sakula | 18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e

General

Target

18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe
Size

58KB
MD5

a03d4358fbde9f132cfb8306f825cfc2
SHA1

3fd663d77105ee467fa5766f26baf3d4b85003d3
SHA256

18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e
SHA512

d076802abcb6b898ef86c060f5cfaec7c04880f0c66d67e136ba85e76966910328692a6a314b63a856426140a26db48a81a447806aef87e7126fc015bd63c899

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1620 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1964 cmd.exe

pid	process
1620	MediaCenter.exe

pid	process
1964	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe

pid	process
1652	18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe
1652	18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

872 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe

description pid process

Token: SeIncBasePriorityPrivilege 1652 18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe

pid	process
872	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1652	18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.execmd.exe

description	pid	process	target process
PID 1652 wrote to memory of 1620	1652	18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe	MediaCenter.exe
PID 1652 wrote to memory of 1620	1652	18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe	MediaCenter.exe
PID 1652 wrote to memory of 1620	1652	18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe	MediaCenter.exe
PID 1652 wrote to memory of 1620	1652	18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe	MediaCenter.exe
PID 1652 wrote to memory of 1964	1652	18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe	cmd.exe
PID 1652 wrote to memory of 1964	1652	18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe	cmd.exe
PID 1652 wrote to memory of 1964	1652	18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe	cmd.exe
PID 1652 wrote to memory of 1964	1652	18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe	cmd.exe
PID 1964 wrote to memory of 872	1964	cmd.exe	PING.EXE
PID 1964 wrote to memory of 872	1964	cmd.exe	PING.EXE
PID 1964 wrote to memory of 872	1964	cmd.exe	PING.EXE
PID 1964 wrote to memory of 872	1964	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe
"C:\Users\Admin\AppData\Local\Temp\18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\18b43c1756d027b8012cca4ef6244a492f35ba9726c47c83490f838a7425a13e.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
3c53ca9fe4b8806a4c6fa78e61efea2d

SHA1
1049495820588fc03828a93a29895c728bc10c33

SHA256
bab01480d297d527c19d5cb581987ebc0222fe5a6ab21dc3b490a386c9b1da08

SHA512
677a1777f4b862bb480fd814732b717e0d93ff9d36aca4f2f79b29a0eb02ef8b92ffc9891d1c1fb02bec1434d92f96b1e54bdbb5f6698ef2032a058f4dd1aa7e

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
3c53ca9fe4b8806a4c6fa78e61efea2d

SHA1
1049495820588fc03828a93a29895c728bc10c33

SHA256
bab01480d297d527c19d5cb581987ebc0222fe5a6ab21dc3b490a386c9b1da08

SHA512
677a1777f4b862bb480fd814732b717e0d93ff9d36aca4f2f79b29a0eb02ef8b92ffc9891d1c1fb02bec1434d92f96b1e54bdbb5f6698ef2032a058f4dd1aa7e

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
3c53ca9fe4b8806a4c6fa78e61efea2d

SHA1
1049495820588fc03828a93a29895c728bc10c33

SHA256
bab01480d297d527c19d5cb581987ebc0222fe5a6ab21dc3b490a386c9b1da08

SHA512
677a1777f4b862bb480fd814732b717e0d93ff9d36aca4f2f79b29a0eb02ef8b92ffc9891d1c1fb02bec1434d92f96b1e54bdbb5f6698ef2032a058f4dd1aa7e

Download Submit
memory/1652-55-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads