sakula | 14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260

General

Target

14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe
Size

92KB
MD5

527224b36cbb1542d0ab5756cd8fa40e
SHA1

7d8a18f0c8c19ab2d940a7f54a2896b9797b1a7f
SHA256

14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260
SHA512

bab730c8db3b05eab1e30c1424bcf1fd7a9e5281ddaac0e8fa181c2a2900c771c0ad23c00f1d926c694e304e44c720065a812a81389877a33fb909265c6811a4

Score

10^/10

sakula persistence rat suricata trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1212 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

624 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe

pid process

856 14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe

pid	process
1212	MediaCenter.exe

pid	process
624	cmd.exe

pid	process
856	14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2016 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe

description pid process

Token: SeIncBasePriorityPrivilege 856 14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe

pid	process
2016	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	856	14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.execmd.exe

description	pid	process	target process
PID 856 wrote to memory of 1212	856	14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe	MediaCenter.exe
PID 856 wrote to memory of 1212	856	14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe	MediaCenter.exe
PID 856 wrote to memory of 1212	856	14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe	MediaCenter.exe
PID 856 wrote to memory of 1212	856	14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe	MediaCenter.exe
PID 856 wrote to memory of 624	856	14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe	cmd.exe
PID 856 wrote to memory of 624	856	14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe	cmd.exe
PID 856 wrote to memory of 624	856	14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe	cmd.exe
PID 856 wrote to memory of 624	856	14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe	cmd.exe
PID 624 wrote to memory of 2016	624	cmd.exe	PING.EXE
PID 624 wrote to memory of 2016	624	cmd.exe	PING.EXE
PID 624 wrote to memory of 2016	624	cmd.exe	PING.EXE
PID 624 wrote to memory of 2016	624	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe
"C:\Users\Admin\AppData\Local\Temp\14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14a6d8576deb4de1bf5342924c6fed7f3335b6a4db2e628fc82ae10e19ebd260.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
30ca5bd17993043213b23ab70f4db2c0

SHA1
88bd02844f4ccc43ebf053fe0c4476aa246a479b

SHA256
825188a1e12efc18689bbe43da605a3692b9dca9203d53f9505b7b7047453469

SHA512
ddd97fc44f3697b161b4afde4bdb57c7a21cdcd6c74a35cc54946c0d3dbb3d6539db6e64b8c48642223a887bf7c8705763f6af830b274588dbc19e9f9fa93280

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
30ca5bd17993043213b23ab70f4db2c0

SHA1
88bd02844f4ccc43ebf053fe0c4476aa246a479b

SHA256
825188a1e12efc18689bbe43da605a3692b9dca9203d53f9505b7b7047453469

SHA512
ddd97fc44f3697b161b4afde4bdb57c7a21cdcd6c74a35cc54946c0d3dbb3d6539db6e64b8c48642223a887bf7c8705763f6af830b274588dbc19e9f9fa93280

Download Submit
memory/856-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads