Analysis
-
max time kernel
135s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 04:56
General
-
Target
13fb67872c5696f5639db4606411c18b6c816edfd009309cff535d74c14b17a0.exe
-
Size
79KB
-
MD5
6f5029e7b679c29c3cc377ee1d293ad1
-
SHA1
6f14c44e155845143c1a91e64c3e22f664236bf7
-
SHA256
13fb67872c5696f5639db4606411c18b6c816edfd009309cff535d74c14b17a0
-
SHA512
b07fd2f6ebd446ec6bc8565680a70ebba2f4e8ae518dd52e6f92686963bb444149b905a471b448b646e077380e27d688412d3dff25b192f49e69f4136245566b
Malware Config
Signatures
-
Sakula
Sakula is a remote access trojan with various capabilities.
-
Sakula Payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\13fb67872c5696f5639db4606411c18b6c816edfd009309cff535d74c14b17a0.exe"C:\Users\Admin\AppData\Local\Temp\13fb67872c5696f5639db4606411c18b6c816edfd009309cff535d74c14b17a0.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13fb67872c5696f5639db4606411c18b6c816edfd009309cff535d74c14b17a0.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
445e2869cef533899c608b053f24d45f
SHA115d1ec8963449992a550f8918318117b97dbe32f
SHA256e8b07c07a6a46a59833fcc8c7b8af84ae557b3b2bd6d233fc1842e433f9300ad
SHA512aa1ee6fc138c1271086e2a0e8da871f8afffb14589b0a2aedec3f39bd5deb4692d5bd192e37c9f471438dcb647a63fbcd9c0f564261797e4f2448a81f610d45f
-
MD5
445e2869cef533899c608b053f24d45f
SHA115d1ec8963449992a550f8918318117b97dbe32f
SHA256e8b07c07a6a46a59833fcc8c7b8af84ae557b3b2bd6d233fc1842e433f9300ad
SHA512aa1ee6fc138c1271086e2a0e8da871f8afffb14589b0a2aedec3f39bd5deb4692d5bd192e37c9f471438dcb647a63fbcd9c0f564261797e4f2448a81f610d45f
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
16KB