Analysis
-
max time kernel
136s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
10-12-2024 12:45
General
-
Target
c0d200da66ed310cb501886ae3eb8feeac8905c9ac7847d7b04c5295bfd5a4a9.exe
-
Size
92KB
-
MD5
e76317033682333166458d92c0d7bb4a
-
SHA1
437bc205fca3a0fe8d355b76e8aa9d053d0d774f
-
SHA256
c0d200da66ed310cb501886ae3eb8feeac8905c9ac7847d7b04c5295bfd5a4a9
-
SHA512
2ef6e06b59824f3f854b04be8aed26be2855815269fbeba9bb471ada3cfa9d35bfc8ec1a6a87ad42a551827f6a529c5bbe73a766ce0490402c2fadef60b49f7c
-
SSDEEP
1536:TJbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrO:9bfVk29te2jqxCEtg30By
Malware Config
Extracted
sakula
www.savmpet.com
Signatures
-
Sakula
Sakula is a remote access trojan with various capabilities.
-
Sakula family
-
Sakula payload 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 4 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c0d200da66ed310cb501886ae3eb8feeac8905c9ac7847d7b04c5295bfd5a4a9.exe"C:\Users\Admin\AppData\Local\Temp\c0d200da66ed310cb501886ae3eb8feeac8905c9ac7847d7b04c5295bfd5a4a9.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\c0d200da66ed310cb501886ae3eb8feeac8905c9ac7847d7b04c5295bfd5a4a9.exe"2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD50f7efd161b1c902cf6a9656e2da6211b
SHA186afa4e66777a59d7179830b6c6c27417b4ad5f2
SHA256daf8e51096c72a28afabc42e084490039cd93d821f33b3a9e0aee6d2449c71c5
SHA512bed4e6bbf4ad5f7a696147d51df24bcb0b3663f759af84e67d5898376bdd4b17759d40cb46a8c9aac0fa1b91111de007f364295dd048e2e867324bdcb4eff677