Overview

overview

10

Static

static

0d3c2f8869...28.exe

windows7_x64

10

0d3c2f8869...28.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    162s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    12-02-2022 07:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0d3c2f88694fee75e9cb349c916c86d676aeaf61c98b5df2206f122e56d3ef28.exe

  • Size

    36KB

  • MD5

    c01803fac4a2e68244efe17e7f4a11df

  • SHA1

    f51e2a687257adc02fd00155726a6eccd119a599

  • SHA256

    0d3c2f88694fee75e9cb349c916c86d676aeaf61c98b5df2206f122e56d3ef28

  • SHA512

    38441fcda5f18fe1aa5bc92c28391906578ecd99ab43f33033224a731f8e9c8680e68d7f7e065dec4340d984d63c48375c866e669e9ae620ae2db5c23f72a954

Score
10/10
sakulapersistencerattrojan

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

    trojanratsakula
  • Sakula Payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 50 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d3c2f88694fee75e9cb349c916c86d676aeaf61c98b5df2206f122e56d3ef28.exe
    "C:\Users\Admin\AppData\Local\Temp\0d3c2f88694fee75e9cb349c916c86d676aeaf61c98b5df2206f122e56d3ef28.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3752
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:2664
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d3c2f88694fee75e9cb349c916c86d676aeaf61c98b5df2206f122e56d3ef28.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1888
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:1880
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1496

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    b6e3cb29dcb3f37c7e5ff0e4948f7105

    SHA1

    8a7c2c812f8c29243dc91c7d208d0a2b4ff33c88

    SHA256

    d84c3ce619cebaf7177190451740da8c5d77c733bba0fb798f6c1fcd464ecded

    SHA512

    6aa5fe8d37984bc7685ee22a4ca9f12a9dd1d39b82d25c16447f4177492c3bb1edf04d360c5179a59b80b2ef55d746f041f91e3b6c3b6703ed4e9b6e5af8008e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    b6e3cb29dcb3f37c7e5ff0e4948f7105

    SHA1

    8a7c2c812f8c29243dc91c7d208d0a2b4ff33c88

    SHA256

    d84c3ce619cebaf7177190451740da8c5d77c733bba0fb798f6c1fcd464ecded

    SHA512

    6aa5fe8d37984bc7685ee22a4ca9f12a9dd1d39b82d25c16447f4177492c3bb1edf04d360c5179a59b80b2ef55d746f041f91e3b6c3b6703ed4e9b6e5af8008e

    Download Submit

  • memory/2664-136-0x0000000000250000-0x0000000000269000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2664-138-0x0000000000930000-0x0000000000937000-memory.dmp

    Filesize

    28KB

    Download

  • memory/3752-133-0x0000000000360000-0x0000000000379000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3752-137-0x00000000008B0000-0x00000000008B7000-memory.dmp

    Filesize

    28KB

    Download