Overview

overview

10

Static

static

0cb4f6a76f...9b.exe

windows7_x64

10

0cb4f6a76f...9b.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    160s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    12-02-2022 07:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0cb4f6a76f4f5527116d13493ee70b8ae18bb6c944ba94d0076035af390f7e9b.exe

  • Size

    36KB

  • MD5

    7272859ae1cfabbbb9562035c8c1da4b

  • SHA1

    7216190cadeecb314aabb1be05424c2ede8047ce

  • SHA256

    0cb4f6a76f4f5527116d13493ee70b8ae18bb6c944ba94d0076035af390f7e9b

  • SHA512

    a95260b378c614edb7f8705ece74aa2d509d78aff04fb9bb665e3064f4adaa70cd61eea7d936363c37b2d31174440642ba1f7a009a893e34436893bb79f7d552

Score
10/10
sakulapersistencerattrojan

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

    trojanratsakula
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 52 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0cb4f6a76f4f5527116d13493ee70b8ae18bb6c944ba94d0076035af390f7e9b.exe
    "C:\Users\Admin\AppData\Local\Temp\0cb4f6a76f4f5527116d13493ee70b8ae18bb6c944ba94d0076035af390f7e9b.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:1248
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0cb4f6a76f4f5527116d13493ee70b8ae18bb6c944ba94d0076035af390f7e9b.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1536
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:4016
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:540
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:3264
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3924

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    4eb02d284d6a5e6e0b691b10ad4f022f

    SHA1

    ac76eaa8164b337d16f75e9695c39edb756d1d98

    SHA256

    f40b61bec2c5048344bba11e69277cc72086720b6d8b8319bcaddeb8ca9689fe

    SHA512

    7ac0ed5126e0dc222379b15f8b40a37dc9dd1df81058cf5c98d819b018bddbdc1709972a7f0d98ec12b58b62557d2f7643b56602354161d3cf9b847b54829157

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    4eb02d284d6a5e6e0b691b10ad4f022f

    SHA1

    ac76eaa8164b337d16f75e9695c39edb756d1d98

    SHA256

    f40b61bec2c5048344bba11e69277cc72086720b6d8b8319bcaddeb8ca9689fe

    SHA512

    7ac0ed5126e0dc222379b15f8b40a37dc9dd1df81058cf5c98d819b018bddbdc1709972a7f0d98ec12b58b62557d2f7643b56602354161d3cf9b847b54829157

    Download Submit