sakula | 8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56

General

Target

8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe
Size

320KB
MD5

69314300da7a4a0e95be545b804565dd
SHA1

514a30aef41f24b74e34225858863897c5220eb6
SHA256

8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56
SHA512

1dc5cd0196ebd22b0b23a1908edc6af84bbd70827b0281b7a13387d191153c34c4e37c8449e8e91cf8585591f9d3bc8b3b8afdfc5786034cd7f9ecafe89037c0

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

3404 MediaCenter.exe

pid	process
3404	MediaCenter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4236 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe

description pid process

Token: SeIncBasePriorityPrivilege 1672 8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe

pid	process
4236	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1672	8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.execmd.exe

description	pid	process	target process
PID 1672 wrote to memory of 3404	1672	8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe	MediaCenter.exe
PID 1672 wrote to memory of 3404	1672	8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe	MediaCenter.exe
PID 1672 wrote to memory of 3404	1672	8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe	MediaCenter.exe
PID 1672 wrote to memory of 4288	1672	8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe	cmd.exe
PID 1672 wrote to memory of 4288	1672	8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe	cmd.exe
PID 1672 wrote to memory of 4288	1672	8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe	cmd.exe
PID 4288 wrote to memory of 4236	4288	cmd.exe	PING.EXE
PID 4288 wrote to memory of 4236	4288	cmd.exe	PING.EXE
PID 4288 wrote to memory of 4236	4288	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe
"C:\Users\Admin\AppData\Local\Temp\8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:3404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\8a819e450fbd2edc9716dbdea0f56bafc9dbb8274e502cdb9aff3f7c6bfd9b56.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
b4b0d2b0df60e423a0df1bc59ae4cda7

SHA1
d00943754311b04df7168392fc0a1a9e86113df7

SHA256
76006fb875011a25d04f227f7ab3eba8b2eb3ab4600d6ce81b7281a924f78606

SHA512
ce9bd08cbe44ae871e03f327612870dce5ef7f2ec75e9f27f150f64da9411f8cdbf25bf8d96125b2c89a0b8d1ed766b2da2e102a5d10ff7eb5efee35c50a0765

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
b4b0d2b0df60e423a0df1bc59ae4cda7

SHA1
d00943754311b04df7168392fc0a1a9e86113df7

SHA256
76006fb875011a25d04f227f7ab3eba8b2eb3ab4600d6ce81b7281a924f78606

SHA512
ce9bd08cbe44ae871e03f327612870dce5ef7f2ec75e9f27f150f64da9411f8cdbf25bf8d96125b2c89a0b8d1ed766b2da2e102a5d10ff7eb5efee35c50a0765

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads