Analysis

  • max time kernel
    146s
  • max time network
    173s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    12-02-2022 09:53

General

  • Target

    08bfd583e6c4ddf417cd756755bf2d2d38c100f4b39b4cf82ac95479249fc006.exe

  • Size

    99KB

  • MD5

    e89fc15b316dbaed0f800e0ef18597fc

  • SHA1

    ca4414c0070e3a51625b70b56799dc9ae7642a6b

  • SHA256

    08bfd583e6c4ddf417cd756755bf2d2d38c100f4b39b4cf82ac95479249fc006

  • SHA512

    46ea9c7466690cf3c35a3c4259490ba21e136e2d0795d0cd849cc5c3306715afc86baeca8d576bb3950612b06fd641251038a6f92522f4dfdf33fde84243d8a8

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

  • Sakula Payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08bfd583e6c4ddf417cd756755bf2d2d38c100f4b39b4cf82ac95479249fc006.exe
    "C:\Users\Admin\AppData\Local\Temp\08bfd583e6c4ddf417cd756755bf2d2d38c100f4b39b4cf82ac95479249fc006.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1760
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:1928
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\08bfd583e6c4ddf417cd756755bf2d2d38c100f4b39b4cf82ac95479249fc006.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1620
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1984

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    07e7e639722c46e293ff5d7a35dd29c4

    SHA1

    2ddd474332aa01b9685aef32005b1b6a0b4ba880

    SHA256

    ec3ee3d406db18461afc510483aa916c2056ba721e8719e57433f301ba375aa0

    SHA512

    dbd77e0ba32deab3dfbac6d2a1bbfaf1821119eebdc6e8a2d40fc7106f13ddf62a3781f7ffa1e752b8773f771a522559342b5844e21dfb9dbf559a19dfba30eb

  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    07e7e639722c46e293ff5d7a35dd29c4

    SHA1

    2ddd474332aa01b9685aef32005b1b6a0b4ba880

    SHA256

    ec3ee3d406db18461afc510483aa916c2056ba721e8719e57433f301ba375aa0

    SHA512

    dbd77e0ba32deab3dfbac6d2a1bbfaf1821119eebdc6e8a2d40fc7106f13ddf62a3781f7ffa1e752b8773f771a522559342b5844e21dfb9dbf559a19dfba30eb

  • memory/1760-54-0x0000000075341000-0x0000000075343000-memory.dmp
    Filesize

    8KB