sakula | 17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d

General

Target

17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe
Size

36KB
MD5

4549dbda12eef5539ed4ab19888e0b46
SHA1

7e9a2bf7ba4861416b4f498b8f08398832b1970f
SHA256

17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d
SHA512

c4fb5385c2d4395a0b586d15b874224262a3aef45b96a8a3cfc32a1b61800b490224b3917b1b23bd45e4f41a8b8bd4beb76c34479ad01feb2123ff300358ac12

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

792 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

612 cmd.exe

pid	process
792	MediaCenter.exe

pid	process
612	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe

pid	process
952	17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe
952	17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1612 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe

description pid process

Token: SeIncBasePriorityPrivilege 952 17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe

pid	process
1612	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	952	17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.execmd.exe

description	pid	process	target process
PID 952 wrote to memory of 792	952	17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe	MediaCenter.exe
PID 952 wrote to memory of 792	952	17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe	MediaCenter.exe
PID 952 wrote to memory of 792	952	17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe	MediaCenter.exe
PID 952 wrote to memory of 792	952	17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe	MediaCenter.exe
PID 952 wrote to memory of 612	952	17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe	cmd.exe
PID 952 wrote to memory of 612	952	17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe	cmd.exe
PID 952 wrote to memory of 612	952	17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe	cmd.exe
PID 952 wrote to memory of 612	952	17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe	cmd.exe
PID 612 wrote to memory of 1612	612	cmd.exe	PING.EXE
PID 612 wrote to memory of 1612	612	cmd.exe	PING.EXE
PID 612 wrote to memory of 1612	612	cmd.exe	PING.EXE
PID 612 wrote to memory of 1612	612	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe
"C:\Users\Admin\AppData\Local\Temp\17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\17b73a2dd7ff623f1ec1c537958423b75d57a5debde43ca61920df4e42c0ee6d.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:612

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
61a82e3021dc7bea71f1b7c8a08ee931

SHA1
a13347c2a4b7311e3cf0d24500982e7fcf7338e4

SHA256
5b4cb23983a41a8ec020cc7fdcfc225eee9b696a503f1655f0db8c58e39d2c20

SHA512
dc3e48f29d0900ea39a18807c47bda44e4a8149271f772d331c195400c687f263dd8e3a9dac114db8d09ae5de973a49e37e94159b806159e20bb3a9b48a38963

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
61a82e3021dc7bea71f1b7c8a08ee931

SHA1
a13347c2a4b7311e3cf0d24500982e7fcf7338e4

SHA256
5b4cb23983a41a8ec020cc7fdcfc225eee9b696a503f1655f0db8c58e39d2c20

SHA512
dc3e48f29d0900ea39a18807c47bda44e4a8149271f772d331c195400c687f263dd8e3a9dac114db8d09ae5de973a49e37e94159b806159e20bb3a9b48a38963

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
61a82e3021dc7bea71f1b7c8a08ee931

SHA1
a13347c2a4b7311e3cf0d24500982e7fcf7338e4

SHA256
5b4cb23983a41a8ec020cc7fdcfc225eee9b696a503f1655f0db8c58e39d2c20

SHA512
dc3e48f29d0900ea39a18807c47bda44e4a8149271f772d331c195400c687f263dd8e3a9dac114db8d09ae5de973a49e37e94159b806159e20bb3a9b48a38963

Download Submit
memory/952-55-0x0000000075321000-0x0000000075323000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads