Analysis
-
max time kernel
144s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
31-08-2024 08:14
General
-
Target
00803b2a9624ab755ca403c3abbf03d7dc3ac396a7c3fbcfb7471d7281cdf9d0.exe
-
Size
4.0MB
-
MD5
a9035c52848767458693dbff0b0039f2
-
SHA1
d95b563c788e34ce885299115fb0caaa1346388d
-
SHA256
00803b2a9624ab755ca403c3abbf03d7dc3ac396a7c3fbcfb7471d7281cdf9d0
-
SHA512
dca3db6af52e2c4219587f70b6cb6cccd9df4ec7b75618e0c1365b4ea745e67b334b8fda8ea74ea4dade53ba89211f660720e1b2b811f1aa2ac4a10d658135d0
-
SSDEEP
24576:DF9mrnE2Z1y/6oTNBZrBEu8C7jnIQCwRO/wTGS5DBMY4:DD2Z1qT3Zz888QCwRO/wT/aY4
Malware Config
Signatures
-
Sakula
Sakula is a remote access trojan with various capabilities.
-
Sakula payload 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\00803b2a9624ab755ca403c3abbf03d7dc3ac396a7c3fbcfb7471d7281cdf9d0.exe"C:\Users\Admin\AppData\Local\Temp\00803b2a9624ab755ca403c3abbf03d7dc3ac396a7c3fbcfb7471d7281cdf9d0.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\00803b2a9624ab755ca403c3abbf03d7dc3ac396a7c3fbcfb7471d7281cdf9d0.exe"2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.0MB
MD5f21da5abc49286dfb918d355ef1b3fcf
SHA1777b4a4f6603d57937c66dbde91694a37a8dd8b2
SHA256711b38138d00e9a3fcceb9d1a1760097d940f6eff5756f6dcb936d484c3cb2fa
SHA512a1c34fcc2d677b31399416e5cf175dffd2b04ea6850f5842aca70a1dbad7bb9a7f8b50d814d27bbfe2d65a035d38ccc0e8029ae6f6fa8c3617e54b1895529e43