sakula | 1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3

General

Target

1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe
Size

80KB
MD5

4b4c129f9cce90f19f303b5d0c52452b
SHA1

60925ab268d4cef64806cc1962258b524b448a46
SHA256

1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3
SHA512

366e24f43037d1607a04b0cd6e87f6aa587e2457980569f58d4ef6e77e3aebf4b3a93b493d5b4a3b8e886b6a262b6ae972d49057f3910e9b29a4f91a1a283517

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1528 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1832 cmd.exe

pid	process
1528	MediaCenter.exe

pid	process
1832	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe

pid	process
1520	1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe
1520	1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1144 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe

description pid process

Token: SeIncBasePriorityPrivilege 1520 1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe

pid	process
1144	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1520	1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.execmd.exe

description	pid	process	target process
PID 1520 wrote to memory of 1528	1520	1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe	MediaCenter.exe
PID 1520 wrote to memory of 1528	1520	1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe	MediaCenter.exe
PID 1520 wrote to memory of 1528	1520	1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe	MediaCenter.exe
PID 1520 wrote to memory of 1528	1520	1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe	MediaCenter.exe
PID 1520 wrote to memory of 1832	1520	1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe	cmd.exe
PID 1520 wrote to memory of 1832	1520	1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe	cmd.exe
PID 1520 wrote to memory of 1832	1520	1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe	cmd.exe
PID 1520 wrote to memory of 1832	1520	1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe	cmd.exe
PID 1832 wrote to memory of 1144	1832	cmd.exe	PING.EXE
PID 1832 wrote to memory of 1144	1832	cmd.exe	PING.EXE
PID 1832 wrote to memory of 1144	1832	cmd.exe	PING.EXE
PID 1832 wrote to memory of 1144	1832	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe
"C:\Users\Admin\AppData\Local\Temp\1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1281d7f5c56a4bdb974f6151972603afd55d07ecb3fc5306cc3945158f4936f3.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
9735a6ab88a7c7ba539e60ba01396067

SHA1
d8893065abc6d2571e3d53ae1a03fc40738c9a91

SHA256
510bb7e8a0c09bc03e05cdd9badda30cc0032ba3669a40db6c93071aad0198cf

SHA512
33ec7b6d50ba154269eeeeaa7914e91fa8b43776decc8c65ddf84ac167dd699b465f1e51313243e46e2ead3b03b7cd4bf9fdddb6e1f834d01d6df7124a093981

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
9735a6ab88a7c7ba539e60ba01396067

SHA1
d8893065abc6d2571e3d53ae1a03fc40738c9a91

SHA256
510bb7e8a0c09bc03e05cdd9badda30cc0032ba3669a40db6c93071aad0198cf

SHA512
33ec7b6d50ba154269eeeeaa7914e91fa8b43776decc8c65ddf84ac167dd699b465f1e51313243e46e2ead3b03b7cd4bf9fdddb6e1f834d01d6df7124a093981

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
9735a6ab88a7c7ba539e60ba01396067

SHA1
d8893065abc6d2571e3d53ae1a03fc40738c9a91

SHA256
510bb7e8a0c09bc03e05cdd9badda30cc0032ba3669a40db6c93071aad0198cf

SHA512
33ec7b6d50ba154269eeeeaa7914e91fa8b43776decc8c65ddf84ac167dd699b465f1e51313243e46e2ead3b03b7cd4bf9fdddb6e1f834d01d6df7124a093981

Download Submit
memory/1520-55-0x0000000076371000-0x0000000076373000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads