Overview

overview

10

Static

static

10

15d69bc850...c8.exe

windows7_x64

10

15d69bc850...c8.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    12-02-2022 04:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    15d69bc850c0b4f1727b0b0dd1599ab3edae7538e397acc8275ed9890e07ffc8.exe

  • Size

    192KB

  • MD5

    c49e3b0ea7366580768985643d49a6a2

  • SHA1

    c168facb19a7433884f2977491a2abd6a4451cc9

  • SHA256

    15d69bc850c0b4f1727b0b0dd1599ab3edae7538e397acc8275ed9890e07ffc8

  • SHA512

    050c9eb057a9d96c6ab9afe9eee8e9fa00f4c118cf6aa36e061f7ccae7512a98d76d30ffef369e5e3f2b7daa750a81d9a2de16823c8e5723cdda89cc5f1a2c0b

Score
10/10
sakulapersistencerattrojan

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

    trojanratsakula
  • Sakula Payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15d69bc850c0b4f1727b0b0dd1599ab3edae7538e397acc8275ed9890e07ffc8.exe
    "C:\Users\Admin\AppData\Local\Temp\15d69bc850c0b4f1727b0b0dd1599ab3edae7538e397acc8275ed9890e07ffc8.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:420
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:3968
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15d69bc850c0b4f1727b0b0dd1599ab3edae7538e397acc8275ed9890e07ffc8.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3200
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2796
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1228
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1128

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    2ea86be60a48b681d30d9c7ce01068b0

    SHA1

    a126f5b887da1e55c9673e862480f0cba4a06ba0

    SHA256

    181a0c542175b3b63fa464315c27f279066601f5176505d6a407d7463ea0c8ba

    SHA512

    7492a77ed67762e5c6b7dc5f740aa45c5eba1aa618dcd5369b5f17e580462b3da24e96998a364ac0227800d946921766340d63f9fae584ab5f1dc0b3075e8729

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    2ea86be60a48b681d30d9c7ce01068b0

    SHA1

    a126f5b887da1e55c9673e862480f0cba4a06ba0

    SHA256

    181a0c542175b3b63fa464315c27f279066601f5176505d6a407d7463ea0c8ba

    SHA512

    7492a77ed67762e5c6b7dc5f740aa45c5eba1aa618dcd5369b5f17e580462b3da24e96998a364ac0227800d946921766340d63f9fae584ab5f1dc0b3075e8729

    Download Submit

  • memory/1228-132-0x000002D12A960000-0x000002D12A970000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1228-133-0x000002D12AF20000-0x000002D12AF30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1228-134-0x000002D12D590000-0x000002D12D594000-memory.dmp

    Filesize

    16KB

    Download