Analysis
-
max time kernel
157s -
max time network
180s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12-02-2022 11:02
General
-
Target
0578aded6b549aff597036154eac27e3dc5409b2fa885e23984e77cbc2a01ed1.exe
-
Size
216KB
-
MD5
ab82e84388b0519bfcf3d8e0131800f5
-
SHA1
adbe818edfd7c68f20dbc1ff153e8e405feb2c8f
-
SHA256
0578aded6b549aff597036154eac27e3dc5409b2fa885e23984e77cbc2a01ed1
-
SHA512
44f9d9b66cb3e8e92c8d155decafe587469028daef3e9df0ae4a91f64a05ca46ddfcefee29a4f24f337308269717c14ad7ad4af28163d8edc9c187a2e3c6abdd
Malware Config
Signatures
-
Sakula
Sakula is a remote access trojan with various capabilities.
-
Sakula Payload 4 IoCs
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0578aded6b549aff597036154eac27e3dc5409b2fa885e23984e77cbc2a01ed1.exe"C:\Users\Admin\AppData\Local\Temp\0578aded6b549aff597036154eac27e3dc5409b2fa885e23984e77cbc2a01ed1.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0578aded6b549aff597036154eac27e3dc5409b2fa885e23984e77cbc2a01ed1.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
0a6abe8e23574921adc1275fe796a02f
SHA1c1e220e02e92b02306db6e1b6a69c8f91937dbeb
SHA256ae7f93e3785bce8bae8a607a357af9d9ad8bda4ba17675c2a41f8bdb23eff78a
SHA512b9c49c846bfec728af5f9b92a5e2d472203999ccecc8725db37aed4f0d8299fa5c693ffd8b4158be01b1c2c98530796b0523f3b7193b356a639db9501f472202
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeMD5
0a6abe8e23574921adc1275fe796a02f
SHA1c1e220e02e92b02306db6e1b6a69c8f91937dbeb
SHA256ae7f93e3785bce8bae8a607a357af9d9ad8bda4ba17675c2a41f8bdb23eff78a
SHA512b9c49c846bfec728af5f9b92a5e2d472203999ccecc8725db37aed4f0d8299fa5c693ffd8b4158be01b1c2c98530796b0523f3b7193b356a639db9501f472202
-
memory/3924-132-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/4276-133-0x00000278CB9A0000-0x00000278CB9B0000-memory.dmpFilesize
64KB
-
memory/4276-134-0x00000278CC020000-0x00000278CC030000-memory.dmpFilesize
64KB
-
memory/4276-135-0x00000278CE720000-0x00000278CE724000-memory.dmpFilesize
16KB
-
memory/4848-136-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB