Overview

overview

10

Static

static

10

0ca0a2a384...32.exe

windows7_x64

10

0ca0a2a384...32.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    139s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    12-02-2022 07:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe

  • Size

    200KB

  • MD5

    bfbe4b2ec56db581d1e48ab3572143f9

  • SHA1

    6fdfa0c845252ad6aa802579c22de6a4f591fd72

  • SHA256

    0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632

  • SHA512

    4a5669bd2f9537b33a79480304813978cd3fffbbf7a27d3399248d3c257b1bf869101bd09eff2763c6b5a6a54e68f266a8af4fa150a98f721d190af24fc11af4

Score
10/10
sakulapersistenceratsuricatatrojan

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

    trojanratsakula
  • Sakula Payload 4 IoCs
  • suricata: ET MALWARE SUSPICIOUS UA (iexplore)

    suricata: ET MALWARE SUSPICIOUS UA (iexplore)

    suricata
  • suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

    suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

    suricata
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe
    "C:\Users\Admin\AppData\Local\Temp\0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3568
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:4260
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ca0a2a38476e188cfd1acf8df24a25d48878fe7b7180e027069ef7e874f9632.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2164
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2120
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4628

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    a92a8a89e63dc97aed4a53c5bc07c328

    SHA1

    dfb2b265817614920ce838a5f469926c259fd913

    SHA256

    20ec8294e8766d36630c469f4315a6c03924f6dd57a237fb4ec5bdec0de836a1

    SHA512

    1d655492a5135c2af45fef83f89a8dbef528735fc97391785b8a1645c0e8c79572be69322d38632cceed36e2ac162c53dda126c611ebd5bbc427f441f7a74211

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    a92a8a89e63dc97aed4a53c5bc07c328

    SHA1

    dfb2b265817614920ce838a5f469926c259fd913

    SHA256

    20ec8294e8766d36630c469f4315a6c03924f6dd57a237fb4ec5bdec0de836a1

    SHA512

    1d655492a5135c2af45fef83f89a8dbef528735fc97391785b8a1645c0e8c79572be69322d38632cceed36e2ac162c53dda126c611ebd5bbc427f441f7a74211

    Download Submit

  • memory/2120-132-0x0000020A4C020000-0x0000020A4C030000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2120-133-0x0000020A4C080000-0x0000020A4C090000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2120-134-0x0000020A4E740000-0x0000020A4E744000-memory.dmp

    Filesize

    16KB

    Download

  • memory/3568-135-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4260-136-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download