sakula | 48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5

General

Target

48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe
Size

89KB
MD5

f349ee3706c815a79a60d2534284935d
SHA1

13ff314b0f85e4a5c76c2d332842b7a541dd2606
SHA256

48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5
SHA512

dc017f851e92dce7c63183a98626579c72b60d5c283cf8d8abd0ccc0f227407a29c223bef5bc3f80cf23340013800584fd56630de78badd3cfd4716566877550

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

3152 MediaCenter.exe

pid	process
3152	MediaCenter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1060 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe

description pid process

Token: SeIncBasePriorityPrivilege 2680 48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe

pid	process
1060	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	2680	48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.execmd.exe

description	pid	process	target process
PID 2680 wrote to memory of 3152	2680	48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe	MediaCenter.exe
PID 2680 wrote to memory of 3152	2680	48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe	MediaCenter.exe
PID 2680 wrote to memory of 3152	2680	48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe	MediaCenter.exe
PID 2680 wrote to memory of 2180	2680	48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe	cmd.exe
PID 2680 wrote to memory of 2180	2680	48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe	cmd.exe
PID 2680 wrote to memory of 2180	2680	48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe	cmd.exe
PID 2180 wrote to memory of 1060	2180	cmd.exe	PING.EXE
PID 2180 wrote to memory of 1060	2180	cmd.exe	PING.EXE
PID 2180 wrote to memory of 1060	2180	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe
"C:\Users\Admin\AppData\Local\Temp\48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:3152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\48459e241cccaf0c4ada704f7f3dae691c89cd10a60f808d8d402a9df05448d5.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
5b70502e0c9b8d83808806004b96945b

SHA1
1fb9337d6fc5cb9c55bde3ad7b532146719c3eb9

SHA256
f593f6e31a358d4a8ca84c7a67e7727bd038e96e19830d15108a3a297ae9f351

SHA512
1a16933108f88ccbe7b5cff6206fe680c70725860493c18d7c9d3b1823d46dce21bf1d49b158cc5d6f5de9f1385996c6c205c8ddcf2cc9caf9d51e6435426d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
5b70502e0c9b8d83808806004b96945b

SHA1
1fb9337d6fc5cb9c55bde3ad7b532146719c3eb9

SHA256
f593f6e31a358d4a8ca84c7a67e7727bd038e96e19830d15108a3a297ae9f351

SHA512
1a16933108f88ccbe7b5cff6206fe680c70725860493c18d7c9d3b1823d46dce21bf1d49b158cc5d6f5de9f1385996c6c205c8ddcf2cc9caf9d51e6435426d5c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads