Overview

overview

10

Static

static

0677097640...0f.exe

windows7_x64

10

0677097640...0f.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    125s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    12-02-2022 10:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe

  • Size

    36KB

  • MD5

    48a1a958c1b63834a424884c733859ca

  • SHA1

    c473b0c37a80da99a6d5636d819fa41a7f6ec4da

  • SHA256

    06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f

  • SHA512

    477646efd64e6d53173f620e429eb5291289ff1d8431cd474dd9b9e876d8a29deba1b2fe6e2dc7941bb69657dfc1726edb1790cdf22404aad9488a9e68cfd44a

Score
10/10
sakulapersistencerattrojan

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

    trojanratsakula
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe
    "C:\Users\Admin\AppData\Local\Temp\06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1592
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:1320
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06770976402c60f83914385bda147d6b6051db98a57436093bf739c76216980f.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:824
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2024

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    25c7e55b3da472a1531e56efcfff1d69

    SHA1

    550d48dd0ee3412526409ce0dd557484baa05542

    SHA256

    d6020a8ee5dd0ff048a01412c9320c43e5283177e5a3ce2c2d2da6792089f9de

    SHA512

    b61d70cd8292f9c2db1ecb3b8628409d900c2e9169f949e7dbb38cf8f8b67286efd36021a50cc7f873ca4a509a7417e9c88d43ff511b0d59193b604531dab54d

    Download Submit
  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    25c7e55b3da472a1531e56efcfff1d69

    SHA1

    550d48dd0ee3412526409ce0dd557484baa05542

    SHA256

    d6020a8ee5dd0ff048a01412c9320c43e5283177e5a3ce2c2d2da6792089f9de

    SHA512

    b61d70cd8292f9c2db1ecb3b8628409d900c2e9169f949e7dbb38cf8f8b67286efd36021a50cc7f873ca4a509a7417e9c88d43ff511b0d59193b604531dab54d

    Download Submit
  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    25c7e55b3da472a1531e56efcfff1d69

    SHA1

    550d48dd0ee3412526409ce0dd557484baa05542

    SHA256

    d6020a8ee5dd0ff048a01412c9320c43e5283177e5a3ce2c2d2da6792089f9de

    SHA512

    b61d70cd8292f9c2db1ecb3b8628409d900c2e9169f949e7dbb38cf8f8b67286efd36021a50cc7f873ca4a509a7417e9c88d43ff511b0d59193b604531dab54d

    Download Submit
  • memory/1592-55-0x00000000758A1000-0x00000000758A3000-memory.dmp
    Filesize

    8KB

    Download