sakula | 14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601

General

Target

14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe
Size

168KB
MD5

b7e8f41e681092c884506d73ab6f0648
SHA1

3795dd2a7bc8635018a0e65394641ebf6005d1d1
SHA256

14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601
SHA512

309c30ccc92c33da1b4bd728a544db173fea0c61ef660de8d66ca96ec6e3ac5de50c56b135d3f9bd821c3416879e30f36b8259a6cd97f5ee6ab3178b0daf8aba

Score

10^/10

sakula persistence rat suricata trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral1/memory/1608-58-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula
behavioral1/memory/1588-59-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1588 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

812 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe

pid process

1608 14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe

pid	process
1588	MediaCenter.exe

pid	process
812	cmd.exe

pid	process
1608	14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1356 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe

description pid process

Token: SeIncBasePriorityPrivilege 1608 14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe

pid	process
1356	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1608	14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.execmd.exe

description	pid	process	target process
PID 1608 wrote to memory of 1588	1608	14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe	MediaCenter.exe
PID 1608 wrote to memory of 1588	1608	14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe	MediaCenter.exe
PID 1608 wrote to memory of 1588	1608	14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe	MediaCenter.exe
PID 1608 wrote to memory of 1588	1608	14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe	MediaCenter.exe
PID 1608 wrote to memory of 812	1608	14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe	cmd.exe
PID 1608 wrote to memory of 812	1608	14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe	cmd.exe
PID 1608 wrote to memory of 812	1608	14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe	cmd.exe
PID 1608 wrote to memory of 812	1608	14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe	cmd.exe
PID 812 wrote to memory of 1356	812	cmd.exe	PING.EXE
PID 812 wrote to memory of 1356	812	cmd.exe	PING.EXE
PID 812 wrote to memory of 1356	812	cmd.exe	PING.EXE
PID 812 wrote to memory of 1356	812	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe
"C:\Users\Admin\AppData\Local\Temp\14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14e24de9a3ccde5efe7020d1622a74c8deadf83464c09e9148ad7819686d5601.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
9bd29b8f641399cec7540039e5e7dafc

SHA1
91e61d6aa2366dad0e255290b512efc1afc8deb1

SHA256
2fe20d69ed4c56a21caf3fec417c74e3c3b34294a792ee11f4425af7908c8516

SHA512
bc2c21b397e44d9914be2e28c4f19b37ea8382bb9d9eeafc3e104e93dc915b3cbb89f1810c6b133f1d98bd5149ce5e01c48d285c334628191b10ae9f8b50367e

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
9bd29b8f641399cec7540039e5e7dafc

SHA1
91e61d6aa2366dad0e255290b512efc1afc8deb1

SHA256
2fe20d69ed4c56a21caf3fec417c74e3c3b34294a792ee11f4425af7908c8516

SHA512
bc2c21b397e44d9914be2e28c4f19b37ea8382bb9d9eeafc3e104e93dc915b3cbb89f1810c6b133f1d98bd5149ce5e01c48d285c334628191b10ae9f8b50367e

Download Submit
memory/1588-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1608-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1608-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads