sakula | 1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622

General

Target

1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe
Size

80KB
MD5

7fed7c619c05b394f7c954c8e7527586
SHA1

972fff94c657faba73bfe311326ff542ed5d7df5
SHA256

1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622
SHA512

61f84f26f46c7ca59c31da3516d666c53f0a5552129fd8ad1af11d677f16f30929a77d8f6bb5d8a2db72c144d59bc4a0de9b671d4f5ea55b3e948fb4b88d850c

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1316 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1084 cmd.exe

pid	process
1316	MediaCenter.exe

pid	process
1084	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe

pid	process
1600	1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe
1600	1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

780 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe

description pid process

Token: SeIncBasePriorityPrivilege 1600 1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe

pid	process
780	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1600	1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.execmd.exe

description	pid	process	target process
PID 1600 wrote to memory of 1316	1600	1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe	MediaCenter.exe
PID 1600 wrote to memory of 1316	1600	1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe	MediaCenter.exe
PID 1600 wrote to memory of 1316	1600	1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe	MediaCenter.exe
PID 1600 wrote to memory of 1316	1600	1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe	MediaCenter.exe
PID 1600 wrote to memory of 1084	1600	1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe	cmd.exe
PID 1600 wrote to memory of 1084	1600	1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe	cmd.exe
PID 1600 wrote to memory of 1084	1600	1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe	cmd.exe
PID 1600 wrote to memory of 1084	1600	1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe	cmd.exe
PID 1084 wrote to memory of 780	1084	cmd.exe	PING.EXE
PID 1084 wrote to memory of 780	1084	cmd.exe	PING.EXE
PID 1084 wrote to memory of 780	1084	cmd.exe	PING.EXE
PID 1084 wrote to memory of 780	1084	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe
"C:\Users\Admin\AppData\Local\Temp\1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1825ba49aa1326ae4b233d1084b1df16828d0bba19491a3599eb46b30cd4c622.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
b9e8f97340637641526b2643c3570ff5

SHA1
90abd8009d2af251d9babf7dc06700b54d64215a

SHA256
36ad2640182e6932ce3d3cd5036f0c745e91b4ce7ef8a80ba2e60393a495f7f0

SHA512
4f93de824026468bac1ec2aee31229f69ec9631a268407734fd1427c8ff2f6d20ee3d3437d62f7b4d664a1c4affab17ca0c1790bd1a9212aeff6dd1866353a64

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
b9e8f97340637641526b2643c3570ff5

SHA1
90abd8009d2af251d9babf7dc06700b54d64215a

SHA256
36ad2640182e6932ce3d3cd5036f0c745e91b4ce7ef8a80ba2e60393a495f7f0

SHA512
4f93de824026468bac1ec2aee31229f69ec9631a268407734fd1427c8ff2f6d20ee3d3437d62f7b4d664a1c4affab17ca0c1790bd1a9212aeff6dd1866353a64

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
b9e8f97340637641526b2643c3570ff5

SHA1
90abd8009d2af251d9babf7dc06700b54d64215a

SHA256
36ad2640182e6932ce3d3cd5036f0c745e91b4ce7ef8a80ba2e60393a495f7f0

SHA512
4f93de824026468bac1ec2aee31229f69ec9631a268407734fd1427c8ff2f6d20ee3d3437d62f7b4d664a1c4affab17ca0c1790bd1a9212aeff6dd1866353a64

Download Submit
memory/1600-55-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads