sakula | a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24

General

Target

a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe
Size

58KB
MD5

eb8e2d67cde387d87a3d78a52a477fb4
SHA1

4138900c2fd72ddfa8fbeedb74bdc460d9a3a42b
SHA256

a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24
SHA512

d085267cbfdb096391e5d80353fa08ca9d448e225ce3505f0cd1fb5c45728a7c4495c537d079e8c894baaa94ab07f5e22a2cc7430dc42b870e4da37de0ac32c0

Score

10^/10

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Executes dropped EXE 1 IoCs

pid	Process
1652	MediaCenter.exe

Deletes itself 1 IoCs

pid	Process
1732	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1096	a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe
1096	a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

pid	Process
1772	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1096	a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1652	1096	a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe	25
PID 1096 wrote to memory of 1652	1096	a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe	25
PID 1096 wrote to memory of 1652	1096	a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe	25
PID 1096 wrote to memory of 1652	1096	a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe	25
PID 1096 wrote to memory of 1732	1096	a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe	28
PID 1096 wrote to memory of 1732	1096	a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe	28
PID 1096 wrote to memory of 1732	1096	a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe	28
PID 1096 wrote to memory of 1732	1096	a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe	28
PID 1732 wrote to memory of 1772	1732	cmd.exe	30
PID 1732 wrote to memory of 1772	1732	cmd.exe	30
PID 1732 wrote to memory of 1772	1732	cmd.exe	30
PID 1732 wrote to memory of 1772	1732	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe
"C:\Users\Admin\AppData\Local\Temp\a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\a2e5236b9facabd44e2291c6fe7289a1022f1a461db2894c99e3fc91c51e5c24.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1772