Overview

overview

10

Static

static

3

c78e7c778f...bb.exe

windows7-x64

10

c78e7c778f...bb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-03-2024 03:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c78e7c778f8104632283c4c92bba2dbb.exe

  • Size

    58KB

  • MD5

    c78e7c778f8104632283c4c92bba2dbb

  • SHA1

    d071031863ed7237cf17aa1fcf57c6873f6ff373

  • SHA256

    a41b78d189d6c68ec887203917c59d3cc36cbdde3835b226d8650d2410888fbd

  • SHA512

    ac5d31876227f32a339e572c4115a78dba86c1fac03ca9ec857ab1c63acde8afe0971ed42be0d18737b6d4d2ca4719ea2f5b89c5af0d439f2b6d531b1e473af8

  • SSDEEP

    1536:iZioIoCwbYP4nuEApQK4TQbtY2gA9DX+ytBO8c3G3eTJ/G:iEoIlwIguEA4c5DgA9DOyq0eFe

Score
10/10
sakulapersistencerattrojan

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

    trojanratsakula
  • Sakula payload 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c78e7c778f8104632283c4c92bba2dbb.exe
    "C:\Users\Admin\AppData\Local\Temp\c78e7c778f8104632283c4c92bba2dbb.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:348
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:5116
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\c78e7c778f8104632283c4c92bba2dbb.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4400
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:4200

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Filesize

    58KB

    MD5

    6aaded2e364631f81da8a8e4adcb4dee

    SHA1

    ccce74e84b5c659b69d5d99a3f6f489bd9f1a73a

    SHA256

    2fa2bafa9fdea8b489171e55532aae1fca8acbabff63baca37086e2d77bb56f8

    SHA512

    7cc878f2252ea01ef6e92f294612ac54f1348c0c5101835d944a8d9a46f8e1faeb4c3cdecdbad1865b92b9b85f10bb0a3376a5fd88917b21b2cae19e1d9e3698

    Download Submit

  • memory/348-0-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/348-6-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/348-12-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/5116-5-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/5116-7-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/5116-18-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download