Analysis

  • max time kernel
    167s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    12-02-2022 03:39

General

  • Target

    170e7f9b8b91012265ce4c2fcabc66178cc705df28ebd506c4c5db1f2b6f1b1d.exe

  • Size

    80KB

  • MD5

    7b62e3d9d30de24b1ea9a0e23217bf6d

  • SHA1

    43e63ac050a2ea99f36e2f50d9adc84eefdcd2f5

  • SHA256

    170e7f9b8b91012265ce4c2fcabc66178cc705df28ebd506c4c5db1f2b6f1b1d

  • SHA512

    04f40af1fc875241554e651ee9f312ba80d0b1f97a73850180860770243b9fe09f9431a22ad1f9a74fbf9f938ac5867c76ee12723abc11181734cad5364e9840

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

  • Sakula Payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 49 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\170e7f9b8b91012265ce4c2fcabc66178cc705df28ebd506c4c5db1f2b6f1b1d.exe
    "C:\Users\Admin\AppData\Local\Temp\170e7f9b8b91012265ce4c2fcabc66178cc705df28ebd506c4c5db1f2b6f1b1d.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2800
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:3840
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\170e7f9b8b91012265ce4c2fcabc66178cc705df28ebd506c4c5db1f2b6f1b1d.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2956
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:3292
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1256

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

    MD5

    7e651b9f41a4261f9f410b6001fb80b2

    SHA1

    73d9797d62fa25221d6a972b0982d595b1470304

    SHA256

    f2966da1484976efeb2190382811e0e398ab5677794077d349f44c2a9738b43b

    SHA512

    af689bd1ed63efe0ebb2280e08fd5b0e0beb2199bf53f407ae361ae90d6f0c36461694bcbaecafe893c02d7e999f23ccb0e038f32a792b292a056e51027854db