sakula | 9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3

General

Target

9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe
Size

92KB
MD5

0f218e73da96af2939e75ebea7c958dc
SHA1

a20645513c85b2f8381b45245e58963698baf39b
SHA256

9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3
SHA512

b3b57777849f7df472cc44b00dad8cdaef9354e9a5316a2c4de5d6972d5077e6faac0902b89284e3873d64c9dde5616ba15a556baeedfe53bbd0e41ee9858dee

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 6 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

AdobeUpdate.exe

pid process

1456 AdobeUpdate.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1652 cmd.exe
Loads dropped DLL 4 IoCs

Processes:

9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exeAdobeUpdate.exe

pid process

1616 9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe
1456 AdobeUpdate.exe
1456 AdobeUpdate.exe
1456 AdobeUpdate.exe

pid	process
1456	AdobeUpdate.exe

pid	process
1652	cmd.exe

pid	process
1616	9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe
1456	AdobeUpdate.exe
1456	AdobeUpdate.exe
1456	AdobeUpdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"	9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1140 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe

description pid process

Token: SeIncBasePriorityPrivilege 1616 9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe

pid	process
1140	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1616	9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.execmd.exe

description	pid	process	target process
PID 1616 wrote to memory of 1456	1616	9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe	AdobeUpdate.exe
PID 1616 wrote to memory of 1456	1616	9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe	AdobeUpdate.exe
PID 1616 wrote to memory of 1456	1616	9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe	AdobeUpdate.exe
PID 1616 wrote to memory of 1456	1616	9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe	AdobeUpdate.exe
PID 1616 wrote to memory of 1456	1616	9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe	AdobeUpdate.exe
PID 1616 wrote to memory of 1456	1616	9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe	AdobeUpdate.exe
PID 1616 wrote to memory of 1456	1616	9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe	AdobeUpdate.exe
PID 1616 wrote to memory of 1652	1616	9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe	cmd.exe
PID 1616 wrote to memory of 1652	1616	9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe	cmd.exe
PID 1616 wrote to memory of 1652	1616	9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe	cmd.exe
PID 1616 wrote to memory of 1652	1616	9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe	cmd.exe
PID 1652 wrote to memory of 1140	1652	cmd.exe	PING.EXE
PID 1652 wrote to memory of 1140	1652	cmd.exe	PING.EXE
PID 1652 wrote to memory of 1140	1652	cmd.exe	PING.EXE
PID 1652 wrote to memory of 1140	1652	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe
"C:\Users\Admin\AppData\Local\Temp\9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

MD5
93b8c2fe509087d9b4482bb10326eb6f

SHA1
5bd9f0f382de51313245fba57fb7d3dd9e11b4f0

SHA256
a031236e6a3d8517297d3075405596ac539d6a592b8578ad4c8de0b7cec56837

SHA512
ca39c2cd8a3183a8c2d6bf1727444f36dd414f246f99b00e664ef3d2f87c71cdc1db2832c686ad2a200d4cb342f242f9dde12e9424fd4b25e1e9163a69b141a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

MD5
93b8c2fe509087d9b4482bb10326eb6f

SHA1
5bd9f0f382de51313245fba57fb7d3dd9e11b4f0

SHA256
a031236e6a3d8517297d3075405596ac539d6a592b8578ad4c8de0b7cec56837

SHA512
ca39c2cd8a3183a8c2d6bf1727444f36dd414f246f99b00e664ef3d2f87c71cdc1db2832c686ad2a200d4cb342f242f9dde12e9424fd4b25e1e9163a69b141a9

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

MD5
93b8c2fe509087d9b4482bb10326eb6f

SHA1
5bd9f0f382de51313245fba57fb7d3dd9e11b4f0

SHA256
a031236e6a3d8517297d3075405596ac539d6a592b8578ad4c8de0b7cec56837

SHA512
ca39c2cd8a3183a8c2d6bf1727444f36dd414f246f99b00e664ef3d2f87c71cdc1db2832c686ad2a200d4cb342f242f9dde12e9424fd4b25e1e9163a69b141a9

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

MD5
93b8c2fe509087d9b4482bb10326eb6f

SHA1
5bd9f0f382de51313245fba57fb7d3dd9e11b4f0

SHA256
a031236e6a3d8517297d3075405596ac539d6a592b8578ad4c8de0b7cec56837

SHA512
ca39c2cd8a3183a8c2d6bf1727444f36dd414f246f99b00e664ef3d2f87c71cdc1db2832c686ad2a200d4cb342f242f9dde12e9424fd4b25e1e9163a69b141a9

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

MD5
93b8c2fe509087d9b4482bb10326eb6f

SHA1
5bd9f0f382de51313245fba57fb7d3dd9e11b4f0

SHA256
a031236e6a3d8517297d3075405596ac539d6a592b8578ad4c8de0b7cec56837

SHA512
ca39c2cd8a3183a8c2d6bf1727444f36dd414f246f99b00e664ef3d2f87c71cdc1db2832c686ad2a200d4cb342f242f9dde12e9424fd4b25e1e9163a69b141a9

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

MD5
93b8c2fe509087d9b4482bb10326eb6f

SHA1
5bd9f0f382de51313245fba57fb7d3dd9e11b4f0

SHA256
a031236e6a3d8517297d3075405596ac539d6a592b8578ad4c8de0b7cec56837

SHA512
ca39c2cd8a3183a8c2d6bf1727444f36dd414f246f99b00e664ef3d2f87c71cdc1db2832c686ad2a200d4cb342f242f9dde12e9424fd4b25e1e9163a69b141a9

Download Submit
memory/1616-55-0x0000000076921000-0x0000000076923000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads