sakula | 17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f

General

Target

17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe
Size

58KB
MD5

5c7231bd8c8a5afc8a038e5ecdb6feec
SHA1

765dca4d22a61355ab344f349ad0c46549896c0d
SHA256

17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f
SHA512

b11f5910fac5a32d1647e13ffabb6ba8e4ff0dfd383ec6fc2dbf49c8a3303d8e5ffaf5a8522cf2ca8daf96961a8a53f76e3071c27f1711f43ec6d7e8281e392c

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1924 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1620 cmd.exe

pid	process
1924	MediaCenter.exe

pid	process
1620	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe

pid	process
1040	17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe
1040	17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1872 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe

description pid process

Token: SeIncBasePriorityPrivilege 1040 17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe

pid	process
1872	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1040	17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.execmd.exe

description	pid	process	target process
PID 1040 wrote to memory of 1924	1040	17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe	MediaCenter.exe
PID 1040 wrote to memory of 1924	1040	17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe	MediaCenter.exe
PID 1040 wrote to memory of 1924	1040	17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe	MediaCenter.exe
PID 1040 wrote to memory of 1924	1040	17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe	MediaCenter.exe
PID 1040 wrote to memory of 1620	1040	17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe	cmd.exe
PID 1040 wrote to memory of 1620	1040	17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe	cmd.exe
PID 1040 wrote to memory of 1620	1040	17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe	cmd.exe
PID 1040 wrote to memory of 1620	1040	17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe	cmd.exe
PID 1620 wrote to memory of 1872	1620	cmd.exe	PING.EXE
PID 1620 wrote to memory of 1872	1620	cmd.exe	PING.EXE
PID 1620 wrote to memory of 1872	1620	cmd.exe	PING.EXE
PID 1620 wrote to memory of 1872	1620	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe
"C:\Users\Admin\AppData\Local\Temp\17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17ff13cdd15aedb93f114c2aa00efb94672d2c96262cd685c21a5cc9d64a589f.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
77d0f9568ee684f04c7389ffcfa8bb66

SHA1
33ca5d9a2121eb33624ee92397d171ac3882cee4

SHA256
693a4d24bad87a260fd17c01e53b869a15a0c11d429fcb27923e7076d83a842d

SHA512
9bae486c0e99f844ffc4cec1adfcac9e3721093a3503ed9cbc1cf4cf179e5d965ebe25fa3d1fb12e27da9b0b30c684fd3f83df112f47e75f73c41475d1d02bee

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
77d0f9568ee684f04c7389ffcfa8bb66

SHA1
33ca5d9a2121eb33624ee92397d171ac3882cee4

SHA256
693a4d24bad87a260fd17c01e53b869a15a0c11d429fcb27923e7076d83a842d

SHA512
9bae486c0e99f844ffc4cec1adfcac9e3721093a3503ed9cbc1cf4cf179e5d965ebe25fa3d1fb12e27da9b0b30c684fd3f83df112f47e75f73c41475d1d02bee

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
77d0f9568ee684f04c7389ffcfa8bb66

SHA1
33ca5d9a2121eb33624ee92397d171ac3882cee4

SHA256
693a4d24bad87a260fd17c01e53b869a15a0c11d429fcb27923e7076d83a842d

SHA512
9bae486c0e99f844ffc4cec1adfcac9e3721093a3503ed9cbc1cf4cf179e5d965ebe25fa3d1fb12e27da9b0b30c684fd3f83df112f47e75f73c41475d1d02bee

Download Submit
memory/1040-54-0x00000000754B1000-0x00000000754B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads