sakula | 4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2

General

Target

4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe
Size

137KB
MD5

3f0ba1cd12bab7ba5875d1b02e45dfcf
SHA1

a5dfa8bbf1643274d0ef0902626172019173bf52
SHA256

4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2
SHA512

c221fb23fc92a4d2550defcaea6f422a33e7035506ede6b0193ebc10aab5561e08c8bb7fe38852faf8996e954c6c17e2b66b4600db92e5e5be83d9d79f233884

Score

10^/10

sakula persistence rat trojan upx

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MicroSoftSecurityLogin.ocx	acprotect
\Users\Admin\AppData\Local\Temp\MicroMedia\MicroSoftSecurityLogin.ocx	acprotect

Drops file in Drivers directory 1 IoCs

Processes:

MediaCenter.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts MediaCenter.exe
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

2316 MediaCenter.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	MediaCenter.exe

pid	process
2316	MediaCenter.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MicroSoftSecurityLogin.ocx	upx
\Users\Admin\AppData\Local\Temp\MicroMedia\MicroSoftSecurityLogin.ocx	upx

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

972 regsvr32.exe

pid	process
972	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MediaCenter.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	MediaCenter.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SECURE.SecureCtrl.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\ = "Secure Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\TypeLib\ = "{623BF701-D62F-4D1D-BBF8-88A84101DA38}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MICROM~1\\MICROS~1.OCX, 1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{623BF701-D62F-4D1D-BBF8-88A84101DA38}\1.0\FLAGS\ = "2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{623BF701-D62F-4D1D-BBF8-88A84101DA38}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{623BF701-D62F-4D1D-BBF8-88A84101DA38}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\MiscStatus\1\ = "132241"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\Control\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{623BF701-D62F-4D1D-BBF8-88A84101DA38}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{623BF701-D62F-4D1D-BBF8-88A84101DA38}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MicroSoftSecurityLogin.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SECURE.SecureCtrl.1\CLSID\ = "{9A2AA809-5F01-456E-883F-F37C1513FEF7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}\ = "_DSecure"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}\TypeLib\ = "{623BF701-D62F-4D1D-BBF8-88A84101DA38}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}\TypeLib\ = "{623BF701-D62F-4D1D-BBF8-88A84101DA38}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}\TypeLib\ = "{623BF701-D62F-4D1D-BBF8-88A84101DA38}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7ECC23E8-41D6-492E-BFF6-8551E11CF286}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7ECC23E8-41D6-492E-BFF6-8551E11CF286}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MICROM~1\\MICROS~1.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MICROM~1\\MICROS~1.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{623BF701-D62F-4D1D-BBF8-88A84101DA38}\1.0\ = "secure ActiveX Control module"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}\TypeLib\ = "{623BF701-D62F-4D1D-BBF8-88A84101DA38}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}\ = "_DSecure"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}\ = "_DSecureEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{623BF701-D62F-4D1D-BBF8-88A84101DA38}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}\ = "_DSecureEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{623BF701-D62F-4D1D-BBF8-88A84101DA38}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SECURE.SecureCtrl.1\ = "Secure Control"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3188BE-42C4-4826-85E6-66206941C8AD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\ProgID\ = "SECURE.SecureCtrl.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{623BF701-D62F-4D1D-BBF8-88A84101DA38}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{623BF701-D62F-4D1D-BBF8-88A84101DA38}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A2AA809-5F01-456E-883F-F37C1513FEF7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BEA13025-5E7F-4B89-ACAC-CBD6D86536CC}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7ECC23E8-41D6-492E-BFF6-8551E11CF286}\ = "Secure Property Page"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7ECC23E8-41D6-492E-BFF6-8551E11CF286}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SECURE.SecureCtrl.1	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe

description pid process

Token: SeIncBasePriorityPrivilege 2776 4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2776	4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exeMediaCenter.exe

description	pid	process	target process
PID 2776 wrote to memory of 2316	2776	4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe	MediaCenter.exe
PID 2776 wrote to memory of 2316	2776	4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe	MediaCenter.exe
PID 2776 wrote to memory of 2316	2776	4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe	MediaCenter.exe
PID 2776 wrote to memory of 580	2776	4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe	cmd.exe
PID 2776 wrote to memory of 580	2776	4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe	cmd.exe
PID 2776 wrote to memory of 580	2776	4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe	cmd.exe
PID 2316 wrote to memory of 972	2316	MediaCenter.exe	regsvr32.exe
PID 2316 wrote to memory of 972	2316	MediaCenter.exe	regsvr32.exe
PID 2316 wrote to memory of 972	2316	MediaCenter.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe
"C:\Users\Admin\AppData\Local\Temp\4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s C:\Users\Admin\AppData\Local\Temp\MicroMedia\MicroSoftSecurityLogin.ocx
3⤵
- Loads dropped DLL
- Modifies registry class
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4D21DA~1.EXE > nul
2⤵
PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
3f0ba1cd12bab7ba5875d1b02e45dfcf

SHA1
a5dfa8bbf1643274d0ef0902626172019173bf52

SHA256
4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2

SHA512
c221fb23fc92a4d2550defcaea6f422a33e7035506ede6b0193ebc10aab5561e08c8bb7fe38852faf8996e954c6c17e2b66b4600db92e5e5be83d9d79f233884

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
3f0ba1cd12bab7ba5875d1b02e45dfcf

SHA1
a5dfa8bbf1643274d0ef0902626172019173bf52

SHA256
4d21da09b2ca0226c812692ab7cba60af1c8d58ff97dda500df2f850b2c38ef2

SHA512
c221fb23fc92a4d2550defcaea6f422a33e7035506ede6b0193ebc10aab5561e08c8bb7fe38852faf8996e954c6c17e2b66b4600db92e5e5be83d9d79f233884

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MicroSoftSecurityLogin.ocx

MD5
bc99d3f41dfca74f2b40ce4d4f959af0

SHA1
ae605ef5075020dc8666d0fc29936e8eeb30d19c

SHA256
4086ae5b9737802b6a93a0466d2daf310ba80af82f52b55148b7382b83167bb5

SHA512
41feda0f3c7b781108a641211124e2e72094722ab6a011fde57498501395b38c43ab10b81be13fdc0165838453b9d02c6f472baa72f1b57bc210c83a2fcfb6b0

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MicroSoftSecurityLogin.ocx

MD5
bc99d3f41dfca74f2b40ce4d4f959af0

SHA1
ae605ef5075020dc8666d0fc29936e8eeb30d19c

SHA256
4086ae5b9737802b6a93a0466d2daf310ba80af82f52b55148b7382b83167bb5

SHA512
41feda0f3c7b781108a641211124e2e72094722ab6a011fde57498501395b38c43ab10b81be13fdc0165838453b9d02c6f472baa72f1b57bc210c83a2fcfb6b0

Download Submit
memory/2776-117-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads