Analysis

  • max time kernel
    141s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-12-2023 13:16

General

  • Target

    30061268063116f854b0d852633da766.exe

  • Size

    35KB

  • MD5

    30061268063116f854b0d852633da766

  • SHA1

    b884240ccdca0945936936d5bdbb5e9c1be5644a

  • SHA256

    6cf59fb86fb64ec86d78df143339d3c2c6e35eef58d3b256bc727075e5d59389

  • SHA512

    763c99c80a65920d1742cbcc8f32e815d34dfcdaa35d1a17fd2746a53d172206f01bd7560d23e7e52b370353c2d277892161574b69ded0f5244be5e0f1f11289

  • SSDEEP

    768:lwbYGCv4nuEcJpQK4TQbtKvXwXgA9lJJea+yGCJQqeWnAEv2647D7:lwbYP4nuEApQK4TQbtY2gA9DX+ytBOF

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

  • Sakula payload 4 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\30061268063116f854b0d852633da766.exe
    "C:\Users\Admin\AppData\Local\Temp\30061268063116f854b0d852633da766.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:2024
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\30061268063116f854b0d852633da766.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2600

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Filesize

    35KB

    MD5

    f2d4af4d6212ce64a67a78c3fc76c268

    SHA1

    74ce8a8da65511340fd6036333171254d1149d59

    SHA256

    3020990b928fe857b27aa374cebdc1a5ddeb15e3d45b00353f25230cdbc6f2b4

    SHA512

    fdf309f6be1761973b019aab015c12473e1f90dba82b1418a712e7495878ce3a9d325a2d5641c915e033901e54735e685b4e7db1c8430ab442d62f3d0f61a442

  • memory/2024-11-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

  • memory/2024-24-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

  • memory/2036-0-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

  • memory/2036-9-0x0000000000220000-0x000000000023A000-memory.dmp
    Filesize

    104KB

  • memory/2036-10-0x0000000000220000-0x000000000023A000-memory.dmp
    Filesize

    104KB

  • memory/2036-12-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

  • memory/2036-16-0x0000000000220000-0x000000000023A000-memory.dmp
    Filesize

    104KB

  • memory/2036-19-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB