Overview

overview

10

Static

static

10

09afb02a9d...44.exe

windows7_x64

10

09afb02a9d...44.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    12-02-2022 09:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    09afb02a9d645b6b6dd38d969bde96becb959e23f04f6dcb5ea7e44b6b7c6844.exe

  • Size

    216KB

  • MD5

    851773e63e4cf5d828506b9e6b979ac5

  • SHA1

    796eac7057f861e1d13963ca3d3a54ff8aa365d3

  • SHA256

    09afb02a9d645b6b6dd38d969bde96becb959e23f04f6dcb5ea7e44b6b7c6844

  • SHA512

    898f41cac4a13780d7add3c42c30153cb630c8c21be060add1b2b785df283e9164bbd96635ff1686a8c013af32b0490d646422bfad328c53831d0ff049ecc5b5

Score
10/10
sakulapersistencerattrojan

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

    trojanratsakula
  • Sakula Payload 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09afb02a9d645b6b6dd38d969bde96becb959e23f04f6dcb5ea7e44b6b7c6844.exe
    "C:\Users\Admin\AppData\Local\Temp\09afb02a9d645b6b6dd38d969bde96becb959e23f04f6dcb5ea7e44b6b7c6844.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:1760
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09afb02a9d645b6b6dd38d969bde96becb959e23f04f6dcb5ea7e44b6b7c6844.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:932
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1828

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    20889158f8dc9bcdccd24f820b0c669e

    SHA1

    c9c23cf8f9eb8090736b01e85263aa26ce24cdd6

    SHA256

    208f8f4794e11103487d73e57dbef74361a40cb32e8a4c738cebc9d49caa648c

    SHA512

    60f96bc33d52540213f22cbf0c473062b3f10166626fdb2a6b778b91740fff5f468eeae63c9f7c0cf2f16b04f599174d89977cc1e1fb6ab306a44aaa76d443aa

    Download Submit
  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    20889158f8dc9bcdccd24f820b0c669e

    SHA1

    c9c23cf8f9eb8090736b01e85263aa26ce24cdd6

    SHA256

    208f8f4794e11103487d73e57dbef74361a40cb32e8a4c738cebc9d49caa648c

    SHA512

    60f96bc33d52540213f22cbf0c473062b3f10166626fdb2a6b778b91740fff5f468eeae63c9f7c0cf2f16b04f599174d89977cc1e1fb6ab306a44aaa76d443aa

    Download Submit
  • memory/1088-54-0x0000000075341000-0x0000000075343000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1088-58-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1760-59-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download