sakula | c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e

General

Target

c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe
Size

89KB
MD5

2ca3f59590a5aeab648f292bf19f4a5e
SHA1

bf3cb57d73c580f710388c9d574de074bbca5d7a
SHA256

c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e
SHA512

c0ce4574fd307e9f2069fc2f390a935fc1dc1f4a0c0f2711ad69ae14da07bb037c6d4d51917f36a012e428e544b760776265a0ead6adb67fee7c1496f4c25ca2

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

2868 MediaCenter.exe

pid	process
2868	MediaCenter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1496 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe

description pid process

Token: SeIncBasePriorityPrivilege 2844 c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe

pid	process
1496	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	2844	c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.execmd.exe

description	pid	process	target process
PID 2844 wrote to memory of 2868	2844	c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe	MediaCenter.exe
PID 2844 wrote to memory of 2868	2844	c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe	MediaCenter.exe
PID 2844 wrote to memory of 2868	2844	c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe	MediaCenter.exe
PID 2844 wrote to memory of 3548	2844	c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe	cmd.exe
PID 2844 wrote to memory of 3548	2844	c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe	cmd.exe
PID 2844 wrote to memory of 3548	2844	c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe	cmd.exe
PID 3548 wrote to memory of 1496	3548	cmd.exe	PING.EXE
PID 3548 wrote to memory of 1496	3548	cmd.exe	PING.EXE
PID 3548 wrote to memory of 1496	3548	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe
"C:\Users\Admin\AppData\Local\Temp\c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:2868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\c6088899bcb77e5d642999ebb0f440e28b795007735023b38d4965c0ae02a05e.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
ee4106fb9925171165ee6b46d63e75a2

SHA1
c12538be22f90aab8f0a6e7ef1de3936a2c1e5c7

SHA256
13b093e7c4ab208690baa99ad86345b09ff2b14ff5e6e634689e5d2f6aeb6c1f

SHA512
70b6875e6b36abac40534e717c63d8dcc425825c28da78c697740e4922f629fc24138a82a4cd2a2569f53cf278cd09a6f91a2c065748e23b17b19680c38cdb99

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
ee4106fb9925171165ee6b46d63e75a2

SHA1
c12538be22f90aab8f0a6e7ef1de3936a2c1e5c7

SHA256
13b093e7c4ab208690baa99ad86345b09ff2b14ff5e6e634689e5d2f6aeb6c1f

SHA512
70b6875e6b36abac40534e717c63d8dcc425825c28da78c697740e4922f629fc24138a82a4cd2a2569f53cf278cd09a6f91a2c065748e23b17b19680c38cdb99

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads