Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    31-01-2022 01:05

General

  • Target

    59a7c19afa4baa80c90eec1a6f21311983029e923d1b0a483daf206dab991fc4.exe

  • Size

    123KB

  • MD5

    07b62497e41898c22e5d5351607aac8e

  • SHA1

    d85860554ea5718bbcbe877c1310c301a8d2d2ad

  • SHA256

    59a7c19afa4baa80c90eec1a6f21311983029e923d1b0a483daf206dab991fc4

  • SHA512

    72e32b134e72ba1b1bca0e6faa79c40e1f76766faefb11995788f26e2289f0aa32a2a1fde9db0a6037ccbfc8cebbc83118ee4199679719c239230c0dd7b6a28a

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

  • Sakula Payload 5 IoCs
  • suricata: ET MALWARE SUSPICIOUS UA (iexplore)
  • suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\59a7c19afa4baa80c90eec1a6f21311983029e923d1b0a483daf206dab991fc4.exe
    "C:\Users\Admin\AppData\Local\Temp\59a7c19afa4baa80c90eec1a6f21311983029e923d1b0a483daf206dab991fc4.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Users\Admin\AppData\Local\Temp\pdfforie.exe
      C:\Users\Admin\AppData\Local\Temp\pdfforie.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        3⤵
        • Executes dropped EXE
        PID:760
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\pdfforie.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1956
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:912
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://www.training-at-hps.com/asp/student/cookie.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:756
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:756 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:392

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    MD5

    2e33321c1f27dd8969f169106b63bb28

    SHA1

    71f67556f47aba5d810cadb28035119259cb69b7

    SHA256

    a240149452c0f77686ad8515ecab85d536c42497d34f13d705bb5df9297a4728

    SHA512

    80ed59a6f3b8dc4d847c71da446270aefa05b4d9581afc948c44327f3d85a90a81543c70fd4c4179091bcca27316a36c2673e8bf0591eb57f3a5b7134ab3d87b

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

    MD5

    bfc4758702b2c245d89ed4ab9682ff46

    SHA1

    21dc102330b1357ac4daff41a4994f74fd498de9

    SHA256

    c087f6b5a696d88864e30f16892fed90197bd4b83e2225c3484d4b7cdaaf96e4

    SHA512

    56a10963352f91c24abb70822ad4cd3ae6febf3c363847455f289f6c45880a5b41431bc5ad3b289094bbf43278c3b8c53415a22f4d9f3d0519f178c0d3255932

  • C:\Users\Admin\AppData\Local\Temp\pdfforie.exe

    MD5

    259ea5f6f3f1209de99d6eb27a301cb7

    SHA1

    ceb0574487e52ddf6a7963e7647f9ad74a42e339

    SHA256

    8239d115f3453c5ff7cdafc7878c9842e14e768a38c00de2f8f45e18659ca951

    SHA512

    6c75dc9a9755546c0e7a8b9a8ba167cc05176760a8dbec26689d4955b9c72243b0e07131e4dc3237a8751b6d831a6015e0f0c04bc3abd050c9d67f55fcec07d7

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0CD3OKDN.txt

    MD5

    64f8380b2f08c753d62230e7406f1aea

    SHA1

    0badc68c01c6eaa66c8cddb635467467f6847f33

    SHA256

    0e2118e317ccffb88a29c0ad3b69c025f97cd74c64307a7c422896fe29d2890a

    SHA512

    480a011daaf1307ba9787c7b4df6db7171ae6aab35a2999b4ce2613c1895296a2a200685942a77e57660cc475ca2192802ffa4d7f6f6d26746996da758e2e788

  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

    MD5

    bfc4758702b2c245d89ed4ab9682ff46

    SHA1

    21dc102330b1357ac4daff41a4994f74fd498de9

    SHA256

    c087f6b5a696d88864e30f16892fed90197bd4b83e2225c3484d4b7cdaaf96e4

    SHA512

    56a10963352f91c24abb70822ad4cd3ae6febf3c363847455f289f6c45880a5b41431bc5ad3b289094bbf43278c3b8c53415a22f4d9f3d0519f178c0d3255932

  • \Users\Admin\AppData\Local\Temp\pdfforie.exe

    MD5

    259ea5f6f3f1209de99d6eb27a301cb7

    SHA1

    ceb0574487e52ddf6a7963e7647f9ad74a42e339

    SHA256

    8239d115f3453c5ff7cdafc7878c9842e14e768a38c00de2f8f45e18659ca951

    SHA512

    6c75dc9a9755546c0e7a8b9a8ba167cc05176760a8dbec26689d4955b9c72243b0e07131e4dc3237a8751b6d831a6015e0f0c04bc3abd050c9d67f55fcec07d7

  • memory/2032-56-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

    Filesize

    8KB