sakula | bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385

General

Target

bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe
Size

89KB
MD5

faed2bcd842e81c180a6ac9dde78f8d5
SHA1

dca21e88ad4e7ae8b0a7214cb53863ac2dfee60c
SHA256

bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385
SHA512

1ae6581bde17c7b7836d95713eb38c9e3120345b02d339eaf78d7f4089fb917326ae0d4372ec84ca5855ea4e9cce63f39962ee6712664826afa73a4c0b0656f2

Score

10^/10

sakula persistence rat suricata trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1600 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

968 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe

pid process

1204 bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe

pid	process
1600	MediaCenter.exe

pid	process
968	cmd.exe

pid	process
1204	bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

796 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe

description pid process

Token: SeIncBasePriorityPrivilege 1204 bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe

pid	process
796	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1204	bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.execmd.exe

description	pid	process	target process
PID 1204 wrote to memory of 1600	1204	bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe	MediaCenter.exe
PID 1204 wrote to memory of 1600	1204	bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe	MediaCenter.exe
PID 1204 wrote to memory of 1600	1204	bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe	MediaCenter.exe
PID 1204 wrote to memory of 1600	1204	bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe	MediaCenter.exe
PID 1204 wrote to memory of 968	1204	bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe	cmd.exe
PID 1204 wrote to memory of 968	1204	bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe	cmd.exe
PID 1204 wrote to memory of 968	1204	bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe	cmd.exe
PID 1204 wrote to memory of 968	1204	bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe	cmd.exe
PID 968 wrote to memory of 796	968	cmd.exe	PING.EXE
PID 968 wrote to memory of 796	968	cmd.exe	PING.EXE
PID 968 wrote to memory of 796	968	cmd.exe	PING.EXE
PID 968 wrote to memory of 796	968	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe
"C:\Users\Admin\AppData\Local\Temp\bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\bc22523add8140bf785a7a0bb446e95275dcedea3de642f23000e5c705044385.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
7fafbf38b2e31140750a6c4eb949d8f1

SHA1
5a6b3331b5b2b4cfb5ee3b994f4b6b0f8aed9d68

SHA256
479f9bcdbf0a093556dc0d45f9a053a1b8ce00d571023efa5a903de156fe87d2

SHA512
e2570e3ee8cd6a80b4cd8e475b2c6e5a644c77a309d6b76b26f90f1eeb658d7af65dc629e50019b0cd815fd8bed8dcd57b117481c0f116fd73bc0b1e3ed0faa3

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
7fafbf38b2e31140750a6c4eb949d8f1

SHA1
5a6b3331b5b2b4cfb5ee3b994f4b6b0f8aed9d68

SHA256
479f9bcdbf0a093556dc0d45f9a053a1b8ce00d571023efa5a903de156fe87d2

SHA512
e2570e3ee8cd6a80b4cd8e475b2c6e5a644c77a309d6b76b26f90f1eeb658d7af65dc629e50019b0cd815fd8bed8dcd57b117481c0f116fd73bc0b1e3ed0faa3

Download Submit
memory/1204-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads