Overview

overview

10

Static

static

d4be6c9117...8d.exe

windows7_x64

10

d4be6c9117...8d.exe

windows10_x64

10

Analysis

  • max time kernel
    128s
  • max time network
    165s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    30-01-2022 21:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d4be6c9117db9de21138ae26d1d0c3cfb38fd7a19fa07c828731fa2ac756ef8d.exe

  • Size

    438KB

  • MD5

    230d8a7a60a07df28a291b13ddf3351f

  • SHA1

    de71fd21781ae1eed0dbba6bf915a65cc4c0f984

  • SHA256

    d4be6c9117db9de21138ae26d1d0c3cfb38fd7a19fa07c828731fa2ac756ef8d

  • SHA512

    b3305950a8d24b247a16b35d49f53dfbc367332879ddafcb7d95a1c44ec02f7ed66d26acbf9992bf39193094c7bbefcbbe59ae514619491e148bb59cb32ddf01

Score
10/10
sakulapersistenceratsuricatatrojan

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

    trojanratsakula
  • suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5

    suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5

    suricata
  • suricata: ET MALWARE Possible Deep Panda User-Agent

    suricata: ET MALWARE Possible Deep Panda User-Agent

    suricata
  • suricata: ET MALWARE Sakula/Mivast C2 Activity

    suricata: ET MALWARE Sakula/Mivast C2 Activity

    suricata
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4be6c9117db9de21138ae26d1d0c3cfb38fd7a19fa07c828731fa2ac756ef8d.exe
    "C:\Users\Admin\AppData\Local\Temp\d4be6c9117db9de21138ae26d1d0c3cfb38fd7a19fa07c828731fa2ac756ef8d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1292
    • C:\Users\Admin\AppData\Local\Temp\Center259399507.dat
      "C:\Users\Admin\AppData\Local\Temp\Center259399507.dat"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1588
      • C:\Users\Admin\AppData\Local\Temp\s.exe
        "C:\Users\Admin\AppData\Local\Temp\s.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:268
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:852
          • C:\Windows\SysWOW64\reg.exe
            reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
            5⤵
            • Adds Run key to start application
            • Modifies registry key
            PID:952
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:964
          • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
            C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1812
            • C:\Windows\SysWOW64\svchost.exe
              "C:\Windows\system32\svchost.exe"
              6⤵
                PID:1640
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\s.exe" & del "C:\Users\Admin\AppData\Local\Temp\msi.dll" & del "C:\Users\Admin\AppData\Local\Temp\setup.msi"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1828
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              5⤵
              • Runs ping.exe
              PID:1460
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\Center259399507.dat"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1596
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1
            4⤵
            • Runs ping.exe
            PID:1512
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://sharepoint-vaeit.com/login.php?ref
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1940
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1940 CREDAT:275457 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1744

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Center259399507.dat
      MD5

      a0de79c3b449175aa97725e16c7e74b4

      SHA1

      1c57f8cb0fb4eb944634ae1e784bbf51c181a97a

      SHA256

      2102dd512f557bcd74d243c0354b9f58ced6036fc6a9be2620377890eec2348c

      SHA512

      d1a72cd238becabd9d0ab99cedddf22fbcdb6f410573995cd9f9c79efb68527d269e5f1331eee7905ee68af87be1dc1bd5b96769ac5b7ea30561cc84478a6e01

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Center259399507.dat
      MD5

      a0de79c3b449175aa97725e16c7e74b4

      SHA1

      1c57f8cb0fb4eb944634ae1e784bbf51c181a97a

      SHA256

      2102dd512f557bcd74d243c0354b9f58ced6036fc6a9be2620377890eec2348c

      SHA512

      d1a72cd238becabd9d0ab99cedddf22fbcdb6f410573995cd9f9c79efb68527d269e5f1331eee7905ee68af87be1dc1bd5b96769ac5b7ea30561cc84478a6e01

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      MD5

      d00b3169f45e74bb22a1cd684341b14a

      SHA1

      2d8e43f9f8ef6cdf0cafb170a65cb27d37fb166d

      SHA256

      83f40e70ea3ba0e614d08f1070dafe75092660003b8a1f8b563d4f5b012f4bae

      SHA512

      329438b4e6d13f9a420152e5c4ed410ae474d47cad858f218bfc8130a73d8d684d89c032cf87f74b9dc3e027bcb9fbe74fe2d4f15f4a59942c4da59b7099997e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      MD5

      d00b3169f45e74bb22a1cd684341b14a

      SHA1

      2d8e43f9f8ef6cdf0cafb170a65cb27d37fb166d

      SHA256

      83f40e70ea3ba0e614d08f1070dafe75092660003b8a1f8b563d4f5b012f4bae

      SHA512

      329438b4e6d13f9a420152e5c4ed410ae474d47cad858f218bfc8130a73d8d684d89c032cf87f74b9dc3e027bcb9fbe74fe2d4f15f4a59942c4da59b7099997e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\msi.dll
      MD5

      ca9e06c0679586d2ff3ff7e3416c8b87

      SHA1

      23d450989ce21cb94c0f9e552edd5eeb50b20fb3

      SHA256

      f414bcb7159a22279f893a257b52e387e4b14250dd9d0ecd871d9fa686cd26cd

      SHA512

      98a2c588a1b408f78e286540752121ac34e81963d559a8e00faa44b9a65ca2cb7265c0598aea57947d799604717cc2004fc6261e8e377a6ba6416421b44dda6e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\setup.msi
      MD5

      2c531fe9c05c5644f09fdbcbf993a737

      SHA1

      3c1185e2411549cc976cecc350f357a77de249eb

      SHA256

      680903d29590607a1ac4b77bb4cc900b382949800a1f49ebfa04b2492319118f

      SHA512

      859fa0f8efe37c196fe7bb43627c16129657dcf5ff96d23cd72c7770f564525c9b0c95ae68f0e7dad99ccf6bc97dbd5cdc4b3fb38c5fd3129a6308e3b01d7094

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\msi.dll
      MD5

      ca9e06c0679586d2ff3ff7e3416c8b87

      SHA1

      23d450989ce21cb94c0f9e552edd5eeb50b20fb3

      SHA256

      f414bcb7159a22279f893a257b52e387e4b14250dd9d0ecd871d9fa686cd26cd

      SHA512

      98a2c588a1b408f78e286540752121ac34e81963d559a8e00faa44b9a65ca2cb7265c0598aea57947d799604717cc2004fc6261e8e377a6ba6416421b44dda6e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\s.exe
      MD5

      d00b3169f45e74bb22a1cd684341b14a

      SHA1

      2d8e43f9f8ef6cdf0cafb170a65cb27d37fb166d

      SHA256

      83f40e70ea3ba0e614d08f1070dafe75092660003b8a1f8b563d4f5b012f4bae

      SHA512

      329438b4e6d13f9a420152e5c4ed410ae474d47cad858f218bfc8130a73d8d684d89c032cf87f74b9dc3e027bcb9fbe74fe2d4f15f4a59942c4da59b7099997e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\s.exe
      MD5

      d00b3169f45e74bb22a1cd684341b14a

      SHA1

      2d8e43f9f8ef6cdf0cafb170a65cb27d37fb166d

      SHA256

      83f40e70ea3ba0e614d08f1070dafe75092660003b8a1f8b563d4f5b012f4bae

      SHA512

      329438b4e6d13f9a420152e5c4ed410ae474d47cad858f218bfc8130a73d8d684d89c032cf87f74b9dc3e027bcb9fbe74fe2d4f15f4a59942c4da59b7099997e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\setup.msi
      MD5

      2c531fe9c05c5644f09fdbcbf993a737

      SHA1

      3c1185e2411549cc976cecc350f357a77de249eb

      SHA256

      680903d29590607a1ac4b77bb4cc900b382949800a1f49ebfa04b2492319118f

      SHA512

      859fa0f8efe37c196fe7bb43627c16129657dcf5ff96d23cd72c7770f564525c9b0c95ae68f0e7dad99ccf6bc97dbd5cdc4b3fb38c5fd3129a6308e3b01d7094

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\D6YTOL5S.txt
      MD5

      ce303b0b35073ac954c7947ce353eda0

      SHA1

      a9dd0aeee764780ee0e284769c65537cffe034fc

      SHA256

      3226f7f5a533629f7d1c5d14fdb9ceda5c236d0c4ed2f5a4312136520088291c

      SHA512

      e76d71d6150d0b67662b330af11dccf41df64d624dc20b99e61ed487bb17743e642a961eb4034dbf3a28cdd5b3dda1d594292bcd826e1f819853cc6b37d85981

      Download Submit

    • \Users\Admin\AppData\Local\Temp\Center259399507.dat
      MD5

      a0de79c3b449175aa97725e16c7e74b4

      SHA1

      1c57f8cb0fb4eb944634ae1e784bbf51c181a97a

      SHA256

      2102dd512f557bcd74d243c0354b9f58ced6036fc6a9be2620377890eec2348c

      SHA512

      d1a72cd238becabd9d0ab99cedddf22fbcdb6f410573995cd9f9c79efb68527d269e5f1331eee7905ee68af87be1dc1bd5b96769ac5b7ea30561cc84478a6e01

      Download Submit

    • \Users\Admin\AppData\Local\Temp\Center259399507.dat
      MD5

      a0de79c3b449175aa97725e16c7e74b4

      SHA1

      1c57f8cb0fb4eb944634ae1e784bbf51c181a97a

      SHA256

      2102dd512f557bcd74d243c0354b9f58ced6036fc6a9be2620377890eec2348c

      SHA512

      d1a72cd238becabd9d0ab99cedddf22fbcdb6f410573995cd9f9c79efb68527d269e5f1331eee7905ee68af87be1dc1bd5b96769ac5b7ea30561cc84478a6e01

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      MD5

      d00b3169f45e74bb22a1cd684341b14a

      SHA1

      2d8e43f9f8ef6cdf0cafb170a65cb27d37fb166d

      SHA256

      83f40e70ea3ba0e614d08f1070dafe75092660003b8a1f8b563d4f5b012f4bae

      SHA512

      329438b4e6d13f9a420152e5c4ed410ae474d47cad858f218bfc8130a73d8d684d89c032cf87f74b9dc3e027bcb9fbe74fe2d4f15f4a59942c4da59b7099997e

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MicroMedia\msi.dll
      MD5

      ca9e06c0679586d2ff3ff7e3416c8b87

      SHA1

      23d450989ce21cb94c0f9e552edd5eeb50b20fb3

      SHA256

      f414bcb7159a22279f893a257b52e387e4b14250dd9d0ecd871d9fa686cd26cd

      SHA512

      98a2c588a1b408f78e286540752121ac34e81963d559a8e00faa44b9a65ca2cb7265c0598aea57947d799604717cc2004fc6261e8e377a6ba6416421b44dda6e

      Download Submit

    • \Users\Admin\AppData\Local\Temp\msi.dll
      MD5

      ca9e06c0679586d2ff3ff7e3416c8b87

      SHA1

      23d450989ce21cb94c0f9e552edd5eeb50b20fb3

      SHA256

      f414bcb7159a22279f893a257b52e387e4b14250dd9d0ecd871d9fa686cd26cd

      SHA512

      98a2c588a1b408f78e286540752121ac34e81963d559a8e00faa44b9a65ca2cb7265c0598aea57947d799604717cc2004fc6261e8e377a6ba6416421b44dda6e

      Download Submit

    • \Users\Admin\AppData\Local\Temp\s.exe
      MD5

      d00b3169f45e74bb22a1cd684341b14a

      SHA1

      2d8e43f9f8ef6cdf0cafb170a65cb27d37fb166d

      SHA256

      83f40e70ea3ba0e614d08f1070dafe75092660003b8a1f8b563d4f5b012f4bae

      SHA512

      329438b4e6d13f9a420152e5c4ed410ae474d47cad858f218bfc8130a73d8d684d89c032cf87f74b9dc3e027bcb9fbe74fe2d4f15f4a59942c4da59b7099997e

      Download Submit

    • memory/268-67-0x00000000003D0000-0x00000000003DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/268-65-0x00000000003C0000-0x00000000003C8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1292-54-0x0000000076151000-0x0000000076153000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1640-80-0x00000000000C0000-0x00000000000C8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1640-83-0x0000000010000000-0x000000001000A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1812-78-0x0000000000250000-0x000000000025A000-memory.dmp

      Filesize

      40KB

      Download