sakula | 7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e

General

Target

7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe
Size

92KB
MD5

80eb86542ce7ad99acc53a9f85b01885
SHA1

bd89cd830863d02164c0d1d42f76b7a8d4c523fd
SHA256

7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e
SHA512

fcb0f9a0790a705fd6f2bb7742650684634c7b4b2624d87aaf62f207d67fcd03ebea366bb3db04b89137da4936a5d6054abea56390d0f255b42ca9671ed99411

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

AdobeUpdate.exe

pid process

3452 AdobeUpdate.exe

pid	process
3452	AdobeUpdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"	7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4056 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe

description pid process

Token: SeIncBasePriorityPrivilege 2640 7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe

pid	process
4056	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	2640	7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.execmd.exe

description	pid	process	target process
PID 2640 wrote to memory of 3452	2640	7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe	AdobeUpdate.exe
PID 2640 wrote to memory of 3452	2640	7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe	AdobeUpdate.exe
PID 2640 wrote to memory of 3452	2640	7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe	AdobeUpdate.exe
PID 2640 wrote to memory of 3284	2640	7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe	cmd.exe
PID 2640 wrote to memory of 3284	2640	7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe	cmd.exe
PID 2640 wrote to memory of 3284	2640	7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe	cmd.exe
PID 3284 wrote to memory of 4056	3284	cmd.exe	PING.EXE
PID 3284 wrote to memory of 4056	3284	cmd.exe	PING.EXE
PID 3284 wrote to memory of 4056	3284	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe
"C:\Users\Admin\AppData\Local\Temp\7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
2⤵
- Executes dropped EXE
PID:3452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

MD5
468f6e80d39e3efc53faffeadaac7700

SHA1
4fd2e6cb472c9ec3f186e890e647ed4533a61dc9

SHA256
1e48adc3cbf0daac957f5187b371419c17d32872272785d0948a608a22c00069

SHA512
6e179c66d46b082d8c7da6b954281f09ec3a9b378b7a18ea81b05a70c5a67943a7d4e0e7ec4cb072d876ec37da6dace7e09ddc55a376622991727aff73b5e0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

MD5
468f6e80d39e3efc53faffeadaac7700

SHA1
4fd2e6cb472c9ec3f186e890e647ed4533a61dc9

SHA256
1e48adc3cbf0daac957f5187b371419c17d32872272785d0948a608a22c00069

SHA512
6e179c66d46b082d8c7da6b954281f09ec3a9b378b7a18ea81b05a70c5a67943a7d4e0e7ec4cb072d876ec37da6dace7e09ddc55a376622991727aff73b5e0ee

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads