Analysis
- max time kernel: 154s
- max time network: 123s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 30-01-2022 19:16
Static task: static1
Behavioral task: behavioral1
  Sample: 641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec.exe
  Resource: win10-en-20211208
General
- Target: 641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec.exe
- Size: 290KB
- MD5: 4f545dff49f81d08736a782751450f71
- SHA1: ad82ab937e28a6ddba4a837684185255b26d35ab
- SHA256: 641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec
- SHA512: b62d97e2c8e189020d2d736e449bf1d148b4f97e4f0f16141fcc78a37f5148d75cf5929e1da43492660f9c10261f180dd6af1dfd407470c171ef7faced7d1fb2
Malware Config
Signatures
- Sakula Payload (6 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1624-55-0x0000000010000000-0x000000001001F000-memory.dmp | family_sakula
  behavioral1/memory/1624-58-0x00000000001D0000-0x0000000000218000-memory.dmp | family_sakula
  \Users\Admin\AppData\Roaming\SensrSvc2013.exe | family_sakula
  \Users\Admin\AppData\Roaming\SensrSvc2013.exe | family_sakula
  C:\Users\Admin\AppData\Roaming\SensrSvc2013.exe | family_sakula
  C:\Users\Admin\AppData\Roaming\SensrSvc2013.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  760 | SensrSvc2013.exe
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  672 | cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  1624 | 641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec.exe
  1624 | 641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SenseSvc = "C:\\Users\\Admin\\AppData\\Roaming\\SensrSvc2013.exe" | SensrSvc2013.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1624 | 641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description | pid | process | target process
  PID 1624 wrote to memory of 760 | 1624 | 641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec.exe | SensrSvc2013.exe
  PID 1624 wrote to memory of 760 | 1624 | 641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec.exe | SensrSvc2013.exe
  PID 1624 wrote to memory of 760 | 1624 | 641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec.exe | SensrSvc2013.exe
  PID 1624 wrote to memory of 760 | 1624 | 641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec.exe | SensrSvc2013.exe
  PID 1624 wrote to memory of 672 | 1624 | 641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec.exe | cmd.exe
  PID 1624 wrote to memory of 672 | 1624 | 641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec.exe | cmd.exe
  PID 1624 wrote to memory of 672 | 1624 | 641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec.exe | cmd.exe
  PID 1624 wrote to memory of 672 | 1624 | 641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1624
  - C:\Users\Admin\AppData\Roaming\SensrSvc2013.exe
    Command line: C:\Users\Admin\AppData\Roaming\SensrSvc2013.exe
    - Executes dropped EXE
    - Adds Run key to start application
    PID: 760
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\641B22~1.EXE > nul
    - Deletes itself
    PID: 672
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 4f545dff49f81d08736a782751450f71
  SHA1: ad82ab937e28a6ddba4a837684185255b26d35ab
  SHA256: 641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec
  SHA512: b62d97e2c8e189020d2d736e449bf1d148b4f97e4f0f16141fcc78a37f5148d75cf5929e1da43492660f9c10261f180dd6af1dfd407470c171ef7faced7d1fb2