sakula | c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e

General

Target

c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe
Size

89KB
MD5

2ca3f59590a5aeab648f292bf19f4a5e
SHA1

bf3cb57d73c580f710388c9d574de074bbca5d7a
SHA256

c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e
SHA512

c0ce4574fd307e9f2069fc2f390a935fc1dc1f4a0c0f2711ad69ae14da07bb037c6d4d51917f36a012e428e544b760776265a0ead6adb67fee7c1496f4c25ca2

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1740 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1780 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe

pid process

1288 c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe

pid	process
1740	MediaCenter.exe

pid	process
1780	cmd.exe

pid	process
1288	c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

432 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe

description pid process

Token: SeIncBasePriorityPrivilege 1288 c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe

pid	process
432	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1288	c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.execmd.exe

description	pid	process	target process
PID 1288 wrote to memory of 1740	1288	c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe	MediaCenter.exe
PID 1288 wrote to memory of 1740	1288	c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe	MediaCenter.exe
PID 1288 wrote to memory of 1740	1288	c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe	MediaCenter.exe
PID 1288 wrote to memory of 1740	1288	c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe	MediaCenter.exe
PID 1288 wrote to memory of 1780	1288	c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe	cmd.exe
PID 1288 wrote to memory of 1780	1288	c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe	cmd.exe
PID 1288 wrote to memory of 1780	1288	c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe	cmd.exe
PID 1288 wrote to memory of 1780	1288	c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe	cmd.exe
PID 1780 wrote to memory of 432	1780	cmd.exe	PING.EXE
PID 1780 wrote to memory of 432	1780	cmd.exe	PING.EXE
PID 1780 wrote to memory of 432	1780	cmd.exe	PING.EXE
PID 1780 wrote to memory of 432	1780	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe
"C:\Users\Admin\AppData\Local\Temp\c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
a499eb744b45d78d47473ebf8c2dbc5e

SHA1
e6fc18f914bd96bf86d722aa9f950fb352115553

SHA256
d6a2ae333c9a86b33ce4a4aae2c595dab23e2eecdf3c41b0d001c2ad4d66d7aa

SHA512
2b10887cd51ead136163de0b1714efeb533d4f6e825ebb47a57d23ec2fcc8ff2a643b1661eeb5d0c4f71cd1e59c1554ad95a78c56288acf3d9b91c2d5c1c31de

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
a499eb744b45d78d47473ebf8c2dbc5e

SHA1
e6fc18f914bd96bf86d722aa9f950fb352115553

SHA256
d6a2ae333c9a86b33ce4a4aae2c595dab23e2eecdf3c41b0d001c2ad4d66d7aa

SHA512
2b10887cd51ead136163de0b1714efeb533d4f6e825ebb47a57d23ec2fcc8ff2a643b1661eeb5d0c4f71cd1e59c1554ad95a78c56288acf3d9b91c2d5c1c31de

Download Submit
memory/1288-55-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads