ijiBKk3etdgI2MyzNORQtOfl1qNVo7R+S+N/TU7kn5Y:0RfQn+w8EYiBlMkn5Y
Malware Config
Extracted:
- sakula
- www.polarroute.com
Signatures
- Sakula payload (4 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/4564-1-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
    behavioral2/memory/2904-5-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
    behavioral2/memory/4564-6-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: c221c0b7c68a8c652a57fa433f0f21a5f9d94b13aedbcc9053eb28a41268e745.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | c221c0b7c68a8c652a57fa433f0f21a5f9d94b13aedbcc9053eb28a41268e745.exe
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
    pid | process
    2904 | MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: c221c0b7c68a8c652a57fa433f0f21a5f9d94b13aedbcc9053eb28a41268e745.exe
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | c221c0b7c68a8c652a57fa433f0f21a5f9d94b13aedbcc9053eb28a41268e745.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: c221c0b7c68a8c652a57fa433f0f21a5f9d94b13aedbcc9053eb28a41268e745.exe
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 4564 | c221c0b7c68a8c652a57fa433f0f21a5f9d94b13aedbcc9053eb28a41268e745.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: c221c0b7c68a8c652a57fa433f0f21a5f9d94b13aedbcc9053eb28a41268e745.exe, cmd.exe
    description | pid | process | target process
    PID 4564 wrote to memory of 2904 | 4564 | c221c0b7c68a8c652a57fa433f0f21a5f9d94b13aedbcc9053eb28a41268e745.exe | MediaCenter.exe
    PID 4564 wrote to memory of 2904 | 4564 | c221c0b7c68a8c652a57fa433f0f21a5f9d94b13aedbcc9053eb28a41268e745.exe | MediaCenter.exe
    PID 4564 wrote to memory of 2904 | 4564 | c221c0b7c68a8c652a57fa433f0f21a5f9d94b13aedbcc9053eb28a41268e745.exe | MediaCenter.exe
    PID 4564 wrote to memory of 4520 | 4564 | c221c0b7c68a8c652a57fa433f0f21a5f9d94b13aedbcc9053eb28a41268e745.exe | cmd.exe
    PID 4564 wrote to memory of 4520 | 4564 | c221c0b7c68a8c652a57fa433f0f21a5f9d94b13aedbcc9053eb28a41268e745.exe | cmd.exe
    PID 4564 wrote to memory of 4520 | 4564 | c221c0b7c68a8c652a57fa433f0f21a5f9d94b13aedbcc9053eb28a41268e745.exe | cmd.exe
    PID 4520 wrote to memory of 2592 | 4520 | cmd.exe | PING.EXE
    PID 4520 wrote to memory of 2592 | 4520 | cmd.exe | PING.EXE
    PID 4520 wrote to memory of 2592 | 4520 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\c221c0b7c68a8c652a57fa433f0f21a5f9d94b13aedbcc9053eb28a41268e745.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c221c0b7c68a8c652a57fa433f0f21a5f9d94b13aedbcc9053eb28a41268e745.exe"
  Signatures:
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures:
      - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\c221c0b7c68a8c652a57fa433f0f21a5f9d94b13aedbcc9053eb28a41268e745.exe"
    Signatures:
      - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures:
        - Runs ping.exe
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4036,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4204 /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 376KB
  MD5: 4d3c68d58218d184ef99962b7f8c3416
  SHA1: 8742532c30ee51638484de4c9a8ad643b14c0db7
  SHA256: dd3ae878db54c6fe173377d6c6c7b4d1c33428651346ca29ce44ceb780a413fa
  SHA512: 8cb22b89910b69dcb6ed55a73c312b1c409d59421bd72280057a59d3a77897c41f76453067af27404aaccd1a451d992ee37a716abe1ebc55803af0c88265edb5
- memory/2904-5-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/4564-1-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/4564-6-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB