sakula | 898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9

General

Target

898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.exe
Size

89KB
MD5

62d4777dd8953743d26510f00b74f444
SHA1

8e23f62d8701f9e050c241680c15c3220bf78228
SHA256

898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9
SHA512

9efb88bfb322e741e7d67411cb01581cd2b81b71920688840c3ffbc746f2c9250964aca8b4f146c9e70f7f809602059cc455dc8f7ffbfff8c9a1c9ced557cfe3

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

3228 MediaCenter.exe

pid	process
3228	MediaCenter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4396 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.exe

description pid process

Token: SeIncBasePriorityPrivilege 3420 898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.exe

pid	process
4396	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	3420	898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.execmd.exe

description	pid	process	target process
PID 3420 wrote to memory of 3228	3420	898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.exe	MediaCenter.exe
PID 3420 wrote to memory of 3228	3420	898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.exe	MediaCenter.exe
PID 3420 wrote to memory of 3228	3420	898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.exe	MediaCenter.exe
PID 3420 wrote to memory of 4252	3420	898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.exe	cmd.exe
PID 3420 wrote to memory of 4252	3420	898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.exe	cmd.exe
PID 3420 wrote to memory of 4252	3420	898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.exe	cmd.exe
PID 4252 wrote to memory of 4396	4252	cmd.exe	PING.EXE
PID 4252 wrote to memory of 4396	4252	cmd.exe	PING.EXE
PID 4252 wrote to memory of 4396	4252	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.exe
"C:\Users\Admin\AppData\Local\Temp\898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3420

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:3228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\898b9cc780196111ebf157de1fbb8362abf21da678147f1198d237017c896cb9.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
f9f0267533915bd566e60d273a451770

SHA1
4ad80379da0e2b5d1619e05c519af5a20922cde5

SHA256
61b9a98afe3db013954845ba3a6de3ab495e8bbef33cecf04e8bed03e5c5e342

SHA512
4475da203d127e7f5f937c53a80ca28c89feeff63eed5f66a6492bb4832e2ac4f234019c79ce83513da2531b5b2bd347a382ef5e2aa4e80c7694cecbfafb9356

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
f9f0267533915bd566e60d273a451770

SHA1
4ad80379da0e2b5d1619e05c519af5a20922cde5

SHA256
61b9a98afe3db013954845ba3a6de3ab495e8bbef33cecf04e8bed03e5c5e342

SHA512
4475da203d127e7f5f937c53a80ca28c89feeff63eed5f66a6492bb4832e2ac4f234019c79ce83513da2531b5b2bd347a382ef5e2aa4e80c7694cecbfafb9356

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads