Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    12-02-2022 03:06

General

  • Target

    188eb78f4ce4186de40c7260ffb07a673ce457357486c8fb7ab913a754c5a196.exe

  • Size

    58KB

  • MD5

    22171589b7cc9dbac6b1913100cbab40

  • SHA1

    4439f518bde68f7e3ac296302e650b4bee910591

  • SHA256

    188eb78f4ce4186de40c7260ffb07a673ce457357486c8fb7ab913a754c5a196

  • SHA512

    f20297fc73b2991a33eb04ecc40561ec547903c2b357dcbf29ff2ad4f1d40af38c815f66a129812f8b5511da8c46ab6e829177e0cd592f5fd37860d2e53eb9b9

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\188eb78f4ce4186de40c7260ffb07a673ce457357486c8fb7ab913a754c5a196.exe
    "C:\Users\Admin\AppData\Local\Temp\188eb78f4ce4186de40c7260ffb07a673ce457357486c8fb7ab913a754c5a196.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:1600
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\188eb78f4ce4186de40c7260ffb07a673ce457357486c8fb7ab913a754c5a196.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:392
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:784

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

    MD5

    c86d69d5182fd1d00c87cb94b8f39423

    SHA1

    30aa45ea72499df76f64e4fde020224c367c76a6

    SHA256

    f6d5c92340142ff72fb72f01551eb470d122ae95c1df1ef2f412b9e65f71e961

    SHA512

    4b27da3447e36c5d2343f2a952d726d9d2b121e889855c21712fe7bd85faa39351cad11c4fa7f9ee32ab0b61f110ade0e35a063cc307058ed9e775d434c4dbd1

  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

    MD5

    c86d69d5182fd1d00c87cb94b8f39423

    SHA1

    30aa45ea72499df76f64e4fde020224c367c76a6

    SHA256

    f6d5c92340142ff72fb72f01551eb470d122ae95c1df1ef2f412b9e65f71e961

    SHA512

    4b27da3447e36c5d2343f2a952d726d9d2b121e889855c21712fe7bd85faa39351cad11c4fa7f9ee32ab0b61f110ade0e35a063cc307058ed9e775d434c4dbd1

  • memory/1204-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

    Filesize

    8KB