sakula | 98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987

General

Target

98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe
Size

79KB
MD5

023ef99bc3c84b8df3f837454c0e1629
SHA1

a6c4a242ef5f5657d4c39ed7de075f0d6bcbaadf
SHA256

98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987
SHA512

9da14aed7b424b1d046b2b7d27a596d807b48186943f2dc338e07245a0f7bfaa7c52bd0f999562616925c4f5c601e2e62afdba808e674ad6dad1e010bed769d4

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1208 MediaCenter.exe

pid	process
1208	MediaCenter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2212 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe

description pid process

Token: SeIncBasePriorityPrivilege 2452 98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe

pid	process
2212	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	2452	98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.execmd.exe

description	pid	process	target process
PID 2452 wrote to memory of 1208	2452	98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe	MediaCenter.exe
PID 2452 wrote to memory of 1208	2452	98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe	MediaCenter.exe
PID 2452 wrote to memory of 1208	2452	98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe	MediaCenter.exe
PID 2452 wrote to memory of 2240	2452	98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe	cmd.exe
PID 2452 wrote to memory of 2240	2452	98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe	cmd.exe
PID 2452 wrote to memory of 2240	2452	98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe	cmd.exe
PID 2240 wrote to memory of 2212	2240	cmd.exe	PING.EXE
PID 2240 wrote to memory of 2212	2240	cmd.exe	PING.EXE
PID 2240 wrote to memory of 2212	2240	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe
"C:\Users\Admin\AppData\Local\Temp\98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\98b2fa93b884c2708f8a3eafeb3c203711e64e718d0a91fe456146612db3b987.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
d9824f732ddb607b52b968397cb39bf7

SHA1
21ec815e2fef042f3fe1f36e7fa59b793aca66bc

SHA256
d512a89456e85f40635f6bc3dfdbebb6cb96b07cb02fe5f2a6dfb4dc9780106f

SHA512
2cb08b769ae9627ba1f3b36611ad0e9315987b7c1e69f03416a1e158172c1f74f02e32385ac5eef9dce80b15a27fd9794aa1e4a393e2a57d71f0f77ee14128a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
d9824f732ddb607b52b968397cb39bf7

SHA1
21ec815e2fef042f3fe1f36e7fa59b793aca66bc

SHA256
d512a89456e85f40635f6bc3dfdbebb6cb96b07cb02fe5f2a6dfb4dc9780106f

SHA512
2cb08b769ae9627ba1f3b36611ad0e9315987b7c1e69f03416a1e158172c1f74f02e32385ac5eef9dce80b15a27fd9794aa1e4a393e2a57d71f0f77ee14128a4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads