sakula | 179b0f78c55488f9d942d61b4273ed949fa0fce7479e4a281732c92a77e30b71

General

Target

179b0f78c55488f9d942d61b4273ed949fa0fce7479e4a281732c92a77e30b71.exe
Size

216KB
MD5

f0e9e8c0758a3685216e0444064c4221
SHA1

569c77c2697041f0a8264308890b050d4e53ec04
SHA256

179b0f78c55488f9d942d61b4273ed949fa0fce7479e4a281732c92a77e30b71
SHA512

18f76f7841dd47e8af4e08952e2ed8b8564b1235c01b44fd7ada1530e193e634de7261bb4744ad69c5539be9017466305d7aa28ca8d73a47ff9117bfefc612b5

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral1/memory/1532-59-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula
behavioral1/memory/904-60-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

904 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1196 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

179b0f78c55488f9d942d61b4273ed949fa0fce7479e4a281732c92a77e30b71.exe

pid process

1532 179b0f78c55488f9d942d61b4273ed949fa0fce7479e4a281732c92a77e30b71.exe

pid	process
904	MediaCenter.exe

pid	process
1196	cmd.exe

pid	process
1532	179b0f78c55488f9d942d61b4273ed949fa0fce7479e4a281732c92a77e30b71.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

179b0f78c55488f9d942d61b4273ed949fa0fce7479e4a281732c92a77e30b71.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	179b0f78c55488f9d942d61b4273ed949fa0fce7479e4a281732c92a77e30b71.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1560 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

179b0f78c55488f9d942d61b4273ed949fa0fce7479e4a281732c92a77e30b71.exe

description pid process

Token: SeIncBasePriorityPrivilege 1532 179b0f78c55488f9d942d61b4273ed949fa0fce7479e4a281732c92a77e30b71.exe

pid	process
1560	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1532	179b0f78c55488f9d942d61b4273ed949fa0fce7479e4a281732c92a77e30b71.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

179b0f78c55488f9d942d61b4273ed949fa0fce7479e4a281732c92a77e30b71.execmd.exe

description	pid	process	target process
PID 1532 wrote to memory of 904	1532	179b0f78c55488f9d942d61b4273ed949fa0fce7479e4a281732c92a77e30b71.exe	MediaCenter.exe
PID 1532 wrote to memory of 904	1532	179b0f78c55488f9d942d61b4273ed949fa0fce7479e4a281732c92a77e30b71.exe	MediaCenter.exe
PID 1532 wrote to memory of 904	1532	179b0f78c55488f9d942d61b4273ed949fa0fce7479e4a281732c92a77e30b71.exe	MediaCenter.exe
PID 1532 wrote to memory of 904	1532	179b0f78c55488f9d942d61b4273ed949fa0fce7479e4a281732c92a77e30b71.exe	MediaCenter.exe
PID 1532 wrote to memory of 1196	1532	179b0f78c55488f9d942d61b4273ed949fa0fce7479e4a281732c92a77e30b71.exe	cmd.exe
PID 1532 wrote to memory of 1196	1532	179b0f78c55488f9d942d61b4273ed949fa0fce7479e4a281732c92a77e30b71.exe	cmd.exe
PID 1532 wrote to memory of 1196	1532	179b0f78c55488f9d942d61b4273ed949fa0fce7479e4a281732c92a77e30b71.exe	cmd.exe
PID 1532 wrote to memory of 1196	1532	179b0f78c55488f9d942d61b4273ed949fa0fce7479e4a281732c92a77e30b71.exe	cmd.exe
PID 1196 wrote to memory of 1560	1196	cmd.exe	PING.EXE
PID 1196 wrote to memory of 1560	1196	cmd.exe	PING.EXE
PID 1196 wrote to memory of 1560	1196	cmd.exe	PING.EXE
PID 1196 wrote to memory of 1560	1196	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\179b0f78c55488f9d942d61b4273ed949fa0fce7479e4a281732c92a77e30b71.exe
"C:\Users\Admin\AppData\Local\Temp\179b0f78c55488f9d942d61b4273ed949fa0fce7479e4a281732c92a77e30b71.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\179b0f78c55488f9d942d61b4273ed949fa0fce7479e4a281732c92a77e30b71.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
dc16cb4ec1e74d80d24b0e416712fc1c

SHA1
16f334bd55a9fd83e57dfd66131b43fac90ce3e8

SHA256
14878afd45b2593e1f9f4fd8fa1041db7f2fc4432578b47c9bbdf1c639c98a0a

SHA512
b89f43e692a4e9c140efa5e05b9d8f9e0efd1f8212940f74b4447a3c7e4ac4f22a3b71cc29941081fc7218a1de0067b09e1fbd680e0e94acf78d61b628588e88

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
dc16cb4ec1e74d80d24b0e416712fc1c

SHA1
16f334bd55a9fd83e57dfd66131b43fac90ce3e8

SHA256
14878afd45b2593e1f9f4fd8fa1041db7f2fc4432578b47c9bbdf1c639c98a0a

SHA512
b89f43e692a4e9c140efa5e05b9d8f9e0efd1f8212940f74b4447a3c7e4ac4f22a3b71cc29941081fc7218a1de0067b09e1fbd680e0e94acf78d61b628588e88

Download Submit
memory/904-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1532-55-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1532-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads