Overview

overview

10

Static

static

130d67c50b...78.exe

windows7_x64

10

130d67c50b...78.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    03-06-2022 13:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    130d67c50bd649897b9198b090f6137b792a8415a03abf04b13063eaa93ac678.exe

  • Size

    19KB

  • MD5

    4f3cfe776b67016579985dcae493079c

  • SHA1

    d7f77c3dabc8ee72bbaee9c8dcd5bfe79ce2f777

  • SHA256

    130d67c50bd649897b9198b090f6137b792a8415a03abf04b13063eaa93ac678

  • SHA512

    3b767573ad3919b7765a64ba31134e0a19a297fb72a4c9f7f89e72e3f9f0d1d69807a838d762c993cfa2bba1fa6f55c7c360296599b7f4d9e10c7923ae425066

Score
10/10
sakulapersistenceratsuricatatrojan

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

    trojanratsakula
  • suricata: ET MALWARE Possible DEEP PANDA C2 Activity

    suricata: ET MALWARE Possible DEEP PANDA C2 Activity

    suricata
  • suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5

    suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5

    suricata
  • suricata: ET MALWARE Sakula/Mivast C2 Activity

    suricata: ET MALWARE Sakula/Mivast C2 Activity

    suricata
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\130d67c50bd649897b9198b090f6137b792a8415a03abf04b13063eaa93ac678.exe
    "C:\Users\Admin\AppData\Local\Temp\130d67c50bd649897b9198b090f6137b792a8415a03abf04b13063eaa93ac678.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:796
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:1936
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4548
      • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        3⤵
        • Executes dropped EXE
        PID:1924
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\130d67c50bd649897b9198b090f6137b792a8415a03abf04b13063eaa93ac678.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4540
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Filesize

    19KB

    MD5

    40f379e5183102009bfe19e35bed7f79

    SHA1

    5b1e9abfc37e9df431ceb057a2561bd2d67d724d

    SHA256

    0666f8aba38789da1e80ec5c231e1587d6c33188978b5fd5ffa223f569b1f3bd

    SHA512

    4faf3bbbe52b915482d163de4d0863ac918e86b7f6d60fcd4964be0d4101ad8efe26b401309caf147209d634d5748a642509bacc68993dbc2de51144f924af84

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Filesize

    19KB

    MD5

    40f379e5183102009bfe19e35bed7f79

    SHA1

    5b1e9abfc37e9df431ceb057a2561bd2d67d724d

    SHA256

    0666f8aba38789da1e80ec5c231e1587d6c33188978b5fd5ffa223f569b1f3bd

    SHA512

    4faf3bbbe52b915482d163de4d0863ac918e86b7f6d60fcd4964be0d4101ad8efe26b401309caf147209d634d5748a642509bacc68993dbc2de51144f924af84

    Download Submit
  • memory/796-131-0x0000000000030000-0x0000000000034000-memory.dmp
    Filesize

    16KB

    Download
  • memory/796-135-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/796-130-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/1924-141-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/1924-144-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/1924-143-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/1924-142-0x0000000000030000-0x0000000000034000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1924-136-0x0000000000000000-mapping.dmp
    Download
  • memory/1936-139-0x0000000000000000-mapping.dmp
    Download
  • memory/2216-132-0x0000000000000000-mapping.dmp
    Download
  • memory/2880-140-0x0000000000000000-mapping.dmp
    Download
  • memory/4540-134-0x0000000000000000-mapping.dmp
    Download
  • memory/4548-133-0x0000000000000000-mapping.dmp
    Download