Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

abd5b72af7...51.exe

windows7-x64

10

abd5b72af7...51.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/03/2024, 22:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    abd5b72af7ebe14e1c3b7540de2e30cf31e852b53b2c6a55251a6e6756e35a51.exe

  • Size

    212KB

  • MD5

    1357e64b7017ef220c506b4b539e1a87

  • SHA1

    2eaa81c569c5e626d8a36dbdafa285a88d1c2ab1

  • SHA256

    abd5b72af7ebe14e1c3b7540de2e30cf31e852b53b2c6a55251a6e6756e35a51

  • SHA512

    e226ca35d6e841f0e9b3eacfb323cdecdc4e6a950dcbe6295203cd9ef55d2038c9d9b24c662d6d7f7a77cabface9b2d73fc70fa56f1e6d6e8be561c6bbcca012

  • SSDEEP

    1536:ftQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX++pdz30rtr8gjXjp0SanB1:u29DkEGRQixVSjLc130BYgjXjpgnB1

Score
10/10
sakulapersistencerattrojanupx

Malware Config

Extracted

Family

sakula

C2

www.polarroute.com

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

    trojanratsakula
  • Sakula payload 6 IoCs
  • UPX dump on OEP (original entry point) 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\abd5b72af7ebe14e1c3b7540de2e30cf31e852b53b2c6a55251a6e6756e35a51.exe
    "C:\Users\Admin\AppData\Local\Temp\abd5b72af7ebe14e1c3b7540de2e30cf31e852b53b2c6a55251a6e6756e35a51.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4532
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:4704
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\abd5b72af7ebe14e1c3b7540de2e30cf31e852b53b2c6a55251a6e6756e35a51.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3720
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:4044

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Filesize

    212KB

    MD5

    f322cb0376caae1de7743a51bb71b11e

    SHA1

    6c332c8e9f67966f105fba30e39df43f18a0052e

    SHA256

    8df21b8ecc104329b5131e97046a1f350e74ea2d1dec4550cc8e84b276e7f51e

    SHA512

    06fd306a304a571c1eaabcbf48081492f81e8c606cc2d70fd2be85caeb9768c5c5eeb87866c2158339a10a3af09702e5d36b6977ff113a436533dbc5aa1230d1

    Download Submit

  • memory/4532-0-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4532-6-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4532-8-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4704-4-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4704-7-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download