sakula | 23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f

General

Target

23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe
Size

89KB
MD5

fcad5bdeb3eb2eaa6e1c2bb9d9eb2cc0
SHA1

8a32cdd3834e0629eeb47ca2b5f019497cfcb66b
SHA256

23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f
SHA512

6a3a2f9942ed774f2d2c2839196146666d114473fbc6cced7a36134a5dc373949e2ebb440b21c93d4d6e0e4f120806de3a1d573ca7efe27fff193c420282f35c

Score

10^/10

sakula persistence rat suricata trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

308 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

392 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe

pid process

976 23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe

pid	process
308	MediaCenter.exe

pid	process
392	cmd.exe

pid	process
976	23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1944 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe

description pid process

Token: SeIncBasePriorityPrivilege 976 23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe

pid	process
1944	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	976	23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.execmd.exe

description	pid	process	target process
PID 976 wrote to memory of 308	976	23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe	MediaCenter.exe
PID 976 wrote to memory of 308	976	23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe	MediaCenter.exe
PID 976 wrote to memory of 308	976	23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe	MediaCenter.exe
PID 976 wrote to memory of 308	976	23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe	MediaCenter.exe
PID 976 wrote to memory of 392	976	23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe	cmd.exe
PID 976 wrote to memory of 392	976	23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe	cmd.exe
PID 976 wrote to memory of 392	976	23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe	cmd.exe
PID 976 wrote to memory of 392	976	23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe	cmd.exe
PID 392 wrote to memory of 1944	392	cmd.exe	PING.EXE
PID 392 wrote to memory of 1944	392	cmd.exe	PING.EXE
PID 392 wrote to memory of 1944	392	cmd.exe	PING.EXE
PID 392 wrote to memory of 1944	392	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe
"C:\Users\Admin\AppData\Local\Temp\23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
b73ab56f3a6089aaddb108d8cc1ec251

SHA1
7a8446b1d7f64b8b9b3a0f757bf406d1b7bac459

SHA256
d625aa01b1de7618a3b5bc18bb457631f24ef9102d7022c7a81c877b7614fec5

SHA512
cc3f63dba0c5dd3beb1a697248814512b70a422ee12d12c12946d5e9fd4eac0c85b3dde17ed69ff38c5e6f9d05ed0a07373173f5638cf717b0ec37e393c74b6a

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
b73ab56f3a6089aaddb108d8cc1ec251

SHA1
7a8446b1d7f64b8b9b3a0f757bf406d1b7bac459

SHA256
d625aa01b1de7618a3b5bc18bb457631f24ef9102d7022c7a81c877b7614fec5

SHA512
cc3f63dba0c5dd3beb1a697248814512b70a422ee12d12c12946d5e9fd4eac0c85b3dde17ed69ff38c5e6f9d05ed0a07373173f5638cf717b0ec37e393c74b6a

Download Submit
memory/976-54-0x0000000076491000-0x0000000076493000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads