Overview

overview

10

Static

static

8d168092d5...e9.exe

windows7_x64

10

8d168092d5...e9.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    22-01-2022 01:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8d168092d5601ebbaed24ec3caeef7454c48cf21366cd76560755eb33aff89e9.exe

  • Size

    496KB

  • MD5

    98721c78dfbf8a45d152a888c804427c

  • SHA1

    e8d06bd24e600f95b67786db6ff37da1c8995854

  • SHA256

    8d168092d5601ebbaed24ec3caeef7454c48cf21366cd76560755eb33aff89e9

  • SHA512

    5f5bf474744c715965a3fff72d5091cec45196b4c2afe44c3ae0e54e08a5a5b8c34494501961b6f2bdfa1a74f9d0b8990b09547beb34e8604ab735b944c15296

Score
10/10
sakulapersistencerattrojan

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

    trojanratsakula
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d168092d5601ebbaed24ec3caeef7454c48cf21366cd76560755eb33aff89e9.exe
    "C:\Users\Admin\AppData\Local\Temp\8d168092d5601ebbaed24ec3caeef7454c48cf21366cd76560755eb33aff89e9.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Users\Admin\AppData\Local\Temp\Center259387183.dat
      "C:\Users\Admin\AppData\Local\Temp\Center259387183.dat"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:656
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1400
        • C:\Windows\SysWOW64\reg.exe
          reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
          4⤵
          • Adds Run key to start application
          • Modifies registry key
          PID:1960
      • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        3⤵
        • Executes dropped EXE
        PID:636
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\Center259387183.dat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1936
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1460
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://extcitrix.we11point.com/vpn/index.php?ref=1
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:872
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:872 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:1980

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Center259387183.dat
    MD5

    cb56b1fc08451d1f56481a29bd1047e9

    SHA1

    c01fbb52a7a188c4f7441a808b153a34ec753a2d

    SHA256

    3e2805c14a8ec785a36022218a37a235abe4548baf1bde50aa05dc5692f01ed1

    SHA512

    b088e9d5b28727c23f54e84cffc5f249ddeb00cb0ce97c3776c3195d2a46e000b90690b17882110ed5d60b8184b0d77f8659b72608dc78899a1dcab582f55eb8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Center259387183.dat
    MD5

    cb56b1fc08451d1f56481a29bd1047e9

    SHA1

    c01fbb52a7a188c4f7441a808b153a34ec753a2d

    SHA256

    3e2805c14a8ec785a36022218a37a235abe4548baf1bde50aa05dc5692f01ed1

    SHA512

    b088e9d5b28727c23f54e84cffc5f249ddeb00cb0ce97c3776c3195d2a46e000b90690b17882110ed5d60b8184b0d77f8659b72608dc78899a1dcab582f55eb8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    4ef2f78ba07d3ecfd30997617520a6aa

    SHA1

    eb5a61ffa0f209e2362318e16f08580964981c49

    SHA256

    ede2962b66c3b771f887fdebea517d09576bdf897d778e24a8769b8485045c65

    SHA512

    3679e70c7f976fd7486e2921b111f77c9691e784dbbdb619a805328bf8ac69546ff4a184c37d0a06717a014476db759db507abd7e3b754e1aeec8ddf46b909c7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CRI8OCT3.txt
    MD5

    4ee915258c0c58d807e32b9f5c153c8c

    SHA1

    1fbad516f6dd437509eb2fbda29a619a3a1d1179

    SHA256

    11a259e09e060db82dbadaa534eb5437febb071fe06504bbd27edbc5fa53d78c

    SHA512

    93fadb831860306c8e9fddbe2e98aeb3ef547f94ed68749320ce8a55a5edabaebcab69279b251b20bd6a0336fb9714cf6cfeb243c14adec7e062fd53ea05d7db

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Center259387183.dat
    MD5

    cb56b1fc08451d1f56481a29bd1047e9

    SHA1

    c01fbb52a7a188c4f7441a808b153a34ec753a2d

    SHA256

    3e2805c14a8ec785a36022218a37a235abe4548baf1bde50aa05dc5692f01ed1

    SHA512

    b088e9d5b28727c23f54e84cffc5f249ddeb00cb0ce97c3776c3195d2a46e000b90690b17882110ed5d60b8184b0d77f8659b72608dc78899a1dcab582f55eb8

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Center259387183.dat
    MD5

    cb56b1fc08451d1f56481a29bd1047e9

    SHA1

    c01fbb52a7a188c4f7441a808b153a34ec753a2d

    SHA256

    3e2805c14a8ec785a36022218a37a235abe4548baf1bde50aa05dc5692f01ed1

    SHA512

    b088e9d5b28727c23f54e84cffc5f249ddeb00cb0ce97c3776c3195d2a46e000b90690b17882110ed5d60b8184b0d77f8659b72608dc78899a1dcab582f55eb8

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    4ef2f78ba07d3ecfd30997617520a6aa

    SHA1

    eb5a61ffa0f209e2362318e16f08580964981c49

    SHA256

    ede2962b66c3b771f887fdebea517d09576bdf897d778e24a8769b8485045c65

    SHA512

    3679e70c7f976fd7486e2921b111f77c9691e784dbbdb619a805328bf8ac69546ff4a184c37d0a06717a014476db759db507abd7e3b754e1aeec8ddf46b909c7

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    4ef2f78ba07d3ecfd30997617520a6aa

    SHA1

    eb5a61ffa0f209e2362318e16f08580964981c49

    SHA256

    ede2962b66c3b771f887fdebea517d09576bdf897d778e24a8769b8485045c65

    SHA512

    3679e70c7f976fd7486e2921b111f77c9691e784dbbdb619a805328bf8ac69546ff4a184c37d0a06717a014476db759db507abd7e3b754e1aeec8ddf46b909c7

    Download Submit

  • memory/1500-53-0x0000000074F01000-0x0000000074F03000-memory.dmp

    Filesize

    8KB

    Download