Analysis

  • max time kernel
    135s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    30-01-2022 21:35

General

  • Target

    b8bc59f0a3c34720a5f47b2cf769548f9c057605a94fe5e06361bbeb9801641b.exe

  • Size

    126KB

  • MD5

    260349f5343244c439b211d9f9ff53cf

  • SHA1

    5fbf3ca23f97deb97647ace003308129eeeac1ce

  • SHA256

    b8bc59f0a3c34720a5f47b2cf769548f9c057605a94fe5e06361bbeb9801641b

  • SHA512

    1c75c910e387dc2b1f20d45b418e38bccf1211ae23acc7163b26b9ed73271443115f2a2c5bf95e26356e2eb8dac90cd17d6d337c1dc4f1e4bfa232a5e7749714

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

  • Sakula Payload 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 47 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8bc59f0a3c34720a5f47b2cf769548f9c057605a94fe5e06361bbeb9801641b.exe
    "C:\Users\Admin\AppData\Local\Temp\b8bc59f0a3c34720a5f47b2cf769548f9c057605a94fe5e06361bbeb9801641b.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:596
    • C:\Users\Admin\AppData\Local\Temp\pdfforie.exe
      C:\Users\Admin\AppData\Local\Temp\pdfforie.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1356
      • C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
        C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
        3⤵
        • Executes dropped EXE
        PID:2232
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\pdfforie.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1348
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:720
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.qzbwcq.com/cookie.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1212
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1212 CREDAT:82945 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2276
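The process tree above records two behaviours worth turning into detection logic: a dropped binary executed from a subfolder of %TEMP% by a parent that also lives in %TEMP%, and the self-deletion trick in which cmd.exe runs `ping 127.0.0.1 & del /q "<dropper>"` so the dropper is removed after it exits (the ping only serves as a delay). The following Python is an added example, not part of the sandbox report: it runs both rules over process-creation records constructed from the tree above. The record schema (pid, ppid, image, command_line) is a simplified stand-in for a Sysmon Event ID 1 or EDR process-creation event, the PIDs are those the sandbox recorded, and the parent PID 400 for the initial sample plus the benign control event at the end are assumptions.

```python
"""Detection rules for the dropper behaviour seen in the process tree:
  temp_drop_exec      - image under %TEMP% launched by a parent under %TEMP%
  ping_del_selfdelete - 'ping ... & del ...' where the deleted path is the parent
Added example; the event schema is a simplified stand-in, not a product format."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b8bc59f0a3c34720a5f47b2cf769548f9c057605a94fe5e06361bbeb9801641b.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\pdfforie.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe"

# Constructed from the report's process tree. PPID 400 for the initial sample
# is an assumption (the report does not show its parent); the last record is a
# constructed benign control (an admin pinging a host from cmd, no del).
SAMPLE_EVENTS = [
    {"pid": 596,  "ppid": 400,  "image": SAMPLE,  "command_line": f'"{SAMPLE}"'},
    {"pid": 1356, "ppid": 596,  "image": DROPPER, "command_line": DROPPER},
    {"pid": 2232, "ppid": 1356, "image": PAYLOAD, "command_line": PAYLOAD},
    {"pid": 1348, "ppid": 1356, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\pdfforie.exe"'},
    {"pid": 720,  "ppid": 1348, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "command_line": "ping 127.0.0.1"},
    {"pid": 1212, "ppid": 596,  "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "command_line": r'"C:\Program Files\Internet Explorer\iexplore.exe" http://www.qzbwcq.com/cookie.html'},
    {"pid": 3000, "ppid": 2900, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c ping -n 4 10.0.0.1'},
]

# Path fragment that identifies the per-user temp directory (case-insensitive).
TEMP_MARKER = "\\appdata\\local\\temp\\"

# ping <args> & del [/flags] "<path>": the ping is a sleep, the del is the point.
PING_DEL = re.compile(
    r'\bping\b[^&]*&\s*del\b(?:\s+/\w+)*\s+"?(?P<target>[^"]+?)"?\s*$', re.I)


def in_temp(path):
    """True if the image path lies under %LOCALAPPDATA%\\Temp."""
    return TEMP_MARKER in path.lower()


def detect(events):
    """Return a list of findings, one dict per (rule, pid) hit."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        # Rule 1: a binary written to %TEMP% executed by another %TEMP% binary.
        if parent is not None and in_temp(e["image"]) and in_temp(parent["image"]):
            findings.append({"rule": "temp_drop_exec", "pid": e["pid"],
                             "detail": e["image"]})
        # Rule 2: ping-delayed del; strongest when the target is the parent itself.
        m = PING_DEL.search(e["command_line"])
        if m:
            target = m.group("target").strip()
            self_delete = parent is not None and target.lower() == parent["image"].lower()
            findings.append({"rule": "ping_del_selfdelete" if self_delete else "ping_del",
                             "pid": e["pid"], "detail": target})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:20} pid={f['pid']:<5} {f['detail']}")
```

Run against the constructed records this flags PIDs 1356 and 2232 (dropped executables run from %TEMP%) and PID 1348 as a self-delete of pdfforie.exe, while the IE launch, the bare ping.exe child and the benign `ping -n 4` control produce no finding. In a real pipeline the parent lookup should use the parent process GUID rather than PPID, since PIDs are reused once the dropper exits, which is exactly what this chain does.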

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    MD5

    77913080540cc7373c6757efd172eba7

    SHA1

    13f05349210ec6bf2af101f44fe8f6e37b303daf

    SHA256

    8be7e5dd8ee384a264a5813e199eddb7b8710b082d638294c72c6fb518257d16

    SHA512

    dad482654e8026918c5cb61eb992f58626fa787ce85769457f4544bf4e3204693f5271d31bf62f85de9d05adc49ef4865ae1ece1c58849e94da5475e59d6db11

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    MD5

    155060501c30219334cc00b4fb322170

    SHA1

    40547e5ed6c298573e1858a3afe05db78a986aad

    SHA256

    5c5670a29e04c3d0e74018467bbfc1b44830b04a50a1328edf3cb546713a477f

    SHA512

    8422f57311aa832342e603c233bf39d04debdce5d2474bcf87cd6973e93a6dcdf079ac5b053e2178e5d36f63a4993aefde5484e74da25fddcf4afb11f7bf7648

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\A5GV1THW.cookie

    MD5

    1bca38abaf718e8c22dd45745878c833

    SHA1

    54185ee31e40bbe891bdf965d8188872b333ef42

    SHA256

    b38e708cb152518302b74586691064d723763db3a8e898d69b1b50b44ecc2ea9

    SHA512

    036a2f6d0405596448194f42509f913187c10c223134b3467bd6919e7cf2c4f8ec969f57174c54a40932507aa0e530c12e44dd08b2685cdca07f6c8270e284dd

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

    MD5

    0f43d3de510a47e839341629c21b8ef4

    SHA1

    b1b0777274352ac396b08e0f0a0f79ead5e3ad47

    SHA256

    1aeac003b44b1fae08355ba2d506c4750d54e9b958896c7efe7e66f8e943c28f

    SHA512

    4becfa07d78759e38ef7c1dc41d00b43c2b449cdfd6d54938e7210e9f493104613bbf8c64ad04b87709ee9c29d969df39f7b73ee9b9b6e112ee114314f9eb05d

  • C:\Users\Admin\AppData\Local\Temp\pdfforie.exe

    MD5

    191696982f3f21a6ac31bf3549c94108

    SHA1

    b28806efad1136d03a4e6f34ed9d826fd828b535

    SHA256

    22f5fa60c2286e22bee79bcde6e9c7ee80b42ef308c6bb7aed6d6163e5da0214

    SHA512

    aa6d79fbce14f68e47dd7719e7dcb688dfd72b63db4e8ad3976351494df7221684621468380828c1aeca9f77c1156c8317524ee972696225c0d9be0dde8815ee
