sakula | ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd

General

Target

ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe
Size

89KB
MD5

91569c57fc342161c479603f3b527c1d
SHA1

14c7a1661620f46c2943fa1ad522631638569b37
SHA256

ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd
SHA512

f34fa95e96e774ec90222b042549b2e72f0a792a6c6cad550ba48ac0ba1740b8a5f8f15bab9e9759ba4c5648b3aa759b35d6f1b726893d5130f17f7502eff1d5

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

3400 MediaCenter.exe

pid	process
3400	MediaCenter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4412 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe

description pid process

Token: SeIncBasePriorityPrivilege 348 ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe

pid	process
4412	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	348	ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.execmd.exe

description	pid	process	target process
PID 348 wrote to memory of 3400	348	ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe	MediaCenter.exe
PID 348 wrote to memory of 3400	348	ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe	MediaCenter.exe
PID 348 wrote to memory of 3400	348	ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe	MediaCenter.exe
PID 348 wrote to memory of 4368	348	ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe	cmd.exe
PID 348 wrote to memory of 4368	348	ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe	cmd.exe
PID 348 wrote to memory of 4368	348	ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe	cmd.exe
PID 4368 wrote to memory of 4412	4368	cmd.exe	PING.EXE
PID 4368 wrote to memory of 4412	4368	cmd.exe	PING.EXE
PID 4368 wrote to memory of 4412	4368	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe
"C:\Users\Admin\AppData\Local\Temp\ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:348

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:3400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\ebe46601e7afaa00a58df26f01d668a07145b0c5a3c642f728db125c8be632fd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
980cc6f08bfcd0721374e8ab34e8d1ee

SHA1
c4938a6b742bef4649691f6208ce7ff7c0cdcd21

SHA256
13893d66ef6121ebd93f0f0c9265165a325dc4eb7e06d879e5982a44b49d2737

SHA512
b341f9543ed31b8e226790ca528bbcd844b01c683d8e611f1c580f985f5d9b3d7465f885411db5d983e3adade426d1d7cf3ac340597fc8ad72e7f6ca35459cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
980cc6f08bfcd0721374e8ab34e8d1ee

SHA1
c4938a6b742bef4649691f6208ce7ff7c0cdcd21

SHA256
13893d66ef6121ebd93f0f0c9265165a325dc4eb7e06d879e5982a44b49d2737

SHA512
b341f9543ed31b8e226790ca528bbcd844b01c683d8e611f1c580f985f5d9b3d7465f885411db5d983e3adade426d1d7cf3ac340597fc8ad72e7f6ca35459cbc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads