sakula | 125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c

General

Target

125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe
Size

35KB
MD5

0c1eb61d71487c65a019b983c432c7cc
SHA1

05377f2f0015817a69608a18bb1ba1b994bceb8a
SHA256

125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c
SHA512

fad99f54c820a524b78b4f8e4da4abd03608b1bf9a4910423b30523710831d5646bbd0b1778d119867ec908c9f83384dcc2e44de32f4d4653c66caa9ed311546

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1836 MediaCenter.exe

pid	process
1836	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe

Drops file in Windows directory 8 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

812 PING.EXE

pid	process
812	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exesvchost.exeTiWorker.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	408	125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe
Token: SeShutdownPrivilege	624	svchost.exe
Token: SeCreatePagefilePrivilege	624	svchost.exe
Token: SeShutdownPrivilege	624	svchost.exe
Token: SeCreatePagefilePrivilege	624	svchost.exe
Token: SeShutdownPrivilege	624	svchost.exe
Token: SeCreatePagefilePrivilege	624	svchost.exe
Token: SeSecurityPrivilege	456	TiWorker.exe
Token: SeRestorePrivilege	456	TiWorker.exe
Token: SeBackupPrivilege	456	TiWorker.exe
Token: SeBackupPrivilege	456	TiWorker.exe
Token: SeRestorePrivilege	456	TiWorker.exe
Token: SeSecurityPrivilege	456	TiWorker.exe
Token: SeBackupPrivilege	456	TiWorker.exe
Token: SeRestorePrivilege	456	TiWorker.exe
Token: SeSecurityPrivilege	456	TiWorker.exe
Token: SeBackupPrivilege	456	TiWorker.exe
Token: SeRestorePrivilege	456	TiWorker.exe
Token: SeSecurityPrivilege	456	TiWorker.exe
Token: SeBackupPrivilege	456	TiWorker.exe
Token: SeRestorePrivilege	456	TiWorker.exe
Token: SeSecurityPrivilege	456	TiWorker.exe
Token: SeBackupPrivilege	456	TiWorker.exe
Token: SeRestorePrivilege	456	TiWorker.exe
Token: SeSecurityPrivilege	456	TiWorker.exe
Token: SeBackupPrivilege	456	TiWorker.exe
Token: SeRestorePrivilege	456	TiWorker.exe
Token: SeSecurityPrivilege	456	TiWorker.exe
Token: SeBackupPrivilege	456	TiWorker.exe
Token: SeRestorePrivilege	456	TiWorker.exe
Token: SeSecurityPrivilege	456	TiWorker.exe
Token: SeBackupPrivilege	456	TiWorker.exe
Token: SeRestorePrivilege	456	TiWorker.exe
Token: SeSecurityPrivilege	456	TiWorker.exe
Token: SeBackupPrivilege	456	TiWorker.exe
Token: SeRestorePrivilege	456	TiWorker.exe
Token: SeSecurityPrivilege	456	TiWorker.exe
Token: SeBackupPrivilege	456	TiWorker.exe
Token: SeRestorePrivilege	456	TiWorker.exe
Token: SeSecurityPrivilege	456	TiWorker.exe
Token: SeBackupPrivilege	456	TiWorker.exe
Token: SeRestorePrivilege	456	TiWorker.exe
Token: SeSecurityPrivilege	456	TiWorker.exe
Token: SeBackupPrivilege	456	TiWorker.exe
Token: SeRestorePrivilege	456	TiWorker.exe
Token: SeSecurityPrivilege	456	TiWorker.exe
Token: SeBackupPrivilege	456	TiWorker.exe
Token: SeRestorePrivilege	456	TiWorker.exe
Token: SeSecurityPrivilege	456	TiWorker.exe
Token: SeBackupPrivilege	456	TiWorker.exe
Token: SeRestorePrivilege	456	TiWorker.exe
Token: SeSecurityPrivilege	456	TiWorker.exe
Token: SeBackupPrivilege	456	TiWorker.exe
Token: SeRestorePrivilege	456	TiWorker.exe
Token: SeSecurityPrivilege	456	TiWorker.exe
Token: SeBackupPrivilege	456	TiWorker.exe
Token: SeRestorePrivilege	456	TiWorker.exe
Token: SeSecurityPrivilege	456	TiWorker.exe
Token: SeBackupPrivilege	456	TiWorker.exe
Token: SeRestorePrivilege	456	TiWorker.exe
Token: SeSecurityPrivilege	456	TiWorker.exe
Token: SeBackupPrivilege	456	TiWorker.exe
Token: SeRestorePrivilege	456	TiWorker.exe
Token: SeSecurityPrivilege	456	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.execmd.exe

description	pid	process	target process
PID 408 wrote to memory of 1836	408	125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe	MediaCenter.exe
PID 408 wrote to memory of 1836	408	125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe	MediaCenter.exe
PID 408 wrote to memory of 1836	408	125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe	MediaCenter.exe
PID 408 wrote to memory of 1492	408	125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe	cmd.exe
PID 408 wrote to memory of 1492	408	125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe	cmd.exe
PID 408 wrote to memory of 1492	408	125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe	cmd.exe
PID 1492 wrote to memory of 812	1492	cmd.exe	PING.EXE
PID 1492 wrote to memory of 812	1492	cmd.exe	PING.EXE
PID 1492 wrote to memory of 812	1492	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe
"C:\Users\Admin\AppData\Local\Temp\125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:408

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\125e69bf738fd37c47f004e7b8609785dfa01ac241e6527023628d55eacd0e5c.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
2d987c41f907c9ff20469b7904594225

SHA1
4d47976b8dd9758031bc9b7c12b9c17634186caf

SHA256
4a52dd6779cf15288147b6aefa25b6ab52af2bee78d531f04c3d0fd3ed1fc55a

SHA512
383cf0298335fed564d43d75e4aa35aef68ebc4a76296740308359d874afc90d275d0d023fad780347535c150ae5eb03ade354bb4825754a6f827d1c14da3280

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
2d987c41f907c9ff20469b7904594225

SHA1
4d47976b8dd9758031bc9b7c12b9c17634186caf

SHA256
4a52dd6779cf15288147b6aefa25b6ab52af2bee78d531f04c3d0fd3ed1fc55a

SHA512
383cf0298335fed564d43d75e4aa35aef68ebc4a76296740308359d874afc90d275d0d023fad780347535c150ae5eb03ade354bb4825754a6f827d1c14da3280

Download Submit
memory/624-135-0x000002569CD80000-0x000002569CD90000-memory.dmp

Filesize
64KB

Download
memory/624-136-0x000002569D560000-0x000002569D570000-memory.dmp

Filesize
64KB

Download
memory/624-137-0x00000256A0160000-0x00000256A0164000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads