Analysis

  • max time kernel
    119s
  • max time network
    103s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/12/2024, 10:30 UTC

General

  • Target

    651914d24649c40f8459d5af74ea2c829438f0bbc937da3687085fb56a964b31.exe

  • Size

    43KB

  • MD5

    4e30d88b2a30edbead66b794a0b5a5f5

  • SHA1

    5c8279c0166194bcadcb5c0694c22b4f0f703cfe

  • SHA256

    651914d24649c40f8459d5af74ea2c829438f0bbc937da3687085fb56a964b31

  • SHA512

    f49527b87799346d5aa967b37eff5d6849ba05a729c108f8f5a47dc4985a239d2868d2cd75566694bc4fa946c46658a5fbaa079713712cc9b2157a3d6311975b

  • SSDEEP

    768:+U9XnKJv8KrtPNxT4oreP7cIK3yQpdk6x8pf9m4P/S0hVvIZiGDZ6RO8nHE8taqY:+U9abrtX4oocIK3yQkaY9z/S0hhy6k8y

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

  • Sakula family
  • Sakula payload 4 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\651914d24649c40f8459d5af74ea2c829438f0bbc937da3687085fb56a964b31.exe
    "C:\Users\Admin\AppData\Local\Temp\651914d24649c40f8459d5af74ea2c829438f0bbc937da3687085fb56a964b31.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2776
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\651914d24649c40f8459d5af74ea2c829438f0bbc937da3687085fb56a964b31.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:1220
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:596

Network

  • DNS (MediaCenter.exe)
    Remote address: 8.8.8.8:53
    Request: citrix.vipreclod.com IN A
    Response: (none)

    Remote address      Domain                 Protocol  Process          Sent   Received  Packets sent  Packets received
    184.22.175.13:80                                     MediaCenter.exe  152 B            3
    184.22.175.13:80                                     MediaCenter.exe  152 B            3
    8.8.8.8:53          citrix.vipreclod.com   dns       MediaCenter.exe  66 B   134 B     1             1

    DNS Request: citrix.vipreclod.com

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

    Filesize

    43KB

    MD5

    681e7a228666befca754f0fb8782d80e

    SHA1

    370b8d9654650b03720917586636bb90ecb2dcd1

    SHA256

    ce1c5424cbb68855202086b34e8de3c634e5458d389d1f98ba34978123b66a82

    SHA512

    c8f1f4499be99aa5f0eb2ebc917060b9ccedaedf3d6e3ef504ffad980a68fe21377b368380c8c915d0645ef084a17345a731373ce718d693852b85057b89c3bc

  • memory/2748-0-0x0000000000C40000-0x0000000000C5F000-memory.dmp

    Filesize

    124KB

  • memory/2748-9-0x00000000009F0000-0x0000000000A0F000-memory.dmp

    Filesize

    124KB

  • memory/2748-11-0x0000000000C40000-0x0000000000C5F000-memory.dmp

    Filesize

    124KB

  • memory/2748-12-0x00000000009F0000-0x0000000000A0F000-memory.dmp

    Filesize

    124KB

  • memory/2748-13-0x00000000009F0000-0x0000000000A0F000-memory.dmp

    Filesize

    124KB

  • memory/2748-22-0x0000000000C40000-0x0000000000C5F000-memory.dmp

    Filesize

    124KB

  • memory/2748-23-0x00000000009F0000-0x0000000000A0F000-memory.dmp

    Filesize

    124KB

  • memory/2776-10-0x00000000009F0000-0x0000000000A0F000-memory.dmp

    Filesize

    124KB

  • memory/2776-14-0x00000000009F0000-0x0000000000A0F000-memory.dmp

    Filesize

    124KB

  • memory/2776-28-0x00000000009F0000-0x0000000000A0F000-memory.dmp

    Filesize

    124KB
