sakula | 16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a

General

Target

16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe
Size

152KB
MD5

40509d6c4cf888e31658ed6f836bc158
SHA1

93fe1cb612f9590ba60401956d6811dbe56099ef
SHA256

16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a
SHA512

c140545bc75ed7ebeaa0642c72ba2614742f297fd7bd196896d0d05e06bbcae313532a8916fc1cdfcf5e9ba8a7725ecc25fff69631984c6a2465550b71a07caf

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

4488 MediaCenter.exe

pid	process
4488	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3332 PING.EXE

pid	process
3332	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exe16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	4860	svchost.exe
Token: SeCreatePagefilePrivilege	4860	svchost.exe
Token: SeShutdownPrivilege	4860	svchost.exe
Token: SeCreatePagefilePrivilege	4860	svchost.exe
Token: SeShutdownPrivilege	4860	svchost.exe
Token: SeCreatePagefilePrivilege	4860	svchost.exe
Token: SeIncBasePriorityPrivilege	1408	16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe
Token: SeSecurityPrivilege	4808	TiWorker.exe
Token: SeRestorePrivilege	4808	TiWorker.exe
Token: SeBackupPrivilege	4808	TiWorker.exe
Token: SeBackupPrivilege	4808	TiWorker.exe
Token: SeRestorePrivilege	4808	TiWorker.exe
Token: SeSecurityPrivilege	4808	TiWorker.exe
Token: SeBackupPrivilege	4808	TiWorker.exe
Token: SeRestorePrivilege	4808	TiWorker.exe
Token: SeSecurityPrivilege	4808	TiWorker.exe
Token: SeBackupPrivilege	4808	TiWorker.exe
Token: SeRestorePrivilege	4808	TiWorker.exe
Token: SeSecurityPrivilege	4808	TiWorker.exe
Token: SeBackupPrivilege	4808	TiWorker.exe
Token: SeRestorePrivilege	4808	TiWorker.exe
Token: SeSecurityPrivilege	4808	TiWorker.exe
Token: SeBackupPrivilege	4808	TiWorker.exe
Token: SeRestorePrivilege	4808	TiWorker.exe
Token: SeSecurityPrivilege	4808	TiWorker.exe
Token: SeBackupPrivilege	4808	TiWorker.exe
Token: SeRestorePrivilege	4808	TiWorker.exe
Token: SeSecurityPrivilege	4808	TiWorker.exe
Token: SeBackupPrivilege	4808	TiWorker.exe
Token: SeRestorePrivilege	4808	TiWorker.exe
Token: SeSecurityPrivilege	4808	TiWorker.exe
Token: SeBackupPrivilege	4808	TiWorker.exe
Token: SeRestorePrivilege	4808	TiWorker.exe
Token: SeSecurityPrivilege	4808	TiWorker.exe
Token: SeBackupPrivilege	4808	TiWorker.exe
Token: SeRestorePrivilege	4808	TiWorker.exe
Token: SeSecurityPrivilege	4808	TiWorker.exe
Token: SeBackupPrivilege	4808	TiWorker.exe
Token: SeRestorePrivilege	4808	TiWorker.exe
Token: SeSecurityPrivilege	4808	TiWorker.exe
Token: SeBackupPrivilege	4808	TiWorker.exe
Token: SeRestorePrivilege	4808	TiWorker.exe
Token: SeSecurityPrivilege	4808	TiWorker.exe
Token: SeBackupPrivilege	4808	TiWorker.exe
Token: SeRestorePrivilege	4808	TiWorker.exe
Token: SeSecurityPrivilege	4808	TiWorker.exe
Token: SeBackupPrivilege	4808	TiWorker.exe
Token: SeRestorePrivilege	4808	TiWorker.exe
Token: SeSecurityPrivilege	4808	TiWorker.exe
Token: SeBackupPrivilege	4808	TiWorker.exe
Token: SeRestorePrivilege	4808	TiWorker.exe
Token: SeSecurityPrivilege	4808	TiWorker.exe
Token: SeBackupPrivilege	4808	TiWorker.exe
Token: SeRestorePrivilege	4808	TiWorker.exe
Token: SeSecurityPrivilege	4808	TiWorker.exe
Token: SeBackupPrivilege	4808	TiWorker.exe
Token: SeRestorePrivilege	4808	TiWorker.exe
Token: SeSecurityPrivilege	4808	TiWorker.exe
Token: SeBackupPrivilege	4808	TiWorker.exe
Token: SeRestorePrivilege	4808	TiWorker.exe
Token: SeSecurityPrivilege	4808	TiWorker.exe
Token: SeBackupPrivilege	4808	TiWorker.exe
Token: SeRestorePrivilege	4808	TiWorker.exe
Token: SeSecurityPrivilege	4808	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.execmd.exe

description	pid	process	target process
PID 1408 wrote to memory of 4488	1408	16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe	MediaCenter.exe
PID 1408 wrote to memory of 4488	1408	16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe	MediaCenter.exe
PID 1408 wrote to memory of 4488	1408	16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe	MediaCenter.exe
PID 1408 wrote to memory of 2212	1408	16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe	cmd.exe
PID 1408 wrote to memory of 2212	1408	16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe	cmd.exe
PID 1408 wrote to memory of 2212	1408	16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe	cmd.exe
PID 2212 wrote to memory of 3332	2212	cmd.exe	PING.EXE
PID 2212 wrote to memory of 3332	2212	cmd.exe	PING.EXE
PID 2212 wrote to memory of 3332	2212	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe
"C:\Users\Admin\AppData\Local\Temp\16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:4488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16665e841a10f46b7a47223cfca0eed95ca5c4183edcad1cf45865464a364f2a.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:3332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
d2c23a8b3451cf74455ed3a7139f7e46

SHA1
676eedaa06b3819e60f2dfdd5d908a2094e080f8

SHA256
3b810d13a7d33d1b5290863b56ee70b2798b5e8098b971dd91ea1cfdfdac0d35

SHA512
9594cf203d91f8fda61bd124316fdc0312856f30c8acc3fe58e2b373805fc70cd6dede9f4c1f16d4a10d0aa649d7508c56b2d96a2de84dc1647031d69086f3e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
d2c23a8b3451cf74455ed3a7139f7e46

SHA1
676eedaa06b3819e60f2dfdd5d908a2094e080f8

SHA256
3b810d13a7d33d1b5290863b56ee70b2798b5e8098b971dd91ea1cfdfdac0d35

SHA512
9594cf203d91f8fda61bd124316fdc0312856f30c8acc3fe58e2b373805fc70cd6dede9f4c1f16d4a10d0aa649d7508c56b2d96a2de84dc1647031d69086f3e4

Download Submit
memory/4860-132-0x0000014429560000-0x0000014429570000-memory.dmp

Filesize
64KB

Download
memory/4860-133-0x0000014429B20000-0x0000014429B30000-memory.dmp

Filesize
64KB

Download
memory/4860-134-0x000001442C1A0000-0x000001442C1A4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads