Overview

overview

10

Static

static

dfff15bafd...1c.exe

windows7_x64

10

dfff15bafd...1c.exe

windows10_x64

10

dfff15bafd...1c.exe

windows10-2004_x64

10

Resubmissions

22-02-2022 12:38

220222-pt2afaaabn 10

06-07-2020 07:26

200706-je7e9l28s2 1

Analysis

  • max time kernel
    287s
  • max time network
    301s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    22-02-2022 12:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dfff15bafd692a0fdaba1112db5e45bf833beded493f1f97f4264b175ade1a1c.exe

  • Size

    77KB

  • MD5

    cce983f04093a936e29dbf1d7078bc53

  • SHA1

    619637bdcb8ed1a59e36e6badd1a189bdb35bc2f

  • SHA256

    dfff15bafd692a0fdaba1112db5e45bf833beded493f1f97f4264b175ade1a1c

  • SHA512

    2d84b360e7d5c636b5a893de51a2bc49392731660562be5a1117f9924d6e3f872d74af6a279b71fbb4cb4b1430ca02395d5e160a945d125cf1d3fef9b615d0a5

Score
10/10
sakulapersistenceratsuricatatrojan

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

    trojanratsakula
  • suricata: ET MALWARE Possible DEEP PANDA C2 Activity

    suricata: ET MALWARE Possible DEEP PANDA C2 Activity

    suricata
  • suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5

    suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5

    suricata
  • suricata: ET MALWARE Sakula/Mivast C2 Activity

    suricata: ET MALWARE Sakula/Mivast C2 Activity

    suricata
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 52 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dfff15bafd692a0fdaba1112db5e45bf833beded493f1f97f4264b175ade1a1c.exe
    "C:\Users\Admin\AppData\Local\Temp\dfff15bafd692a0fdaba1112db5e45bf833beded493f1f97f4264b175ade1a1c.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3832
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:1288
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3240
      • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        3⤵
        • Executes dropped EXE
        PID:640
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\dfff15bafd692a0fdaba1112db5e45bf833beded493f1f97f4264b175ade1a1c.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3104
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1576
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:3732
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:3568
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k wusvcs -p
    1⤵
      PID:2900

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Remote System Discovery

    1
    T1018

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      MD5

      f50ac5fdc669e8b356dfb57955fd816f

      SHA1

      7aaa0c83df840bde615e42dc040ae63aa8de3b6d

      SHA256

      a803971c56133086a9c36f94a5732e586c2beea572096a0e5f7df97fa9dbb40a

      SHA512

      a06d7257193347c42711b617fdcbae7f1ae8eecd3c64ad7b10043a1482bee2337e6a2243fbd38fec70c6e82a30e4d035fc003b63f734770308ef812667b26706

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      MD5

      f50ac5fdc669e8b356dfb57955fd816f

      SHA1

      7aaa0c83df840bde615e42dc040ae63aa8de3b6d

      SHA256

      a803971c56133086a9c36f94a5732e586c2beea572096a0e5f7df97fa9dbb40a

      SHA512

      a06d7257193347c42711b617fdcbae7f1ae8eecd3c64ad7b10043a1482bee2337e6a2243fbd38fec70c6e82a30e4d035fc003b63f734770308ef812667b26706

      Download Submit
    • memory/2636-130-0x0000000000401000-0x0000000000404000-memory.dmp
      Filesize

      12KB

      Download