sakula | 14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227

General

Target

14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe
Size

80KB
MD5

bfc0247ec59849ae2298997f9fc2a220
SHA1

4c9191907ddd1179a7859da419bce0974463803a
SHA256

14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227
SHA512

1e790580eb7a22593bb25ccb79133d0b4a71edbdd3d288fedef83126cc95d823d6180f9e5a39ccaff0edee53e29996b23a6b3c6f9fb4943fdeea11e39c5ba857

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

892 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

396 cmd.exe

pid	process
892	MediaCenter.exe

pid	process
396	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe

pid	process
1504	14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe
1504	14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1672 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe

description pid process

Token: SeIncBasePriorityPrivilege 1504 14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe

pid	process
1672	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1504	14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.execmd.exe

description	pid	process	target process
PID 1504 wrote to memory of 892	1504	14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe	MediaCenter.exe
PID 1504 wrote to memory of 892	1504	14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe	MediaCenter.exe
PID 1504 wrote to memory of 892	1504	14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe	MediaCenter.exe
PID 1504 wrote to memory of 892	1504	14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe	MediaCenter.exe
PID 1504 wrote to memory of 396	1504	14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe	cmd.exe
PID 1504 wrote to memory of 396	1504	14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe	cmd.exe
PID 1504 wrote to memory of 396	1504	14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe	cmd.exe
PID 1504 wrote to memory of 396	1504	14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe	cmd.exe
PID 396 wrote to memory of 1672	396	cmd.exe	PING.EXE
PID 396 wrote to memory of 1672	396	cmd.exe	PING.EXE
PID 396 wrote to memory of 1672	396	cmd.exe	PING.EXE
PID 396 wrote to memory of 1672	396	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe
"C:\Users\Admin\AppData\Local\Temp\14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14c55e4f0ee30912cfafb70aacb574ef33a5c0f5b58df8dae20b84a408fe4227.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
31165f932965794e2a15d081b8b41fc6

SHA1
373095e95e3d7b6944d0fc5c36b713f08e2f78a1

SHA256
c78454dd1b219ac04779243746d1adc053cc11dc7c81af46f103b665a8a09b0b

SHA512
390fd4f4a090e0ee430a6eb00d071fcd591a7df319c5eb1870d611350e2a789dfd9b27a023dd7cc43ea462db89c8e01781a5cbeee18aa05a307b7531d32a03b3

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
31165f932965794e2a15d081b8b41fc6

SHA1
373095e95e3d7b6944d0fc5c36b713f08e2f78a1

SHA256
c78454dd1b219ac04779243746d1adc053cc11dc7c81af46f103b665a8a09b0b

SHA512
390fd4f4a090e0ee430a6eb00d071fcd591a7df319c5eb1870d611350e2a789dfd9b27a023dd7cc43ea462db89c8e01781a5cbeee18aa05a307b7531d32a03b3

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
31165f932965794e2a15d081b8b41fc6

SHA1
373095e95e3d7b6944d0fc5c36b713f08e2f78a1

SHA256
c78454dd1b219ac04779243746d1adc053cc11dc7c81af46f103b665a8a09b0b

SHA512
390fd4f4a090e0ee430a6eb00d071fcd591a7df319c5eb1870d611350e2a789dfd9b27a023dd7cc43ea462db89c8e01781a5cbeee18aa05a307b7531d32a03b3

Download Submit
memory/1504-54-0x0000000076451000-0x0000000076453000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads