Overview

overview

10

Static

static

10

0e6b8d14e0...56.exe

windows7_x64

10

0e6b8d14e0...56.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    168s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    12-02-2022 07:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe

  • Size

    191KB

  • MD5

    6875b11b2e7da9aeb6370077f6b228d3

  • SHA1

    fc94eaf90b170a615dd19557399e8b9a8855114d

  • SHA256

    0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856

  • SHA512

    b3d7fcb169dbf15652612f2cfbc3ac7177c1329bbe9f3c7c36e59607ffa84351824ed59931b044e2f739fe4a099c7d1ca134c66450d931960993a94606bdfa4b

Score
10/10
sakulapersistencerattrojan

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

    trojanratsakula
  • Sakula Payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe
    "C:\Users\Admin\AppData\Local\Temp\0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:752
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e6b8d14e04e55ea3836d9de67a5b5314c66210701cb504bebed269030079856.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3924
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:3088
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k wusvcs -p
    1⤵
      PID:2976
    • C:\Windows\system32\MusNotifyIcon.exe
      %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
      1⤵
      • Checks processor information in registry
      PID:1396

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      MD5

      ab04c36e3a5988c696f77703b17afae4

      SHA1

      7bf63b5531f31f3dcb72f3dc369beee4f0632c97

      SHA256

      a9c286ebad631a562a9055dde6a708f15573ca82004e6d361be1977a86cc7743

      SHA512

      1c077ffb50639efe96a058bf6feb67b6e8f74fee9ba147d00fc7fa17b2efa93688eb454376953d9da645e09ee67cbd62ff07035da2d0e366a9a8b03620fe4955

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      MD5

      ab04c36e3a5988c696f77703b17afae4

      SHA1

      7bf63b5531f31f3dcb72f3dc369beee4f0632c97

      SHA256

      a9c286ebad631a562a9055dde6a708f15573ca82004e6d361be1977a86cc7743

      SHA512

      1c077ffb50639efe96a058bf6feb67b6e8f74fee9ba147d00fc7fa17b2efa93688eb454376953d9da645e09ee67cbd62ff07035da2d0e366a9a8b03620fe4955

      Download Submit