618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf

General
Target

618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe

Filesize

517KB

Completed

24-09-2021 06:15

Score
10/10
MD5

c00d8e2e994ce0664b89481518c2376e

SHA1

8076dbd4cf89f4ddf0fa5f8f90b7664eca6312c2

SHA256

618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf

Malware Config
Signatures 10

Filter: none

Defense Evasion
Discovery
Persistence
  • Sakula

    Description

    Sakula is a remote access trojan with various capabilities.

  • Sakula Payload

    Reported IOCs

    resourceyara_rule
    behavioral1/files/0x00040000000130b8-60.datfamily_sakula
    behavioral1/files/0x00040000000130b8-62.datfamily_sakula
  • Executes dropped EXE
    MediaCenter.exe

    Reported IOCs

    pidprocess
    2000MediaCenter.exe
  • Deletes itself
    cmd.exe

    Reported IOCs

    pidprocess
    1468cmd.exe
  • Loads dropped DLL
    618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe

    Reported IOCs

    pidprocess
    1972618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe
  • Adds Run key to start application
    618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe

    TTPs

    Registry Run Keys / Startup FolderModify Registry

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Runs ping.exe
    PING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    pidprocess
    1740PING.EXE
  • Suspicious use of AdjustPrivilegeToken
    618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeIncBasePriorityPrivilege1972618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe
  • Suspicious use of WriteProcessMemory
    618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.execmd.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1972 wrote to memory of 20001972618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exeMediaCenter.exe
    PID 1972 wrote to memory of 20001972618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exeMediaCenter.exe
    PID 1972 wrote to memory of 20001972618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exeMediaCenter.exe
    PID 1972 wrote to memory of 20001972618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exeMediaCenter.exe
    PID 1972 wrote to memory of 14681972618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.execmd.exe
    PID 1972 wrote to memory of 14681972618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.execmd.exe
    PID 1972 wrote to memory of 14681972618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.execmd.exe
    PID 1972 wrote to memory of 14681972618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.execmd.exe
    PID 1468 wrote to memory of 17401468cmd.exePING.EXE
    PID 1468 wrote to memory of 17401468cmd.exePING.EXE
    PID 1468 wrote to memory of 17401468cmd.exePING.EXE
    PID 1468 wrote to memory of 17401468cmd.exePING.EXE
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe
    "C:\Users\Admin\AppData\Local\Temp\618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe"
    Loads dropped DLL
    Adds Run key to start application
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Executes dropped EXE
      PID:2000
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\618733a0c26f169b157e50c683a327f836ef8db6f13d7d0b94f0dd432030eacf.exe"
      Deletes itself
      Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        Runs ping.exe
        PID:1740
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Privilege Escalation
                    Replay Monitor
                    00:00 00:00
                    Downloads
                    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

                      MD5

                      6fb01a3fa8a8a04b30e5777cb0056ce1

                      SHA1

                      67590a2093b2e5b8e9d57d78ed9efc90dad394d1

                      SHA256

                      5f26f9e834d67124c819d9f94caa9067b850b39b29c6e5bbf1d40a5ed21aa282

                      SHA512

                      1fadf067b4ad46d6ab4c0c543e371ba506921dcc4639f00f81da11b3fb92dcedeae2e5e65f7171de145099de7e5de1f79a8e1158aca05709fa831bf3f2b39f3c

                    • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

                      MD5

                      6fb01a3fa8a8a04b30e5777cb0056ce1

                      SHA1

                      67590a2093b2e5b8e9d57d78ed9efc90dad394d1

                      SHA256

                      5f26f9e834d67124c819d9f94caa9067b850b39b29c6e5bbf1d40a5ed21aa282

                      SHA512

                      1fadf067b4ad46d6ab4c0c543e371ba506921dcc4639f00f81da11b3fb92dcedeae2e5e65f7171de145099de7e5de1f79a8e1158aca05709fa831bf3f2b39f3c

                    • memory/1468-64-0x0000000000000000-mapping.dmp

                    • memory/1740-65-0x0000000000000000-mapping.dmp

                    • memory/1972-59-0x0000000076A01000-0x0000000076A03000-memory.dmp

                    • memory/2000-61-0x0000000000000000-mapping.dmp