Analysis

  • max time kernel
    152s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2023 21:49

General

  • Target

    82b565fa498294072fe2935c5f222301_JC.exe

  • Size

    101KB

  • MD5

    82b565fa498294072fe2935c5f222301

  • SHA1

    1443cf64bf5c628a0a1676281ce121427831f874

  • SHA256

    39695dc410cc3fc588b1bb1623051485ceca6bf0f945ffd75cd5346b0d387095

  • SHA512

    b0a59103d1301aa931f7543c0fbad147eaaaf53dc8e97b93f9bfe4e7c2bf30492ed1bee8cdcfc1b656d75aad6fe30f12791f1b122bc56d75905f41107bbaba21

  • SSDEEP

    1536:9JbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrfPTEzA:/bfVk29te2jqxCEtg30BLbEM

Malware Config

Extracted

Family

sakula

C2

www.savmpet.com

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

  • Sakula payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\82b565fa498294072fe2935c5f222301_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\82b565fa498294072fe2935c5f222301_JC.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4964
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
      2⤵
      • Executes dropped EXE
      PID:3940
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\82b565fa498294072fe2935c5f222301_JC.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3960
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:4512

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

    Filesize

    101KB

    MD5

    95abee92b145c342fdb9a98777e9d00b

    SHA1

    ab062644b4688d98f9b1ab7bf0989c92d46f1fab

    SHA256

    2099c6a7a61813856e05b7ab2d9c1f2f13bcb0383ea489f00b89255021ceab39

    SHA512

    3ab6dee3bc998d54d2ba6d2937bd3c775a4b671a7ca0e046f30e84824b07ef4479b1125f80ab73acbbae6eb72a11acebea03cd8b4de5719247e969daf25d0b9f

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

    Filesize

    101KB

    MD5

    95abee92b145c342fdb9a98777e9d00b

    SHA1

    ab062644b4688d98f9b1ab7bf0989c92d46f1fab

    SHA256

    2099c6a7a61813856e05b7ab2d9c1f2f13bcb0383ea489f00b89255021ceab39

    SHA512

    3ab6dee3bc998d54d2ba6d2937bd3c775a4b671a7ca0e046f30e84824b07ef4479b1125f80ab73acbbae6eb72a11acebea03cd8b4de5719247e969daf25d0b9f