Analysis

  • max time kernel
    152s
  • max time network
    183s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    12-02-2022 04:55

General

  • Target

    14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f.exe

  • Size

    36KB

  • MD5

    f11797239498a6cebd92f964b2b42912

  • SHA1

    2f9d0702f042d97c13792f0591f405896c5c955d

  • SHA256

    14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f

  • SHA512

    690595e3f7548464c7419c6d81ab24bf36c7ef031e5fe2890e4d64b215957de2e374d5ba13ab60ab0f740c2d9be6a21240e86a780e6d5937cefd4b82309d825f

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f.exe
    "C:\Users\Admin\AppData\Local\Temp\14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f.exe"
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      • Executes dropped EXE
      PID:1628
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14028b2309ca15af5f69192d6727d1072b295bfd9941e0e8d9fd00301403747f.exe"
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:960
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        • Runs ping.exe
        PID:780

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

    MD5

    d835f3502125146d093665817a9a8161

    SHA1

    4f215327d647d085ceb2fa5f348796ee5bf8a543

    SHA256

    b6cb167beaf9c3b5dae5d60eaf30c61a03a837e1ff6b0e66c2c039431579c2e0

    SHA512

    8cfba566d4ae0dab97fa0a847f51aa0d57c2ba8b7f9fedc3cca34ee60bf98813c30935d52971d0bfb1948d7786cd3f29b2a59c08af1e1bd68f6f4d1fd2474787

  • memory/1668-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

    Filesize

    8KB