sakula | 15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6

General

Target

15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe
Size

92KB
MD5

8c462ae510f799b1f7addce90c1d4fb8
SHA1

590d8644258967d3a182a466c4554becb9597635
SHA256

15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6
SHA512

75fdbb9fc4019dbf3a61cc662f07c3d500c4596b143f7f106776ef74b5233853acacda25638b0cae84d01391dbc6598a84e0731e519a11f287dc7256b5c10c5b

Score

10^/10

sakula persistence rat suricata trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1204 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1408 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe

pid process

1180 15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe

pid	process
1204	MediaCenter.exe

pid	process
1408	cmd.exe

pid	process
1180	15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

364 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe

description pid process

Token: SeIncBasePriorityPrivilege 1180 15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe

pid	process
364	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1180	15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.execmd.exe

description	pid	process	target process
PID 1180 wrote to memory of 1204	1180	15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe	MediaCenter.exe
PID 1180 wrote to memory of 1204	1180	15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe	MediaCenter.exe
PID 1180 wrote to memory of 1204	1180	15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe	MediaCenter.exe
PID 1180 wrote to memory of 1204	1180	15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe	MediaCenter.exe
PID 1180 wrote to memory of 1408	1180	15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe	cmd.exe
PID 1180 wrote to memory of 1408	1180	15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe	cmd.exe
PID 1180 wrote to memory of 1408	1180	15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe	cmd.exe
PID 1180 wrote to memory of 1408	1180	15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe	cmd.exe
PID 1408 wrote to memory of 364	1408	cmd.exe	PING.EXE
PID 1408 wrote to memory of 364	1408	cmd.exe	PING.EXE
PID 1408 wrote to memory of 364	1408	cmd.exe	PING.EXE
PID 1408 wrote to memory of 364	1408	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe
"C:\Users\Admin\AppData\Local\Temp\15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15bd9db794e940a53f7974e86222882398eb6341b57f6b734ebab43ef424f2b6.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
336b94ef904f6948cdf1f2fce5367e82

SHA1
7ff0bebcc3eb79f767d8462c38b82e1cc72588e5

SHA256
c6f6a5cb7e47c754fbefdee3a9f532f5f474b40647d3446f2a3023088a9913bd

SHA512
eae74fd778ec0909f9d360758faf2517baa485869d3f3a6b7f2908a76eeccd520fd3352eb6fd787ca66ccd28d2d53e186ecea268a0cd35e0b233cbc03fd2ac03

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
336b94ef904f6948cdf1f2fce5367e82

SHA1
7ff0bebcc3eb79f767d8462c38b82e1cc72588e5

SHA256
c6f6a5cb7e47c754fbefdee3a9f532f5f474b40647d3446f2a3023088a9913bd

SHA512
eae74fd778ec0909f9d360758faf2517baa485869d3f3a6b7f2908a76eeccd520fd3352eb6fd787ca66ccd28d2d53e186ecea268a0cd35e0b233cbc03fd2ac03

Download Submit
memory/1180-55-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads