Analysis

  • max time kernel
    117s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    24-09-2021 06:14

General

  • Target

    a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe

  • Size

    58KB

  • MD5

    eb8e2d67cde387d87a3d78a52a477fb4

  • SHA1

    4138900c2fd72ddfa8fbeedb74bdc460d9a3a42b

  • SHA256

    a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24

  • SHA512

    d085267cbfdb096391e5d80353fa08ca9d448e225ce3505f0cd1fb5c45728a7c4495c537d079e8c894baaa94ab07f5e22a2cc7430dc42b870e4da37de0ac32c0

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe
    "C:\Users\Admin\AppData\Local\Temp\a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:1652
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1772

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    dcab89bff5bb009b7403d8a24b280c0c

    SHA1

    c0e6d6578766822f3a5b01a6807f31344eefaee6

    SHA256

    5403e7abacf526eb1b72835f8245dbc8477ba65dca6ba599061c59ed54081948

    SHA512

    b1ecf17af09f76599df5cde43caad3a11422a80521aa9bca150d55f0bb90f95e45e1b31822005ddd0944c903b59b33c7feca963d6f8b4cac5c5fa825d8177a19

  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    dcab89bff5bb009b7403d8a24b280c0c

    SHA1

    c0e6d6578766822f3a5b01a6807f31344eefaee6

    SHA256

    5403e7abacf526eb1b72835f8245dbc8477ba65dca6ba599061c59ed54081948

    SHA512

    b1ecf17af09f76599df5cde43caad3a11422a80521aa9bca150d55f0bb90f95e45e1b31822005ddd0944c903b59b33c7feca963d6f8b4cac5c5fa825d8177a19

  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    dcab89bff5bb009b7403d8a24b280c0c

    SHA1

    c0e6d6578766822f3a5b01a6807f31344eefaee6

    SHA256

    5403e7abacf526eb1b72835f8245dbc8477ba65dca6ba599061c59ed54081948

    SHA512

    b1ecf17af09f76599df5cde43caad3a11422a80521aa9bca150d55f0bb90f95e45e1b31822005ddd0944c903b59b33c7feca963d6f8b4cac5c5fa825d8177a19

  • memory/1096-60-0x0000000075201000-0x0000000075203000-memory.dmp
    Filesize

    8KB

  • memory/1652-63-0x0000000000000000-mapping.dmp
  • memory/1732-66-0x0000000000000000-mapping.dmp
  • memory/1772-67-0x0000000000000000-mapping.dmp