sakula | 160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836

General

Target

160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe
Size

184KB
MD5

ac57a33099ed8d5c57bd46e96b7c9313
SHA1

1e3f5e5c31bcb9d1d7630d2ac4b0270b0688c660
SHA256

160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836
SHA512

5018338463bad52c8b8c383af92dac52e1e5a8cd30adf62978c6e020ebddf8f2377892285996bdb03984ea6293b0baf0392777aa0dac2396b15c4aec1b83714a

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral2/memory/4928-135-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula
behavioral2/memory/4528-136-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

4528 MediaCenter.exe

pid	process
4528	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

676 PING.EXE

pid	process
676	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exe160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	208	svchost.exe
Token: SeCreatePagefilePrivilege	208	svchost.exe
Token: SeShutdownPrivilege	208	svchost.exe
Token: SeCreatePagefilePrivilege	208	svchost.exe
Token: SeShutdownPrivilege	208	svchost.exe
Token: SeCreatePagefilePrivilege	208	svchost.exe
Token: SeIncBasePriorityPrivilege	4928	160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe
Token: SeSecurityPrivilege	4344	TiWorker.exe
Token: SeRestorePrivilege	4344	TiWorker.exe
Token: SeBackupPrivilege	4344	TiWorker.exe
Token: SeBackupPrivilege	4344	TiWorker.exe
Token: SeRestorePrivilege	4344	TiWorker.exe
Token: SeSecurityPrivilege	4344	TiWorker.exe
Token: SeBackupPrivilege	4344	TiWorker.exe
Token: SeRestorePrivilege	4344	TiWorker.exe
Token: SeSecurityPrivilege	4344	TiWorker.exe
Token: SeBackupPrivilege	4344	TiWorker.exe
Token: SeRestorePrivilege	4344	TiWorker.exe
Token: SeSecurityPrivilege	4344	TiWorker.exe
Token: SeBackupPrivilege	4344	TiWorker.exe
Token: SeRestorePrivilege	4344	TiWorker.exe
Token: SeSecurityPrivilege	4344	TiWorker.exe
Token: SeBackupPrivilege	4344	TiWorker.exe
Token: SeRestorePrivilege	4344	TiWorker.exe
Token: SeSecurityPrivilege	4344	TiWorker.exe
Token: SeBackupPrivilege	4344	TiWorker.exe
Token: SeRestorePrivilege	4344	TiWorker.exe
Token: SeSecurityPrivilege	4344	TiWorker.exe
Token: SeBackupPrivilege	4344	TiWorker.exe
Token: SeRestorePrivilege	4344	TiWorker.exe
Token: SeSecurityPrivilege	4344	TiWorker.exe
Token: SeBackupPrivilege	4344	TiWorker.exe
Token: SeRestorePrivilege	4344	TiWorker.exe
Token: SeSecurityPrivilege	4344	TiWorker.exe
Token: SeBackupPrivilege	4344	TiWorker.exe
Token: SeRestorePrivilege	4344	TiWorker.exe
Token: SeSecurityPrivilege	4344	TiWorker.exe
Token: SeBackupPrivilege	4344	TiWorker.exe
Token: SeRestorePrivilege	4344	TiWorker.exe
Token: SeSecurityPrivilege	4344	TiWorker.exe
Token: SeBackupPrivilege	4344	TiWorker.exe
Token: SeRestorePrivilege	4344	TiWorker.exe
Token: SeSecurityPrivilege	4344	TiWorker.exe
Token: SeBackupPrivilege	4344	TiWorker.exe
Token: SeRestorePrivilege	4344	TiWorker.exe
Token: SeSecurityPrivilege	4344	TiWorker.exe
Token: SeBackupPrivilege	4344	TiWorker.exe
Token: SeRestorePrivilege	4344	TiWorker.exe
Token: SeSecurityPrivilege	4344	TiWorker.exe
Token: SeBackupPrivilege	4344	TiWorker.exe
Token: SeRestorePrivilege	4344	TiWorker.exe
Token: SeSecurityPrivilege	4344	TiWorker.exe
Token: SeBackupPrivilege	4344	TiWorker.exe
Token: SeRestorePrivilege	4344	TiWorker.exe
Token: SeSecurityPrivilege	4344	TiWorker.exe
Token: SeBackupPrivilege	4344	TiWorker.exe
Token: SeRestorePrivilege	4344	TiWorker.exe
Token: SeSecurityPrivilege	4344	TiWorker.exe
Token: SeBackupPrivilege	4344	TiWorker.exe
Token: SeRestorePrivilege	4344	TiWorker.exe
Token: SeSecurityPrivilege	4344	TiWorker.exe
Token: SeBackupPrivilege	4344	TiWorker.exe
Token: SeRestorePrivilege	4344	TiWorker.exe
Token: SeSecurityPrivilege	4344	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.execmd.exe

description	pid	process	target process
PID 4928 wrote to memory of 4528	4928	160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe	MediaCenter.exe
PID 4928 wrote to memory of 4528	4928	160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe	MediaCenter.exe
PID 4928 wrote to memory of 4528	4928	160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe	MediaCenter.exe
PID 4928 wrote to memory of 2556	4928	160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe	cmd.exe
PID 4928 wrote to memory of 2556	4928	160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe	cmd.exe
PID 4928 wrote to memory of 2556	4928	160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe	cmd.exe
PID 2556 wrote to memory of 676	2556	cmd.exe	PING.EXE
PID 2556 wrote to memory of 676	2556	cmd.exe	PING.EXE
PID 2556 wrote to memory of 676	2556	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe
"C:\Users\Admin\AppData\Local\Temp\160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:4528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\160d94f00f6fadffc95d29b42f9c52e5c2b2ca660ec2179109e0377240861836.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
55202aee46254792c393f0c1c10bc7d2

SHA1
ff89ec486ff9d10d411b6454921dc019f4a022f0

SHA256
515244f49110e44115bfde0da78702f0287ea797d5a2b9514289a885cf72d7c0

SHA512
8cefac1c46f8eda10f8d66b50579f06f9cfbf4dc0e55aaacd54555a68e1024e45b5293b0a0bf78e956b89eb54cfb38d30ba39a481c343516f0773cf26d4ab973

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
55202aee46254792c393f0c1c10bc7d2

SHA1
ff89ec486ff9d10d411b6454921dc019f4a022f0

SHA256
515244f49110e44115bfde0da78702f0287ea797d5a2b9514289a885cf72d7c0

SHA512
8cefac1c46f8eda10f8d66b50579f06f9cfbf4dc0e55aaacd54555a68e1024e45b5293b0a0bf78e956b89eb54cfb38d30ba39a481c343516f0773cf26d4ab973

Download Submit
memory/208-132-0x0000022DE3B90000-0x0000022DE3BA0000-memory.dmp

Filesize
64KB

Download
memory/208-133-0x0000022DE4360000-0x0000022DE4370000-memory.dmp

Filesize
64KB

Download
memory/208-134-0x0000022DE6F70000-0x0000022DE6F74000-memory.dmp

Filesize
16KB

Download
memory/4528-136-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4928-135-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads