sakula | d5d024a63dbc694980ec512dae9694334acc3de16b0c29b22faf707eb70ad159

General

Target

d5d024a63dbc694980ec512dae9694334acc3de16b0c29b22faf707eb70ad159.exe
Size

79KB
MD5

065aa01311ca8f3e0016d8ae546d30a4
SHA1

fd4fc9439e932952dfb9ef5ce25312aeb70358b1
SHA256

d5d024a63dbc694980ec512dae9694334acc3de16b0c29b22faf707eb70ad159
SHA512

ce244bf0d7bcac927be6f2b29302314f4b1b6016323d14758c564a4935ebb359d2a3ff0dd816a2ef98cc7fe4cdc7c28d3441d7a3cf74bed688b9be8ee75fa4ff

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

2220 MediaCenter.exe

pid	process
2220	MediaCenter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d5d024a63dbc694980ec512dae9694334acc3de16b0c29b22faf707eb70ad159.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	d5d024a63dbc694980ec512dae9694334acc3de16b0c29b22faf707eb70ad159.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3584 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

d5d024a63dbc694980ec512dae9694334acc3de16b0c29b22faf707eb70ad159.exe

description pid process

Token: SeIncBasePriorityPrivilege 3052 d5d024a63dbc694980ec512dae9694334acc3de16b0c29b22faf707eb70ad159.exe

pid	process
3584	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	3052	d5d024a63dbc694980ec512dae9694334acc3de16b0c29b22faf707eb70ad159.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

d5d024a63dbc694980ec512dae9694334acc3de16b0c29b22faf707eb70ad159.execmd.exe

description	pid	process	target process
PID 3052 wrote to memory of 2220	3052	d5d024a63dbc694980ec512dae9694334acc3de16b0c29b22faf707eb70ad159.exe	MediaCenter.exe
PID 3052 wrote to memory of 2220	3052	d5d024a63dbc694980ec512dae9694334acc3de16b0c29b22faf707eb70ad159.exe	MediaCenter.exe
PID 3052 wrote to memory of 2220	3052	d5d024a63dbc694980ec512dae9694334acc3de16b0c29b22faf707eb70ad159.exe	MediaCenter.exe
PID 3052 wrote to memory of 3020	3052	d5d024a63dbc694980ec512dae9694334acc3de16b0c29b22faf707eb70ad159.exe	cmd.exe
PID 3052 wrote to memory of 3020	3052	d5d024a63dbc694980ec512dae9694334acc3de16b0c29b22faf707eb70ad159.exe	cmd.exe
PID 3052 wrote to memory of 3020	3052	d5d024a63dbc694980ec512dae9694334acc3de16b0c29b22faf707eb70ad159.exe	cmd.exe
PID 3020 wrote to memory of 3584	3020	cmd.exe	PING.EXE
PID 3020 wrote to memory of 3584	3020	cmd.exe	PING.EXE
PID 3020 wrote to memory of 3584	3020	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\d5d024a63dbc694980ec512dae9694334acc3de16b0c29b22faf707eb70ad159.exe
"C:\Users\Admin\AppData\Local\Temp\d5d024a63dbc694980ec512dae9694334acc3de16b0c29b22faf707eb70ad159.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:2220

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\d5d024a63dbc694980ec512dae9694334acc3de16b0c29b22faf707eb70ad159.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:3584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
f086c4bd16c81c757f73cd07f58bf87b

SHA1
ddaeef1869a66b76eedf385245d1bdeb4f9d80de

SHA256
3bf6cc09e6bd9a505ce04925689fd3283db0bca1cfa064a254ec300b4368cab5

SHA512
4aded88e485dff0e50c546a0110bf48c4ddbad9491ccec2111607a390a4442381979ecca08fe1f148bb2c0e18bbc09282679e14a4c1271c2bb2c742562d3b4ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
f086c4bd16c81c757f73cd07f58bf87b

SHA1
ddaeef1869a66b76eedf385245d1bdeb4f9d80de

SHA256
3bf6cc09e6bd9a505ce04925689fd3283db0bca1cfa064a254ec300b4368cab5

SHA512
4aded88e485dff0e50c546a0110bf48c4ddbad9491ccec2111607a390a4442381979ecca08fe1f148bb2c0e18bbc09282679e14a4c1271c2bb2c742562d3b4ff

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads