sakula | 1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1

General

Target

1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe
Size

216KB
MD5

c0cb2603d8b7146804f64d28aabf9dd1
SHA1

aac0df39bb5d9d123c403a51f75aa9eab7fffb97
SHA256

1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1
SHA512

9367dd04737cdebbc35b5b7f35b066bfd63d4fe83cb3cfccfd28381b2e2095ef869d4c7220b4fb10cc150c4adf84a58e022150a388f668fc5cca10e87b72cfb6

Score

10^/10

sakula persistence rat suricata trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral1/memory/856-58-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula
behavioral1/memory/1212-59-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1212 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1996 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe

pid process

856 1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe

pid	process
1212	MediaCenter.exe

pid	process
1996	cmd.exe

pid	process
856	1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1968 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe

description pid process

Token: SeIncBasePriorityPrivilege 856 1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe

pid	process
1968	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	856	1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.execmd.exe

description	pid	process	target process
PID 856 wrote to memory of 1212	856	1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe	MediaCenter.exe
PID 856 wrote to memory of 1212	856	1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe	MediaCenter.exe
PID 856 wrote to memory of 1212	856	1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe	MediaCenter.exe
PID 856 wrote to memory of 1212	856	1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe	MediaCenter.exe
PID 856 wrote to memory of 1996	856	1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe	cmd.exe
PID 856 wrote to memory of 1996	856	1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe	cmd.exe
PID 856 wrote to memory of 1996	856	1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe	cmd.exe
PID 856 wrote to memory of 1996	856	1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe	cmd.exe
PID 1996 wrote to memory of 1968	1996	cmd.exe	PING.EXE
PID 1996 wrote to memory of 1968	1996	cmd.exe	PING.EXE
PID 1996 wrote to memory of 1968	1996	cmd.exe	PING.EXE
PID 1996 wrote to memory of 1968	1996	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe
"C:\Users\Admin\AppData\Local\Temp\1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1709486f5b27fff1fa5c34135bc8a5999e4e74e7041e1cefeb55fc75426543d1.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
92cfedb7e528fe562464809aa78b126d

SHA1
d7dbdb8c133e068dac6c498838992cad1a7c7f91

SHA256
fe9f8239147451f1cd3ad0cae24b3c7c4435c8756d0dea9ccd4af3a66bb4f5bd

SHA512
e4a38fe666f8a582ae5d46b617fb257b0c90a09121ed241aca92260dc2e0b676d01eb07f245ec0327818efb62d808a0a2624c5f32d8a79fd9cfade714c067b34

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
92cfedb7e528fe562464809aa78b126d

SHA1
d7dbdb8c133e068dac6c498838992cad1a7c7f91

SHA256
fe9f8239147451f1cd3ad0cae24b3c7c4435c8756d0dea9ccd4af3a66bb4f5bd

SHA512
e4a38fe666f8a582ae5d46b617fb257b0c90a09121ed241aca92260dc2e0b676d01eb07f245ec0327818efb62d808a0a2624c5f32d8a79fd9cfade714c067b34

Download Submit
memory/856-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/856-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1212-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads