sakula | 194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e

General

Target

194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe
Size

58KB
MD5

f92cefd120143642dec344b1ef274b66
SHA1

bd718fb5b00dd59ff62da41438ccdb1dc6ee108b
SHA256

194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e
SHA512

bde6931b9fe7e2c0bf817c9d3387086e9b85992cc9fede4fb5841acc1bade3a6fd943e09ea07fad9b2c8c50068303dbddd40e048beed79586b3199fe140925c2

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

4888 MediaCenter.exe

pid	process
4888	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1512 PING.EXE

pid	process
1512	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exe194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	4464	svchost.exe
Token: SeCreatePagefilePrivilege	4464	svchost.exe
Token: SeShutdownPrivilege	4464	svchost.exe
Token: SeCreatePagefilePrivilege	4464	svchost.exe
Token: SeShutdownPrivilege	4464	svchost.exe
Token: SeCreatePagefilePrivilege	4464	svchost.exe
Token: SeIncBasePriorityPrivilege	3068	194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe
Token: SeSecurityPrivilege	4836	TiWorker.exe
Token: SeRestorePrivilege	4836	TiWorker.exe
Token: SeBackupPrivilege	4836	TiWorker.exe
Token: SeBackupPrivilege	4836	TiWorker.exe
Token: SeRestorePrivilege	4836	TiWorker.exe
Token: SeSecurityPrivilege	4836	TiWorker.exe
Token: SeBackupPrivilege	4836	TiWorker.exe
Token: SeRestorePrivilege	4836	TiWorker.exe
Token: SeSecurityPrivilege	4836	TiWorker.exe
Token: SeBackupPrivilege	4836	TiWorker.exe
Token: SeRestorePrivilege	4836	TiWorker.exe
Token: SeSecurityPrivilege	4836	TiWorker.exe
Token: SeBackupPrivilege	4836	TiWorker.exe
Token: SeRestorePrivilege	4836	TiWorker.exe
Token: SeSecurityPrivilege	4836	TiWorker.exe
Token: SeBackupPrivilege	4836	TiWorker.exe
Token: SeRestorePrivilege	4836	TiWorker.exe
Token: SeSecurityPrivilege	4836	TiWorker.exe
Token: SeBackupPrivilege	4836	TiWorker.exe
Token: SeRestorePrivilege	4836	TiWorker.exe
Token: SeSecurityPrivilege	4836	TiWorker.exe
Token: SeBackupPrivilege	4836	TiWorker.exe
Token: SeRestorePrivilege	4836	TiWorker.exe
Token: SeSecurityPrivilege	4836	TiWorker.exe
Token: SeBackupPrivilege	4836	TiWorker.exe
Token: SeRestorePrivilege	4836	TiWorker.exe
Token: SeSecurityPrivilege	4836	TiWorker.exe
Token: SeBackupPrivilege	4836	TiWorker.exe
Token: SeRestorePrivilege	4836	TiWorker.exe
Token: SeSecurityPrivilege	4836	TiWorker.exe
Token: SeBackupPrivilege	4836	TiWorker.exe
Token: SeRestorePrivilege	4836	TiWorker.exe
Token: SeSecurityPrivilege	4836	TiWorker.exe
Token: SeBackupPrivilege	4836	TiWorker.exe
Token: SeRestorePrivilege	4836	TiWorker.exe
Token: SeSecurityPrivilege	4836	TiWorker.exe
Token: SeBackupPrivilege	4836	TiWorker.exe
Token: SeRestorePrivilege	4836	TiWorker.exe
Token: SeSecurityPrivilege	4836	TiWorker.exe
Token: SeBackupPrivilege	4836	TiWorker.exe
Token: SeRestorePrivilege	4836	TiWorker.exe
Token: SeSecurityPrivilege	4836	TiWorker.exe
Token: SeBackupPrivilege	4836	TiWorker.exe
Token: SeRestorePrivilege	4836	TiWorker.exe
Token: SeSecurityPrivilege	4836	TiWorker.exe
Token: SeBackupPrivilege	4836	TiWorker.exe
Token: SeRestorePrivilege	4836	TiWorker.exe
Token: SeSecurityPrivilege	4836	TiWorker.exe
Token: SeBackupPrivilege	4836	TiWorker.exe
Token: SeRestorePrivilege	4836	TiWorker.exe
Token: SeSecurityPrivilege	4836	TiWorker.exe
Token: SeBackupPrivilege	4836	TiWorker.exe
Token: SeRestorePrivilege	4836	TiWorker.exe
Token: SeSecurityPrivilege	4836	TiWorker.exe
Token: SeBackupPrivilege	4836	TiWorker.exe
Token: SeRestorePrivilege	4836	TiWorker.exe
Token: SeSecurityPrivilege	4836	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.execmd.exe

description	pid	process	target process
PID 3068 wrote to memory of 4888	3068	194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe	MediaCenter.exe
PID 3068 wrote to memory of 4888	3068	194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe	MediaCenter.exe
PID 3068 wrote to memory of 4888	3068	194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe	MediaCenter.exe
PID 3068 wrote to memory of 4536	3068	194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe	cmd.exe
PID 3068 wrote to memory of 4536	3068	194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe	cmd.exe
PID 3068 wrote to memory of 4536	3068	194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe	cmd.exe
PID 4536 wrote to memory of 1512	4536	cmd.exe	PING.EXE
PID 4536 wrote to memory of 1512	4536	cmd.exe	PING.EXE
PID 4536 wrote to memory of 1512	4536	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe
"C:\Users\Admin\AppData\Local\Temp\194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:4888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\194cb19eee281bf9c5ec68f8c02af28bfdd103d1952e7ab5d4e4a808e361ae2e.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
eb4fb8ca3aec90e3bb5c089f531c78d4

SHA1
bb2406bf951c12b33f58f590f3e9d07357aa74e6

SHA256
152744251d66f678c4798482725567680460ae4ad4addc775046a8ed9bd33e6b

SHA512
17207f81f8d63aa462790011047cdeba17d4d39968ab2a5e109836d6ba35c7a39f3404fbf5d10b400fc1555818781b85c09412cda786ecd45d6fe081bddd2bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
eb4fb8ca3aec90e3bb5c089f531c78d4

SHA1
bb2406bf951c12b33f58f590f3e9d07357aa74e6

SHA256
152744251d66f678c4798482725567680460ae4ad4addc775046a8ed9bd33e6b

SHA512
17207f81f8d63aa462790011047cdeba17d4d39968ab2a5e109836d6ba35c7a39f3404fbf5d10b400fc1555818781b85c09412cda786ecd45d6fe081bddd2bbf

Download Submit
memory/4464-133-0x0000020E37780000-0x0000020E37790000-memory.dmp

Filesize
64KB

Download
memory/4464-132-0x0000020E37720000-0x0000020E37730000-memory.dmp

Filesize
64KB

Download
memory/4464-134-0x0000020E39E50000-0x0000020E39E54000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads