Overview

overview

10

Static

static

16f57f1712...7a.exe

windows7_x64

10

16f57f1712...7a.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    12-02-2022 03:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    16f57f17126de49c918e499e73fb3911970bcd7e46754151d4678d21ef68e07a.exe

  • Size

    36KB

  • MD5

    e38b889bd8ce530aab35327d85cf0266

  • SHA1

    6e7f2b60a9d65edf056a669707044382654e6ef7

  • SHA256

    16f57f17126de49c918e499e73fb3911970bcd7e46754151d4678d21ef68e07a

  • SHA512

    292b4e94b5b74e7df431e434497a7c562bc78852456b402ae9d9c530600a103306ed7fc59c9e5445600ebda5a0c8be6ab17178784c890927bfe63f9e130634f2

Score
10/10
sakulapersistencerattrojan

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

    trojanratsakula
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\16f57f17126de49c918e499e73fb3911970bcd7e46754151d4678d21ef68e07a.exe
    "C:\Users\Admin\AppData\Local\Temp\16f57f17126de49c918e499e73fb3911970bcd7e46754151d4678d21ef68e07a.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:1544
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16f57f17126de49c918e499e73fb3911970bcd7e46754151d4678d21ef68e07a.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1964

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    141ae5d498f7030f43b8dc5501dab218

    SHA1

    4307c52d8cb07beb2e3e31f83b0660de7f23cf0e

    SHA256

    4437062cc9ded509ce2e717c449d079897efa9f6bcec47b3875984c237e02b16

    SHA512

    acca030fabb55c8050a9b7480f4733064d043ba09d8a2d1beacc8d55758c9e0ef0d0f2c124ec20ce1e6299de5d6a2c91bf067e040d49cf68ba6a3f94b19b956e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    141ae5d498f7030f43b8dc5501dab218

    SHA1

    4307c52d8cb07beb2e3e31f83b0660de7f23cf0e

    SHA256

    4437062cc9ded509ce2e717c449d079897efa9f6bcec47b3875984c237e02b16

    SHA512

    acca030fabb55c8050a9b7480f4733064d043ba09d8a2d1beacc8d55758c9e0ef0d0f2c124ec20ce1e6299de5d6a2c91bf067e040d49cf68ba6a3f94b19b956e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    141ae5d498f7030f43b8dc5501dab218

    SHA1

    4307c52d8cb07beb2e3e31f83b0660de7f23cf0e

    SHA256

    4437062cc9ded509ce2e717c449d079897efa9f6bcec47b3875984c237e02b16

    SHA512

    acca030fabb55c8050a9b7480f4733064d043ba09d8a2d1beacc8d55758c9e0ef0d0f2c124ec20ce1e6299de5d6a2c91bf067e040d49cf68ba6a3f94b19b956e

    Download Submit

  • memory/1664-53-0x0000000075D61000-0x0000000075D63000-memory.dmp

    Filesize

    8KB

    Download