sakula | 16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88

General

Target

16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe
Size

99KB
MD5

5b6ea751a75567561c335096266bca32
SHA1

513ecbe9d01061b48f4fc13ce96ed6f116cf433a
SHA256

16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88
SHA512

04cde9fcc8f4a760d995b2d8a98586a27986110dc6e8cc3a0e5c522c30b39f1f84c3819d59843564d7bea552d8e71a03ef7970c8da543b86fc04b55c4400d2bd

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1744 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1440 cmd.exe

pid	process
1744	MediaCenter.exe

pid	process
1440	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe

pid	process
1452	16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe
1452	16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1512 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe

description pid process

Token: SeIncBasePriorityPrivilege 1452 16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe

pid	process
1512	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1452	16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.execmd.exe

description	pid	process	target process
PID 1452 wrote to memory of 1744	1452	16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe	MediaCenter.exe
PID 1452 wrote to memory of 1744	1452	16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe	MediaCenter.exe
PID 1452 wrote to memory of 1744	1452	16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe	MediaCenter.exe
PID 1452 wrote to memory of 1744	1452	16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe	MediaCenter.exe
PID 1452 wrote to memory of 1440	1452	16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe	cmd.exe
PID 1452 wrote to memory of 1440	1452	16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe	cmd.exe
PID 1452 wrote to memory of 1440	1452	16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe	cmd.exe
PID 1452 wrote to memory of 1440	1452	16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe	cmd.exe
PID 1440 wrote to memory of 1512	1440	cmd.exe	PING.EXE
PID 1440 wrote to memory of 1512	1440	cmd.exe	PING.EXE
PID 1440 wrote to memory of 1512	1440	cmd.exe	PING.EXE
PID 1440 wrote to memory of 1512	1440	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe
"C:\Users\Admin\AppData\Local\Temp\16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16b5f31a57b09921d05c56f4c69ddda2eaf5b83c50e5bdf7ffc65bb043368d88.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
63be2e1ff1ca9ea680d659cec4f8185c

SHA1
84b3c23c55e97f5451811b98914c91b3d14d7fac

SHA256
c665eee723f7691bcc24a910f269e5153d5d53d2a46e227144480bde65186878

SHA512
18ed7fb856c30c65888352eb8a458020488c7a1916f2c2a15e56ccf176f1408e1f4b39411108409e19d8051596b5b799604340512410944fd8b4be14d2982aa8

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
63be2e1ff1ca9ea680d659cec4f8185c

SHA1
84b3c23c55e97f5451811b98914c91b3d14d7fac

SHA256
c665eee723f7691bcc24a910f269e5153d5d53d2a46e227144480bde65186878

SHA512
18ed7fb856c30c65888352eb8a458020488c7a1916f2c2a15e56ccf176f1408e1f4b39411108409e19d8051596b5b799604340512410944fd8b4be14d2982aa8

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
63be2e1ff1ca9ea680d659cec4f8185c

SHA1
84b3c23c55e97f5451811b98914c91b3d14d7fac

SHA256
c665eee723f7691bcc24a910f269e5153d5d53d2a46e227144480bde65186878

SHA512
18ed7fb856c30c65888352eb8a458020488c7a1916f2c2a15e56ccf176f1408e1f4b39411108409e19d8051596b5b799604340512410944fd8b4be14d2982aa8

Download Submit
memory/1452-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads