Overview

overview

10

Static

static

10

c0064a70b0...43.exe

windows7_x64

10

c0064a70b0...43.exe

windows10_x64

10

c0064a70b0...43.exe

windows10-2004_x64

10

Resubmissions

24-02-2022 11:08

220224-m8v1vschc4 10

30-09-2021 12:24

210930-pk2jvahghl 10

Analysis

  • max time kernel
    4294194s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    24-02-2022 11:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe

  • Size

    216KB

  • MD5

    dab5f66a4c8f6bcbcdeb2a83c21769c5

  • SHA1

    06e8c2999917c6bc5d4b6359de3222d4379acbb9

  • SHA256

    c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143

  • SHA512

    3a02669cd6390e5c6b5e1dd8711c300790cd78419a512830325c497fad7a5864aeaac6e0622dd39ab3bd3bafad49f5ad968d0d6c24c961adb9cafb7b64869854

Score
10/10
sakulapersistencerattrojan

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

    trojanratsakula
  • Sakula Payload 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe
    "C:\Users\Admin\AppData\Local\Temp\c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:476
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\c0064a70b0d297c43ccc230f852c1ffac7534d58251dec497bab0e7e82f79143.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:392
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    eba26bb075a47deb69c50651936b1854

    SHA1

    01b1ed1857cf0a618ed074b74562b4b6e48f9a39

    SHA256

    9e2e358064c3ff4d30d4c99c95254f4763bbab8141213f2d67902dff41f3ac72

    SHA512

    18298ac13571b4953ee046f426f16c96d6ff7a4eb783a57c64cb3fc26569b0a660f6b3a3e39237c4f48362a64075d193dee551c89ebcbfc3d541836592a0bfd0

    Download Submit
  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    MD5

    eba26bb075a47deb69c50651936b1854

    SHA1

    01b1ed1857cf0a618ed074b74562b4b6e48f9a39

    SHA256

    9e2e358064c3ff4d30d4c99c95254f4763bbab8141213f2d67902dff41f3ac72

    SHA512

    18298ac13571b4953ee046f426f16c96d6ff7a4eb783a57c64cb3fc26569b0a660f6b3a3e39237c4f48362a64075d193dee551c89ebcbfc3d541836592a0bfd0

    Download Submit
  • memory/476-59-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1204-54-0x0000000075CC1000-0x0000000075CC3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1204-58-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download