Analysis
max time kernel: 165s
max time network: 176s
platform: windows10_x64
resource: win10-en-20211208
submitted: 30-01-2022 19:16

Static task: static1
Behavioral task: behavioral1
  Sample: 641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec.exe
  Resource: win10-en-20211208
General
Target: 641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec.exe
Size: 290KB
MD5: 4f545dff49f81d08736a782751450f71
SHA1: ad82ab937e28a6ddba4a837684185255b26d35ab
SHA256: 641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec
SHA512: b62d97e2c8e189020d2d736e449bf1d148b4f97e4f0f16141fcc78a37f5148d75cf5929e1da43492660f9c10261f180dd6af1dfd407470c171ef7faced7d1fb2
Malware Config
Signatures
The signature hits below all come from behavioral2 (the win10-en-20211208 run).

Sakula Payload (3 IoCs)
  resource: behavioral2/memory/3632-119-0x0000000010000000-0x000000001001F000-memory.dmp  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Roaming\SensrSvc2013.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Roaming\SensrSvc2013.exe  yara_rule: family_sakula

Executes dropped EXE (1 IoC)
  pid: 800  process: SensrSvc2013.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SenseSvc = "C:\\Users\\Admin\\AppData\\Roaming\\SensrSvc2013.exe"
  process: SensrSvc2013.exe
  (note the value name SenseSvc differs from the dropped file name SensrSvc2013.exe, and the value is written under HKLM by a process running from the user's AppData\Roaming directory)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeIncBasePriorityPrivilege  pid: 3632  process: 641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3632 wrote to memory of 800  641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec.exe -> SensrSvc2013.exe  (reported 3 times)
  PID 3632 wrote to memory of 980  641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec.exe -> cmd.exe  (reported 3 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec.exe  (PID 3632)
   command line: "C:\Users\Admin\AppData\Local\Temp\641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\SensrSvc2013.exe  (PID 800)
      command line: C:\Users\Admin\AppData\Roaming\SensrSvc2013.exe
      - Executes dropped EXE
      - Adds Run key to start application
   2. C:\Windows\SysWOW64\cmd.exe  (PID 980)
      command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\641B22~1.EXE > nul
      (the sample deletes its own image via its 8.3 short name; the image path is SysWOW64\cmd.exe although the command line names system32, which is WoW64 file-system redirection for a 32-bit parent)
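The three behaviours the report records (a dropper executing the EXE it just wrote, a Run value pointing into a user-writable directory, and cmd.exe deleting the parent's own image by its 8.3 short name) are easy to miss with naive string matching. The following is an added example, not part of the sandbox report or of any tool behind it: detection logic run over constructed Sysmon-style events that reproduce the process tree and registry write above. The Event model and its field names, the explorer.exe parent, the benign installer event and the 8.3 heuristic are all assumptions made for this example; only the paths, PIDs, value name and command line come from the report.

```python
from __future__ import annotations
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Minimal event model. Field names follow Sysmon's (EID 1 process create,
# EID 11 file create, EID 13 registry value set), but the model is an
# assumption for this example, not a Sysmon parser.
@dataclass
class Event:
    event_id: int
    pid: int
    image: str
    command_line: str = ""
    parent_pid: Optional[int] = None
    parent_image: str = ""
    target_filename: str = ""   # EID 11: file written
    target_object: str = ""     # EID 13: registry value path
    details: str = ""           # EID 13: value data

# Directories an unprivileged user can write to; a Run value or a freshly
# executed image under one of these is the signal the report shows.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\",
                 "\\users\\public\\", "\\programdata\\")
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
# "cmd /c del <path> [> nul]" as emitted by the sample; '>' is excluded from
# the captured path so the redirection is never swallowed into it.
DEL_RE = re.compile(r"/c\s+del\s+(?:/[a-z]\s+)*\"?([^\">]+?)\"?\s*(?:>\s*nul)?\s*$", re.I)


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def matches_8dot3(short_name: str, long_name: str) -> bool:
    """Heuristic: could a DOS 8.3 name such as 641B22~1.EXE refer to long_name?
    Real 8.3 generation has more rules (hash-based tilde forms, stripped
    characters); this only checks the common prefix + ~N + 3-char extension
    case, which is the form the report's command line uses."""
    s_stem, s_ext = ntpath.splitext(short_name.upper())
    l_stem, l_ext = ntpath.splitext(long_name.upper())
    if "~" not in s_stem:
        return short_name.upper() == long_name.upper()
    prefix = s_stem.split("~", 1)[0]
    return (l_stem.replace(" ", "").replace(".", "").startswith(prefix)
            and l_ext[:4] == s_ext)


def same_file(candidate: str, image: str) -> bool:
    """Same directory (case-insensitive) and same file name, where the candidate
    may be the 8.3 form of the image's name."""
    c_dir, c_name = ntpath.split(candidate.strip())
    i_dir, i_name = ntpath.split(image)
    return c_dir.lower() == i_dir.lower() and matches_8dot3(c_name, i_name)


def detect(events: list[Event]) -> list[str]:
    """Return one finding string per matched behaviour, in event order."""
    findings: list[str] = []
    image_by_pid = {e.pid: e.image for e in events if e.event_id == 1}
    dropped: dict[str, int] = {}   # lower-cased path -> pid that wrote it
    for e in events:
        if e.event_id == 11:
            dropped[e.target_filename.lower()] = e.pid
        elif e.event_id == 13:
            if RUN_KEY_RE.search(e.target_object) and in_user_writable(e.details):
                value = e.target_object.rsplit("\\", 1)[-1]
                findings.append(f"run_key_to_user_path pid={e.pid} value={value} data={e.details}")
        elif e.event_id == 1:
            # Dropped EXE executed by the process that wrote it (EID 11 -> EID 1).
            if dropped.get(e.image.lower()) == e.parent_pid:
                findings.append(f"executes_dropped_exe pid={e.pid} image={e.image} dropper_pid={e.parent_pid}")
            # Self-deletion: match on the parent's Image, not its command line.
            parent_image = e.parent_image or image_by_pid.get(e.parent_pid, "")
            m = DEL_RE.search(e.command_line)
            if (ntpath.basename(e.image).lower() == "cmd.exe" and m and parent_image
                    and same_file(m.group(1), parent_image)):
                findings.append(f"self_delete_via_cmd pid={e.pid} parent_pid={e.parent_pid} target={m.group(1)}")
    return findings


SAMPLE = "641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
DROP = "C:\\Users\\Admin\\AppData\\Roaming\\SensrSvc2013.exe"

# Constructed events reproducing the report's process tree and registry write.
# The explorer.exe parent and the benign vendor installer are assumptions.
EVENTS = [
    Event(1, 3632, TEMP + SAMPLE, f'"{TEMP + SAMPLE}"', parent_pid=1000,
          parent_image="C:\\Windows\\explorer.exe"),
    Event(11, 3632, TEMP + SAMPLE, target_filename=DROP),
    Event(1, 800, DROP, DROP, parent_pid=3632, parent_image=TEMP + SAMPLE),
    Event(13, 800, DROP, details=DROP,
          target_object="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SenseSvc"),
    Event(1, 980, "C:\\Windows\\SysWOW64\\cmd.exe",
          "C:\\Windows\\system32\\cmd.exe /c del " + TEMP + "641B22~1.EXE > nul",
          parent_pid=3632, parent_image=TEMP + SAMPLE),
    Event(13, 1200, "C:\\Program Files\\Vendor\\setup.exe",
          target_object="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
          details="C:\\Program Files\\Vendor\\updater.exe"),
]

if __name__ == "__main__":
    for line in detect(EVENTS):
        print(line)
```

Two details matter in practice. The sample's `del` argument is `641B22~1.EXE`, so a plain comparison against the parent's image name never fires; comparing the directory exactly and the file name via the 8.3 heuristic does. And the child's Image is `C:\Windows\SysWOW64\cmd.exe` while its command line says `system32`, so rules that key on the command line's executable path will disagree with rules keyed on Image; this example matches only on Image and treats the command line purely as the source of the `del` argument.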
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 4f545dff49f81d08736a782751450f71
SHA1: ad82ab937e28a6ddba4a837684185255b26d35ab
SHA256: 641b225c6954c05482069a7b808b24ab8c9dc8c95790d8cf8f4c63d9ebbd6fec
SHA512: b62d97e2c8e189020d2d736e449bf1d148b4f97e4f0f16141fcc78a37f5148d75cf5929e1da43492660f9c10261f180dd6af1dfd407470c171ef7faced7d1fb2