Overview

overview

10

Static

static

126c811284...46.exe

windows7_x64

10

126c811284...46.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    154s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    12-02-2022 05:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    126c81128464e2eeabe48a9413fcfa8e01645a0b5a56cf0b6090d7c682964846.exe

  • Size

    36KB

  • MD5

    a78e82245103aca7f26f67355b280629

  • SHA1

    187674c7b37413b1ed49e80b46af468d41bfa0b3

  • SHA256

    126c81128464e2eeabe48a9413fcfa8e01645a0b5a56cf0b6090d7c682964846

  • SHA512

    fed17999ebb429d5f092d0143203653c80df9d08cacd33840368cb846932a0eee9edff40332638e9bb19c781eba71b20d8d5b7c203dcdac99e01b7d0dfdc7d07

Score
10/10
sakulapersistencerattrojan

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

    trojanratsakula
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\126c81128464e2eeabe48a9413fcfa8e01645a0b5a56cf0b6090d7c682964846.exe
    "C:\Users\Admin\AppData\Local\Temp\126c81128464e2eeabe48a9413fcfa8e01645a0b5a56cf0b6090d7c682964846.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:828
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\126c81128464e2eeabe48a9413fcfa8e01645a0b5a56cf0b6090d7c682964846.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:956

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    383ef0fac1136ebaf5f41e635dee0b15

    SHA1

    47c9f9c3cb00ce01a2f4c6c9ce1f0a3903945935

    SHA256

    8e7a400948ee1c3e44c6749c2c5ad409a93bf4586f3a1fee6ab85eea6812c1bf

    SHA512

    25cdc57fa2d4f856604d5389910b4fc579445c28c894c71257db720b48eebb1f22274c0ea7dfccfcd59744a402fb9eb86c678dbd217264b8ff68c6ba1dd76d59

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    383ef0fac1136ebaf5f41e635dee0b15

    SHA1

    47c9f9c3cb00ce01a2f4c6c9ce1f0a3903945935

    SHA256

    8e7a400948ee1c3e44c6749c2c5ad409a93bf4586f3a1fee6ab85eea6812c1bf

    SHA512

    25cdc57fa2d4f856604d5389910b4fc579445c28c894c71257db720b48eebb1f22274c0ea7dfccfcd59744a402fb9eb86c678dbd217264b8ff68c6ba1dd76d59

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    383ef0fac1136ebaf5f41e635dee0b15

    SHA1

    47c9f9c3cb00ce01a2f4c6c9ce1f0a3903945935

    SHA256

    8e7a400948ee1c3e44c6749c2c5ad409a93bf4586f3a1fee6ab85eea6812c1bf

    SHA512

    25cdc57fa2d4f856604d5389910b4fc579445c28c894c71257db720b48eebb1f22274c0ea7dfccfcd59744a402fb9eb86c678dbd217264b8ff68c6ba1dd76d59

    Download Submit

  • memory/1664-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

    Filesize

    8KB

    Download