Overview

overview

10

Static

static

10

12bcf36cf6...09.exe

windows7_x64

10

12bcf36cf6...09.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    172s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    12-02-2022 05:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    12bcf36cf68e923294f645af90f1a7a21ced8a12450c7aa4b23968c76f513709.exe

  • Size

    150KB

  • MD5

    45dfe1d0b5e770408616130a450af7d6

  • SHA1

    8573d4bd8fa79ae3e8d20c13d65d13768b330795

  • SHA256

    12bcf36cf68e923294f645af90f1a7a21ced8a12450c7aa4b23968c76f513709

  • SHA512

    5a2f7c0ab51b60fcdd4934aa8e438f6eccd4f4bd59ab4655a42ec56fb5dd258d115494a9c5a1ab0b622abde54d5dbce739f86301108796850c73a19049308cbe

Score
10/10
sakulapersistencerattrojan

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

    trojanratsakula
  • Sakula Payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 53 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12bcf36cf68e923294f645af90f1a7a21ced8a12450c7aa4b23968c76f513709.exe
    "C:\Users\Admin\AppData\Local\Temp\12bcf36cf68e923294f645af90f1a7a21ced8a12450c7aa4b23968c76f513709.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3332
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:4012
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12bcf36cf68e923294f645af90f1a7a21ced8a12450c7aa4b23968c76f513709.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:968
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:364
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:3944
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:3440
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3884

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    d91d97bfb7dfa87f8ad14ac2b68cb87d

    SHA1

    93ea185718f4459a56ed8d3254c0dd2555fee6aa

    SHA256

    f4b71fa6feeabf9c924122e11070d858ccd35063c4cbfc553ec018e26321f367

    SHA512

    daa41d42b50b804229bfc010b849ab26435ea9011fa27b4bd6640ef6ea6bf97f9160ec9e2669b43568e925b26bb0f06d93a798b2183af6b6980c2ff0f4eeab62

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    d91d97bfb7dfa87f8ad14ac2b68cb87d

    SHA1

    93ea185718f4459a56ed8d3254c0dd2555fee6aa

    SHA256

    f4b71fa6feeabf9c924122e11070d858ccd35063c4cbfc553ec018e26321f367

    SHA512

    daa41d42b50b804229bfc010b849ab26435ea9011fa27b4bd6640ef6ea6bf97f9160ec9e2669b43568e925b26bb0f06d93a798b2183af6b6980c2ff0f4eeab62

    Download Submit