sakula | 12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff

General

Target

12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe
Size

79KB
MD5

52996ba6234d7f7c743a021ef84d6c1e
SHA1

4b4d1f4eed3494d279c9145926da8f97e48024cd
SHA256

12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff
SHA512

ae1cda21d416e1adc0d20b637e647719a199bba868500d62edc8557fa3c2144a314ace01933d735cf5eb2a4ea9f0b79a89df8d4cf6abe810af6de6d74c330c3b

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1032 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1816 cmd.exe

pid	process
1032	MediaCenter.exe

pid	process
1816	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe

pid	process
1592	12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe
1592	12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1812 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe

description pid process

Token: SeIncBasePriorityPrivilege 1592 12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe

pid	process
1812	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1592	12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.execmd.exe

description	pid	process	target process
PID 1592 wrote to memory of 1032	1592	12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe	MediaCenter.exe
PID 1592 wrote to memory of 1032	1592	12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe	MediaCenter.exe
PID 1592 wrote to memory of 1032	1592	12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe	MediaCenter.exe
PID 1592 wrote to memory of 1032	1592	12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe	MediaCenter.exe
PID 1592 wrote to memory of 1816	1592	12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe	cmd.exe
PID 1592 wrote to memory of 1816	1592	12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe	cmd.exe
PID 1592 wrote to memory of 1816	1592	12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe	cmd.exe
PID 1592 wrote to memory of 1816	1592	12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe	cmd.exe
PID 1816 wrote to memory of 1812	1816	cmd.exe	PING.EXE
PID 1816 wrote to memory of 1812	1816	cmd.exe	PING.EXE
PID 1816 wrote to memory of 1812	1816	cmd.exe	PING.EXE
PID 1816 wrote to memory of 1812	1816	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe
"C:\Users\Admin\AppData\Local\Temp\12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\12ac35e35ff247d89a35afffe065639ec0c61862d15e79df2361ca61a872aaff.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
20edd5378e637985fd1a53efaee11152

SHA1
4234bb28bc4d69f68fa863b8e5675105a74e9c6d

SHA256
5ddaa1c29a4a09b6cc1ada2f556f3906f36c080314cf3f562ebbac8133be2552

SHA512
ea5f210ae807f4ccd35518d06f899e785aba31dbf84601a086ac72bc4fb348538aadf12ae834fc8e4130bbb62852998c264ce49c71f4d1829c72c62a2df07fd8

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
20edd5378e637985fd1a53efaee11152

SHA1
4234bb28bc4d69f68fa863b8e5675105a74e9c6d

SHA256
5ddaa1c29a4a09b6cc1ada2f556f3906f36c080314cf3f562ebbac8133be2552

SHA512
ea5f210ae807f4ccd35518d06f899e785aba31dbf84601a086ac72bc4fb348538aadf12ae834fc8e4130bbb62852998c264ce49c71f4d1829c72c62a2df07fd8

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
20edd5378e637985fd1a53efaee11152

SHA1
4234bb28bc4d69f68fa863b8e5675105a74e9c6d

SHA256
5ddaa1c29a4a09b6cc1ada2f556f3906f36c080314cf3f562ebbac8133be2552

SHA512
ea5f210ae807f4ccd35518d06f899e785aba31dbf84601a086ac72bc4fb348538aadf12ae834fc8e4130bbb62852998c264ce49c71f4d1829c72c62a2df07fd8

Download Submit
memory/1592-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads