sakula | 23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f

General

Target

23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe
Size

89KB
MD5

fcad5bdeb3eb2eaa6e1c2bb9d9eb2cc0
SHA1

8a32cdd3834e0629eeb47ca2b5f019497cfcb66b
SHA256

23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f
SHA512

6a3a2f9942ed774f2d2c2839196146666d114473fbc6cced7a36134a5dc373949e2ebb440b21c93d4d6e0e4f120806de3a1d573ca7efe27fff193c420282f35c

Score

10^/10

sakula persistence rat suricata trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

392 MediaCenter.exe

pid	process
392	MediaCenter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1928 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe

description pid process

Token: SeIncBasePriorityPrivilege 3800 23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe

pid	process
1928	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	3800	23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.execmd.exe

description	pid	process	target process
PID 3800 wrote to memory of 392	3800	23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe	MediaCenter.exe
PID 3800 wrote to memory of 392	3800	23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe	MediaCenter.exe
PID 3800 wrote to memory of 392	3800	23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe	MediaCenter.exe
PID 3800 wrote to memory of 3940	3800	23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe	cmd.exe
PID 3800 wrote to memory of 3940	3800	23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe	cmd.exe
PID 3800 wrote to memory of 3940	3800	23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe	cmd.exe
PID 3940 wrote to memory of 1928	3940	cmd.exe	PING.EXE
PID 3940 wrote to memory of 1928	3940	cmd.exe	PING.EXE
PID 3940 wrote to memory of 1928	3940	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe
"C:\Users\Admin\AppData\Local\Temp\23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3800

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\23b27a9e7cc687d9249337923cc720c8d3fee98d782f42c9d7fe04738826eb2f.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
78b42398f6db4c17d6aa2716077d687e

SHA1
fd55190b0658e7e6dad65711538f16038cc3dce8

SHA256
e114ab2e0803cac73f515e455fbc9ca82c55ed0278a951ed675166879109d3ac

SHA512
f0d9c21c1359810a398d73c889391cd3ebd587a4c53cc21c759151c243e40d0da90169524de9f52c062a1f26cdccd56a98ba144c29c9577c4672703ac4be28da

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
78b42398f6db4c17d6aa2716077d687e

SHA1
fd55190b0658e7e6dad65711538f16038cc3dce8

SHA256
e114ab2e0803cac73f515e455fbc9ca82c55ed0278a951ed675166879109d3ac

SHA512
f0d9c21c1359810a398d73c889391cd3ebd587a4c53cc21c759151c243e40d0da90169524de9f52c062a1f26cdccd56a98ba144c29c9577c4672703ac4be28da

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads