Analysis
max time kernel: 144s
max time network: 139s
platform: windows7_x64
resource: win7-en-20211208
submitted: 21-01-2022 23:52
Static task: static1
Behavioral task: behavioral1
Sample: fc404ae4e968d35421598be460be1ca7e87128cc247be1905c29c560fb015915.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: fc404ae4e968d35421598be460be1ca7e87128cc247be1905c29c560fb015915.exe
Resource: win10-en-20211208
General
Target: fc404ae4e968d35421598be460be1ca7e87128cc247be1905c29c560fb015915.exe
Size: 117KB
MD5: fe74dc43af839146f64ec7bea752c4f0
SHA1: 570e72586b5451afef9a05fede4a9cd8f51cfc9a
SHA256: fc404ae4e968d35421598be460be1ca7e87128cc247be1905c29c560fb015915
SHA512: 4bea67cdfe8121e1f51863cddce0d7d331a5fbb438319df8c571992b9d90cbc852a3c3e2e9da898e576d2da8f5b7e78c437deb5d3d8d496fb84866266d43711d
Malware Config
Signatures

Sakula Payload (2 IoCs)
resource | yara_rule
behavioral1/memory/832-56-0x0000000010000000-0x000000001001F000-memory.dmp | family_sakula
behavioral1/memory/832-67-0x0000000000020000-0x000000000003D000-memory.dmp | family_sakula

Executes dropped EXE (1 IoC)
pid | process
524 | SensrSvc.exe

Deletes itself (1 IoC)
pid | process
528 | cmd.exe

Loads dropped DLL (2 IoCs)
pid | process
832 | fc404ae4e968d35421598be460be1ca7e87128cc247be1905c29c560fb015915.exe
832 | fc404ae4e968d35421598be460be1ca7e87128cc247be1905c29c560fb015915.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SenseSvc = "C:\\ProgramData\\SensrSvc.exe" | SensrSvc.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeIncBasePriorityPrivilege | 832 | fc404ae4e968d35421598be460be1ca7e87128cc247be1905c29c560fb015915.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | process | target process
PID 832 wrote to memory of 524 | 832 | fc404ae4e968d35421598be460be1ca7e87128cc247be1905c29c560fb015915.exe | SensrSvc.exe
PID 832 wrote to memory of 524 | 832 | fc404ae4e968d35421598be460be1ca7e87128cc247be1905c29c560fb015915.exe | SensrSvc.exe
PID 832 wrote to memory of 524 | 832 | fc404ae4e968d35421598be460be1ca7e87128cc247be1905c29c560fb015915.exe | SensrSvc.exe
PID 832 wrote to memory of 524 | 832 | fc404ae4e968d35421598be460be1ca7e87128cc247be1905c29c560fb015915.exe | SensrSvc.exe
PID 832 wrote to memory of 528 | 832 | fc404ae4e968d35421598be460be1ca7e87128cc247be1905c29c560fb015915.exe | cmd.exe
PID 832 wrote to memory of 528 | 832 | fc404ae4e968d35421598be460be1ca7e87128cc247be1905c29c560fb015915.exe | cmd.exe
PID 832 wrote to memory of 528 | 832 | fc404ae4e968d35421598be460be1ca7e87128cc247be1905c29c560fb015915.exe | cmd.exe
PID 832 wrote to memory of 528 | 832 | fc404ae4e968d35421598be460be1ca7e87128cc247be1905c29c560fb015915.exe | cmd.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\fc404ae4e968d35421598be460be1ca7e87128cc247be1905c29c560fb015915.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fc404ae4e968d35421598be460be1ca7e87128cc247be1905c29c560fb015915.exe"
   PID: 832
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\ProgramData\SensrSvc.exe
      Command line: C:\ProgramData\SensrSvc.exe
      PID: 524
      - Executes dropped EXE
      - Adds Run key to start application

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\FC404A~1.EXE > nul
      PID: 528
      - Deletes itself
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: fe74dc43af839146f64ec7bea752c4f0
SHA1: 570e72586b5451afef9a05fede4a9cd8f51cfc9a
SHA256: fc404ae4e968d35421598be460be1ca7e87128cc247be1905c29c560fb015915
SHA512: 4bea67cdfe8121e1f51863cddce0d7d331a5fbb438319df8c571992b9d90cbc852a3c3e2e9da898e576d2da8f5b7e78c437deb5d3d8d496fb84866266d43711d