sakula | 124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5

General

Target

124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe
Size

58KB
MD5

d376819fef49c1655282ae0bb9149038
SHA1

db953b827f759d146baf25c15a812b4f9e914c5e
SHA256

124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5
SHA512

4410f94d322be8ce0e142a46077a247c0beff37da9954f9396c90f5bd2c24e733915a317256fa6d516316a5a947023e8cd67e93ac1ccd8b9d18ce0dc0d65a4c8

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1316 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1084 cmd.exe

pid	process
1316	MediaCenter.exe

pid	process
1084	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe

pid	process
1600	124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe
1600	124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

780 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe

description pid process

Token: SeIncBasePriorityPrivilege 1600 124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe

pid	process
780	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1600	124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.execmd.exe

description	pid	process	target process
PID 1600 wrote to memory of 1316	1600	124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe	MediaCenter.exe
PID 1600 wrote to memory of 1316	1600	124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe	MediaCenter.exe
PID 1600 wrote to memory of 1316	1600	124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe	MediaCenter.exe
PID 1600 wrote to memory of 1316	1600	124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe	MediaCenter.exe
PID 1600 wrote to memory of 1084	1600	124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe	cmd.exe
PID 1600 wrote to memory of 1084	1600	124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe	cmd.exe
PID 1600 wrote to memory of 1084	1600	124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe	cmd.exe
PID 1600 wrote to memory of 1084	1600	124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe	cmd.exe
PID 1084 wrote to memory of 780	1084	cmd.exe	PING.EXE
PID 1084 wrote to memory of 780	1084	cmd.exe	PING.EXE
PID 1084 wrote to memory of 780	1084	cmd.exe	PING.EXE
PID 1084 wrote to memory of 780	1084	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe
"C:\Users\Admin\AppData\Local\Temp\124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\124a7a3f40b93745c96e0d2c305404f782c4dd2f01976ab7b706b85d2e7e5bf5.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
14d7587b6e60dd2793ecd6cdc02c451b

SHA1
56dd02d7c147411c817a0e763b5d822a047304d0

SHA256
df7bf226d2ca32df5c8376c0379ebf1321d2a7e667616064a0b781ab0abc01fb

SHA512
417e3e402ba9855803f6d0aa3e87105ce22e4a8703049ed87bb87f9db27bc77a6f0c8725c335bcd7c5449be8739388d9ae7682e1dae2de1bb556d7934a3f5421

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
14d7587b6e60dd2793ecd6cdc02c451b

SHA1
56dd02d7c147411c817a0e763b5d822a047304d0

SHA256
df7bf226d2ca32df5c8376c0379ebf1321d2a7e667616064a0b781ab0abc01fb

SHA512
417e3e402ba9855803f6d0aa3e87105ce22e4a8703049ed87bb87f9db27bc77a6f0c8725c335bcd7c5449be8739388d9ae7682e1dae2de1bb556d7934a3f5421

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
14d7587b6e60dd2793ecd6cdc02c451b

SHA1
56dd02d7c147411c817a0e763b5d822a047304d0

SHA256
df7bf226d2ca32df5c8376c0379ebf1321d2a7e667616064a0b781ab0abc01fb

SHA512
417e3e402ba9855803f6d0aa3e87105ce22e4a8703049ed87bb87f9db27bc77a6f0c8725c335bcd7c5449be8739388d9ae7682e1dae2de1bb556d7934a3f5421

Download Submit
memory/1600-55-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads