sakula | ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6

General

Target

ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe
Size

89KB
MD5

5ff5916c9f7c593d1d589c97c571b45a
SHA1

9d65a6cd35f8aacdf0965a3c4c1e609fefd97157
SHA256

ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6
SHA512

c59be83ada047f3742ee87900516d5f66863a16139b6f39cfc266b62b763b8a9defabff2120ad880b43d6efb6de804b2d417fd0d29a92a64157dc1e7034f4633

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

288 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1988 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe

pid process

744 ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe

pid	process
288	MediaCenter.exe

pid	process
1988	cmd.exe

pid	process
744	ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1460 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe

description pid process

Token: SeIncBasePriorityPrivilege 744 ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe

pid	process
1460	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	744	ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.execmd.exe

description	pid	process	target process
PID 744 wrote to memory of 288	744	ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe	MediaCenter.exe
PID 744 wrote to memory of 288	744	ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe	MediaCenter.exe
PID 744 wrote to memory of 288	744	ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe	MediaCenter.exe
PID 744 wrote to memory of 288	744	ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe	MediaCenter.exe
PID 744 wrote to memory of 1988	744	ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe	cmd.exe
PID 744 wrote to memory of 1988	744	ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe	cmd.exe
PID 744 wrote to memory of 1988	744	ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe	cmd.exe
PID 744 wrote to memory of 1988	744	ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe	cmd.exe
PID 1988 wrote to memory of 1460	1988	cmd.exe	PING.EXE
PID 1988 wrote to memory of 1460	1988	cmd.exe	PING.EXE
PID 1988 wrote to memory of 1460	1988	cmd.exe	PING.EXE
PID 1988 wrote to memory of 1460	1988	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe
"C:\Users\Admin\AppData\Local\Temp\ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\ad382c5acb55890cb0f62880897b5b25455d8f0d30bf2985bdc2ac04f6f85ce6.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
39462a837a1648d8f3e70451c6d5fa2d

SHA1
1061568bba44df01e9d0e0921b2c76296c164ec4

SHA256
5e1e46ba3f11cb2f941723dd197d2c7547b2307139864db065f94862d548b834

SHA512
9fb24f2c1ba0d515339e6f78b4c1ee6f4db5bf7ae43b0765aa1e77261c0f81c43414c15bafbb3d043f8aa8cf317c2caf81f7d12d34a1c25789f07ab7f9169a34

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
39462a837a1648d8f3e70451c6d5fa2d

SHA1
1061568bba44df01e9d0e0921b2c76296c164ec4

SHA256
5e1e46ba3f11cb2f941723dd197d2c7547b2307139864db065f94862d548b834

SHA512
9fb24f2c1ba0d515339e6f78b4c1ee6f4db5bf7ae43b0765aa1e77261c0f81c43414c15bafbb3d043f8aa8cf317c2caf81f7d12d34a1c25789f07ab7f9169a34

Download Submit
memory/744-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads