Analysis

  • max time kernel
    118s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    12-02-2022 04:18

General

  • Target

    158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401.exe

  • Size

    80KB

  • MD5

    baa957e90b1fed34bb0549a1ced98392

  • SHA1

    8385d115b3a13f63320a5b7f39bff8fd24ba2fcd

  • SHA256

    158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401

  • SHA512

    6dec4f1670096a195ca404fcad00d8dc28a502a581675b5ff39ca859ae39aa056fa22b74be001df59c56c878bf90e13dc1bdbfd6f97e9ffc727d09bc2cce603a

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

  • Sakula Payload (3 IoCs)
  • Executes dropped EXE (1 IoC)
  • Deletes itself (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe (1 TTP, 1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401.exe
    "C:\Users\Admin\AppData\Local\Temp\158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:804
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\158a52465055d0341a1002774af978ca77a5287e8bf2f04bb8b7a4d2a72e3401.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1116

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

    MD5

    594f0000b7d4a8416132d93c9588bcf2

    SHA1

    ff64f1ba7ffac619e953a7cf30fae0399ff05fe0

    SHA256

    7f586640fb04e09085327148b4fabcc95fb85f65c44e632159422a0502e462be

    SHA512

    2020a4876af38baa5caf754ee6e0e352d49cd6c8193bbe6541befc1e51c1b28c9d6af13a5467d48088d0540fa4016f4dfc8e6f87af88322e2bab3eca8e26447a

  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

    MD5

    594f0000b7d4a8416132d93c9588bcf2

    SHA1

    ff64f1ba7ffac619e953a7cf30fae0399ff05fe0

    SHA256

    7f586640fb04e09085327148b4fabcc95fb85f65c44e632159422a0502e462be

    SHA512

    2020a4876af38baa5caf754ee6e0e352d49cd6c8193bbe6541befc1e51c1b28c9d6af13a5467d48088d0540fa4016f4dfc8e6f87af88322e2bab3eca8e26447a

  • memory/1564-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

    Filesize

    8KB