Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231130-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231130-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-12-2023 16:32

General

  • Target

    d4be6c9117db9de21138ae26d1d0c3cfb38fd7a19fa07c828731fa2ac756ef8d.exe

  • Size

    438KB

  • MD5

    230d8a7a60a07df28a291b13ddf3351f

  • SHA1

    de71fd21781ae1eed0dbba6bf915a65cc4c0f984

  • SHA256

    d4be6c9117db9de21138ae26d1d0c3cfb38fd7a19fa07c828731fa2ac756ef8d

  • SHA512

    b3305950a8d24b247a16b35d49f53dfbc367332879ddafcb7d95a1c44ec02f7ed66d26acbf9992bf39193094c7bbefcbbe59ae514619491e148bb59cb32ddf01

  • SSDEEP

    6144:Ldgv30si81H+Uyc4WLrxBcQtz8Q0bDC3zUonh8CD2Kc+hO:W71HTyc4WnxBF8Q02UonhsF+hO

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4be6c9117db9de21138ae26d1d0c3cfb38fd7a19fa07c828731fa2ac756ef8d.exe
    "C:\Users\Admin\AppData\Local\Temp\d4be6c9117db9de21138ae26d1d0c3cfb38fd7a19fa07c828731fa2ac756ef8d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:856
    • C:\Users\Admin\AppData\Local\Temp\Center259394734.dat
      "C:\Users\Admin\AppData\Local\Temp\Center259394734.dat"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Users\Admin\AppData\Local\Temp\s.exe
        "C:\Users\Admin\AppData\Local\Temp\s.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3056
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2524
          • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
            C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2976
            • C:\Windows\SysWOW64\svchost.exe
              "C:\Windows\system32\svchost.exe"
              6⤵
                PID:2560
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\s.exe" & del "C:\Users\Admin\AppData\Local\Temp\msi.dll" & del "C:\Users\Admin\AppData\Local\Temp\setup.msi"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2552
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              5⤵
              • Runs ping.exe
              PID:2404
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2500
            • C:\Windows\SysWOW64\reg.exe
              reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
              5⤵
              • Adds Run key to start application
              • Modifies registry key
              PID:2696
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\Center259394734.dat"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2480
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1
            4⤵
            • Runs ping.exe
            PID:2784
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://sharepoint-vaeit.com/login.php?ref
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2960
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2960 CREDAT:275457 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2732

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\msi.dll
      Filesize

      2KB

      MD5

      ca9e06c0679586d2ff3ff7e3416c8b87

      SHA1

      23d450989ce21cb94c0f9e552edd5eeb50b20fb3

      SHA256

      f414bcb7159a22279f893a257b52e387e4b14250dd9d0ecd871d9fa686cd26cd

      SHA512

      98a2c588a1b408f78e286540752121ac34e81963d559a8e00faa44b9a65ca2cb7265c0598aea57947d799604717cc2004fc6261e8e377a6ba6416421b44dda6e

    • C:\Users\Admin\AppData\Local\Temp\setup.msi
      Filesize

      29KB

      MD5

      2c531fe9c05c5644f09fdbcbf993a737

      SHA1

      3c1185e2411549cc976cecc350f357a77de249eb

      SHA256

      680903d29590607a1ac4b77bb4cc900b382949800a1f49ebfa04b2492319118f

      SHA512

      859fa0f8efe37c196fe7bb43627c16129657dcf5ff96d23cd72c7770f564525c9b0c95ae68f0e7dad99ccf6bc97dbd5cdc4b3fb38c5fd3129a6308e3b01d7094

    • \Users\Admin\AppData\Local\Temp\Center259394734.dat
      Filesize

      69KB

      MD5

      a0de79c3b449175aa97725e16c7e74b4

      SHA1

      1c57f8cb0fb4eb944634ae1e784bbf51c181a97a

      SHA256

      2102dd512f557bcd74d243c0354b9f58ced6036fc6a9be2620377890eec2348c

      SHA512

      d1a72cd238becabd9d0ab99cedddf22fbcdb6f410573995cd9f9c79efb68527d269e5f1331eee7905ee68af87be1dc1bd5b96769ac5b7ea30561cc84478a6e01

    • \Users\Admin\AppData\Local\Temp\s.exe
      Filesize

      33KB

      MD5

      d00b3169f45e74bb22a1cd684341b14a

      SHA1

      2d8e43f9f8ef6cdf0cafb170a65cb27d37fb166d

      SHA256

      83f40e70ea3ba0e614d08f1070dafe75092660003b8a1f8b563d4f5b012f4bae

      SHA512

      329438b4e6d13f9a420152e5c4ed410ae474d47cad858f218bfc8130a73d8d684d89c032cf87f74b9dc3e027bcb9fbe74fe2d4f15f4a59942c4da59b7099997e

    • memory/2560-39-0x0000000000080000-0x0000000000088000-memory.dmp
      Filesize

      32KB

    • memory/2560-42-0x0000000010000000-0x000000001000A000-memory.dmp
      Filesize

      40KB

    • memory/2560-41-0x0000000000080000-0x0000000000088000-memory.dmp
      Filesize

      32KB

    • memory/3056-20-0x0000000000240000-0x0000000000248000-memory.dmp
      Filesize

      32KB

    • memory/3056-21-0x0000000000250000-0x000000000025A000-memory.dmp
      Filesize

      40KB

    • memory/3056-26-0x0000000000240000-0x0000000000248000-memory.dmp
      Filesize

      32KB

    • memory/3056-45-0x0000000000240000-0x0000000000248000-memory.dmp
      Filesize

      32KB