sakula | 618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf

General

Target

618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe
Size

517KB
MD5

c00d8e2e994ce0664b89481518c2376e
SHA1

8076dbd4cf89f4ddf0fa5f8f90b7664eca6312c2
SHA256

618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf
SHA512

5b030171e3f3065ef47155c16225a0ab9e21fffce79037d6a37b4a35496df70967f752777562c4e22b7726aa0780489c2f5329cf07c2a02cfb6b82c96e059f62

Score

10^/10

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00040000000130b8-60.dat	family_sakula
behavioral1/files/0x00040000000130b8-62.dat	family_sakula

Executes dropped EXE 1 IoCs

pid	Process
2000	MediaCenter.exe

Deletes itself 1 IoCs

pid	Process
1468	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1972	618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

pid	Process
1740	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1972	618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2000	1972	618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe	27
PID 1972 wrote to memory of 2000	1972	618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe	27
PID 1972 wrote to memory of 2000	1972	618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe	27
PID 1972 wrote to memory of 2000	1972	618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe	27
PID 1972 wrote to memory of 1468	1972	618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe	30
PID 1972 wrote to memory of 1468	1972	618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe	30
PID 1972 wrote to memory of 1468	1972	618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe	30
PID 1972 wrote to memory of 1468	1972	618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe	30
PID 1468 wrote to memory of 1740	1468	cmd.exe	32
PID 1468 wrote to memory of 1740	1468	cmd.exe	32
PID 1468 wrote to memory of 1740	1468	cmd.exe	32
PID 1468 wrote to memory of 1740	1468	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe
"C:\Users\Admin\AppData\Local\Temp\618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1740