Overview

overview

10

Static

static

1087585481...72.exe

windows7_x64

10

1087585481...72.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    124s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    12-02-2022 06:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe

  • Size

    36KB

  • MD5

    5ba8b640d31085d6b4f327b6cf01f412

  • SHA1

    f5a515abc4f3e804d8288b88df40a62d0549e9f1

  • SHA256

    1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572

  • SHA512

    ae12cb2eecf540ce40f839ec7fed1ee9bbb29ba232fe4900762fa8fb83ed6cc89306fe28a29074a028a8ddcc708a56b5bf188d4ca18ab4b21677da76303fb88b

Score
10/10
sakulapersistencerattrojan

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

    trojanratsakula
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe
    "C:\Users\Admin\AppData\Local\Temp\1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:1616
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1087585481d2b486b866a169f003568a0efc862ae3dd248dd760a25809f3d572.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1604
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1484

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    f0a5a87c6b9b7dc7aae91ceb41fc052a

    SHA1

    704d2f6f0361a9724d67b7b1b06029f674b2ab26

    SHA256

    50551b607daf4749053eb4feee8cb85e00a9d706a37639ab54416cbc96c27cde

    SHA512

    ca734364e1099c7918f5f8013ccd0d6b154f903ef14b0103a8aee9cb9dd8046d1f3e40a37e8b507d7d46c4db175efc415b52bf9298fc13ab77e0b54962ebb02c

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    f0a5a87c6b9b7dc7aae91ceb41fc052a

    SHA1

    704d2f6f0361a9724d67b7b1b06029f674b2ab26

    SHA256

    50551b607daf4749053eb4feee8cb85e00a9d706a37639ab54416cbc96c27cde

    SHA512

    ca734364e1099c7918f5f8013ccd0d6b154f903ef14b0103a8aee9cb9dd8046d1f3e40a37e8b507d7d46c4db175efc415b52bf9298fc13ab77e0b54962ebb02c

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    f0a5a87c6b9b7dc7aae91ceb41fc052a

    SHA1

    704d2f6f0361a9724d67b7b1b06029f674b2ab26

    SHA256

    50551b607daf4749053eb4feee8cb85e00a9d706a37639ab54416cbc96c27cde

    SHA512

    ca734364e1099c7918f5f8013ccd0d6b154f903ef14b0103a8aee9cb9dd8046d1f3e40a37e8b507d7d46c4db175efc415b52bf9298fc13ab77e0b54962ebb02c

    Download Submit

  • memory/1752-55-0x0000000076921000-0x0000000076923000-memory.dmp

    Filesize

    8KB

    Download