sakula | 9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3

General

Target

9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe
Size

92KB
MD5

0f218e73da96af2939e75ebea7c958dc
SHA1

a20645513c85b2f8381b45245e58963698baf39b
SHA256

9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3
SHA512

b3b57777849f7df472cc44b00dad8cdaef9354e9a5316a2c4de5d6972d5077e6faac0902b89284e3873d64c9dde5616ba15a556baeedfe53bbd0e41ee9858dee

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

AdobeUpdate.exe

pid process

3092 AdobeUpdate.exe

pid	process
3092	AdobeUpdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"	9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2112 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe

description pid process

Token: SeIncBasePriorityPrivilege 528 9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe

pid	process
2112	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	528	9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.execmd.exe

description	pid	process	target process
PID 528 wrote to memory of 3092	528	9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe	AdobeUpdate.exe
PID 528 wrote to memory of 3092	528	9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe	AdobeUpdate.exe
PID 528 wrote to memory of 3092	528	9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe	AdobeUpdate.exe
PID 528 wrote to memory of 832	528	9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe	cmd.exe
PID 528 wrote to memory of 832	528	9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe	cmd.exe
PID 528 wrote to memory of 832	528	9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe	cmd.exe
PID 832 wrote to memory of 2112	832	cmd.exe	PING.EXE
PID 832 wrote to memory of 2112	832	cmd.exe	PING.EXE
PID 832 wrote to memory of 2112	832	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe
"C:\Users\Admin\AppData\Local\Temp\9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
2⤵
- Executes dropped EXE
PID:3092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

MD5
b90f11eb6463c64a3161056affc8d8cd

SHA1
7fa033073721cfc1efac60c8aeae6025700b3a3f

SHA256
86b20b35be68ce380bac081f293a870818718c502c0a88d0e29cde67226627d1

SHA512
bb9e7d665b82a847c4ded21a8b1a8c1c76e4c96d465976f8058adcba9f06b50f5f424a08ef48fbd72ec828e219f8003a5bf5e802fa40f5e9f15265b68337d3c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

MD5
b90f11eb6463c64a3161056affc8d8cd

SHA1
7fa033073721cfc1efac60c8aeae6025700b3a3f

SHA256
86b20b35be68ce380bac081f293a870818718c502c0a88d0e29cde67226627d1

SHA512
bb9e7d665b82a847c4ded21a8b1a8c1c76e4c96d465976f8058adcba9f06b50f5f424a08ef48fbd72ec828e219f8003a5bf5e802fa40f5e9f15265b68337d3c3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads