Overview

overview

10

Static

static

10

15779b2166...a5.exe

windows7_x64

10

15779b2166...a5.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    122s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    12-02-2022 04:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe

  • Size

    192KB

  • MD5

    afb2579aff74db141ded5ead3fa20e66

  • SHA1

    3ca2e7e640630426d5c413fb8a96fb0687b0c6b5

  • SHA256

    15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5

  • SHA512

    bb83efb60f6ecf8d5c2544c7961ae546226b2ff5742671524df908d65fee75d58fbfe8aed23bf68efb8d30c4a49560c7fb694ccb26bb24ef85eacafb40776d99

Score
10/10
sakulapersistencerattrojan

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

    trojanratsakula
  • Sakula Payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe
    "C:\Users\Admin\AppData\Local\Temp\15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:1576
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15779b21660c32d7bab65ae82aa2279ba9edeb3c8bd84c091cbcd5aec8ffcaa5.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:432
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1068

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    e1d5fbf42b7f1f0404913a5be4857b80

    SHA1

    6acd137c0ae45e44ce8aceb227fe95bbec2c6815

    SHA256

    adca2bbf04737985a3576c1f3dd969d3c3bf9ed835f16c7f52d977f4b0149dab

    SHA512

    3d780a79d828200c0f944e21991e0b3ab4baddf3207ec2fd27b0fae6fd00fc9b62afc71ad0ed92d1fd5ebf99b32b3e53a03bc7514ef46233f7c27062286aa054

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    e1d5fbf42b7f1f0404913a5be4857b80

    SHA1

    6acd137c0ae45e44ce8aceb227fe95bbec2c6815

    SHA256

    adca2bbf04737985a3576c1f3dd969d3c3bf9ed835f16c7f52d977f4b0149dab

    SHA512

    3d780a79d828200c0f944e21991e0b3ab4baddf3207ec2fd27b0fae6fd00fc9b62afc71ad0ed92d1fd5ebf99b32b3e53a03bc7514ef46233f7c27062286aa054

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    e1d5fbf42b7f1f0404913a5be4857b80

    SHA1

    6acd137c0ae45e44ce8aceb227fe95bbec2c6815

    SHA256

    adca2bbf04737985a3576c1f3dd969d3c3bf9ed835f16c7f52d977f4b0149dab

    SHA512

    3d780a79d828200c0f944e21991e0b3ab4baddf3207ec2fd27b0fae6fd00fc9b62afc71ad0ed92d1fd5ebf99b32b3e53a03bc7514ef46233f7c27062286aa054

    Download Submit

  • memory/1664-54-0x00000000754B1000-0x00000000754B3000-memory.dmp

    Filesize

    8KB

    Download