Overview

overview

10

Static

static

0430a366d8...b5.exe

windows7_x64

10

0430a366d8...b5.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    122s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    12-02-2022 11:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0430a366d8632121a8a56264b30c8805bfcf2e7cded87a7f03799e94e9a77eb5.exe

  • Size

    60KB

  • MD5

    96de5d7d87207a6d3b8af0fd693a90c3

  • SHA1

    314b9b35a92d4e23eeda7d03b74bd62526f44370

  • SHA256

    0430a366d8632121a8a56264b30c8805bfcf2e7cded87a7f03799e94e9a77eb5

  • SHA512

    24d8bc31f38015f15a5f28e54030bc80c3217ac101ba331ca733196984071e6b91bf27c37af48ab24ae037afc8232eb3ff1a10a5d400680df7702825530136e0

Score
10/10
sakulapersistencerattrojan

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

    trojanratsakula
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0430a366d8632121a8a56264b30c8805bfcf2e7cded87a7f03799e94e9a77eb5.exe
    "C:\Users\Admin\AppData\Local\Temp\0430a366d8632121a8a56264b30c8805bfcf2e7cded87a7f03799e94e9a77eb5.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1156
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:592
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0430a366d8632121a8a56264b30c8805bfcf2e7cded87a7f03799e94e9a77eb5.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1116

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    7fec84b7583e354f19964ff28e77a4c6

    SHA1

    9deb8be598a6fce96c69bfeb20f9c4d0ac135258

    SHA256

    fb04c9afb3465f80a7eb8e3d1f673d264ef9312f109b9dbf9301b70fa7a02da6

    SHA512

    ed6e46a3f0203cd798ac74c662d1f0e95bec74445ded2c43b1c98a2bc4e4f9a6eb045899971e8a46580f3e4abdd71f56edc595271bfcbad035c75604d7cb6e16

    Download Submit
  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    7fec84b7583e354f19964ff28e77a4c6

    SHA1

    9deb8be598a6fce96c69bfeb20f9c4d0ac135258

    SHA256

    fb04c9afb3465f80a7eb8e3d1f673d264ef9312f109b9dbf9301b70fa7a02da6

    SHA512

    ed6e46a3f0203cd798ac74c662d1f0e95bec74445ded2c43b1c98a2bc4e4f9a6eb045899971e8a46580f3e4abdd71f56edc595271bfcbad035c75604d7cb6e16

    Download Submit
  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    7fec84b7583e354f19964ff28e77a4c6

    SHA1

    9deb8be598a6fce96c69bfeb20f9c4d0ac135258

    SHA256

    fb04c9afb3465f80a7eb8e3d1f673d264ef9312f109b9dbf9301b70fa7a02da6

    SHA512

    ed6e46a3f0203cd798ac74c662d1f0e95bec74445ded2c43b1c98a2bc4e4f9a6eb045899971e8a46580f3e4abdd71f56edc595271bfcbad035c75604d7cb6e16

    Download Submit
  • memory/1156-54-0x00000000766D1000-0x00000000766D3000-memory.dmp
    Filesize

    8KB

    Download