Analysis

  • max time kernel
    132s
  • max time network
    163s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    12-02-2022 10:58

General

  • Target

    05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe

  • Size

    99KB

  • MD5

    282e691dbddb8724cacb290909da4b24

  • SHA1

    8d8e303778b6a9210fa10a18b35237b32754086a

  • SHA256

    05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3

  • SHA512

    ae084f85fbb73746792e67244e431cf6308544ea460eb748e789d8b614586fe3d512a770f2cac1bcf413fb61528d22d8d4f22386597d006f2cc4900540242b28

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

  • Sakula Payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe
    "C:\Users\Admin\AppData\Local\Temp\05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:1892
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\05a412b6a9b4374a59c00182b8b2c47512729f8e20d398690a840586b7a1dba3.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1172
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:952

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    623f6e414a9561ee3d49305cd00ec1b1

    SHA1

    7ddb29c65565dabf1fd8bf29287704d7cd525cc6

    SHA256

    c3c4dc32d5d2f4ad39086dd11ad570b3efe2a71a656032b2945f871dff403041

    SHA512

    26b0e15b492dfccf2ec46fa9783bc8e879f0bb01cf65e62dc7663c356a38d9330e5369ab2ba743e066279cfa224550a7f73f840c62abf891cfeedb313ea791a0

  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    623f6e414a9561ee3d49305cd00ec1b1

    SHA1

    7ddb29c65565dabf1fd8bf29287704d7cd525cc6

    SHA256

    c3c4dc32d5d2f4ad39086dd11ad570b3efe2a71a656032b2945f871dff403041

    SHA512

    26b0e15b492dfccf2ec46fa9783bc8e879f0bb01cf65e62dc7663c356a38d9330e5369ab2ba743e066279cfa224550a7f73f840c62abf891cfeedb313ea791a0

  • memory/1684-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
    Filesize

    8KB