Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
22-11-2024 13:43
General
-
Target
d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe
-
Size
92KB
-
MD5
030bf5cf1828d8bc62c783e739cfd540
-
SHA1
025fc8b7fe036d1fe0541b6bc162da6888aa7392
-
SHA256
d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0
-
SHA512
2af948dfab1928dfc9de82a4254b62d3be180ff918741fc8f54277f3cfd1a71b44d7ca4e42e324b109bb6b4918c09674b934e7678d49ae7ca4526664fef9d249
-
SSDEEP
1536:TJbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrM:9bfVk29te2jqxCEtg30BA
Malware Config
Extracted
sakula
www.savmpet.com
Signatures
-
Sakula
Sakula is a remote access trojan with various capabilities.
-
Sakula family
-
Sakula payload 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 4 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe"C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe"2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD58dc25aec0736de98d8287a4c7491ff40
SHA1d69c86d66157d46d31f7ed863ac78cf39b533b83
SHA2567fc2a16c530868accd27d8e4d47a4f56effec8c241d12928e432ceddd679806a
SHA512ad434a6e4ba8495206bb020f7e17444064fc322d3abb4a58c3a3529dddb07aff08b1db24ebfd055df675a845de52709fa1910d3e1d3d47ab6c6d8f7e2a82d016