Overview

overview

10

Static

static

10

15a4b6c379...c9.exe

windows7_x64

10

15a4b6c379...c9.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    139s
  • max time network
    170s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    12-02-2022 04:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    15a4b6c379bcd3c896d474fbc2760e23f96c3a23ad93a3e9ba4aea01758f8ac9.exe

  • Size

    104KB

  • MD5

    81d356647a59f9c07470b19d926f275a

  • SHA1

    01713cf6de30480c037f8be0279545f99900c367

  • SHA256

    15a4b6c379bcd3c896d474fbc2760e23f96c3a23ad93a3e9ba4aea01758f8ac9

  • SHA512

    933714a5212d70dc59c3a8013d7564fafeb4507cc5fc2fb51216f079b9ec04e1aebf580549eff0e6d5171f1e3b80480c5e260344a13c22d4c75265c879004f78

Score
10/10
sakulapersistencerattrojan

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

    trojanratsakula
  • Sakula Payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15a4b6c379bcd3c896d474fbc2760e23f96c3a23ad93a3e9ba4aea01758f8ac9.exe
    "C:\Users\Admin\AppData\Local\Temp\15a4b6c379bcd3c896d474fbc2760e23f96c3a23ad93a3e9ba4aea01758f8ac9.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:952
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15a4b6c379bcd3c896d474fbc2760e23f96c3a23ad93a3e9ba4aea01758f8ac9.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1636

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    3e01cd69764e368c9b794834ee719245

    SHA1

    6f625332dfa46d1c035b2ddf3743a09eca186005

    SHA256

    e8654c59ef99d7d765b62169ba5ce388b95a89c1fea74678580c7276be94b64b

    SHA512

    a732373948694400bddfd9599106d824a10066e75beb38055a9c8c27d81ea1bc0badf2a64320ed755629370d174cca0f1700c2b4323d707326681dd845bb00fa

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    3e01cd69764e368c9b794834ee719245

    SHA1

    6f625332dfa46d1c035b2ddf3743a09eca186005

    SHA256

    e8654c59ef99d7d765b62169ba5ce388b95a89c1fea74678580c7276be94b64b

    SHA512

    a732373948694400bddfd9599106d824a10066e75beb38055a9c8c27d81ea1bc0badf2a64320ed755629370d174cca0f1700c2b4323d707326681dd845bb00fa

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    3e01cd69764e368c9b794834ee719245

    SHA1

    6f625332dfa46d1c035b2ddf3743a09eca186005

    SHA256

    e8654c59ef99d7d765b62169ba5ce388b95a89c1fea74678580c7276be94b64b

    SHA512

    a732373948694400bddfd9599106d824a10066e75beb38055a9c8c27d81ea1bc0badf2a64320ed755629370d174cca0f1700c2b4323d707326681dd845bb00fa

    Download Submit

  • memory/1632-55-0x0000000076141000-0x0000000076143000-memory.dmp

    Filesize

    8KB

    Download