sakula | 146ab306fe577504861a515a8b0dee70bb12b82015d6fddac0baf94afc042605

General

Target

146ab306fe577504861a515a8b0dee70bb12b82015d6fddac0baf94afc042605.exe
Size

99KB
MD5

6d4cf0aa2053d5538b29e38474c68a9c
SHA1

ffe0ef039f8a4f6d2d05a1ccaf27add1aba86264
SHA256

146ab306fe577504861a515a8b0dee70bb12b82015d6fddac0baf94afc042605
SHA512

0de0c515110c8e13f4650af6500be606ecdfe20577f6c4fef9422e40658c7e6fbea2a9baea5d3ac1b6ba8c0e9f0e3011bc0dec91bb349314420fd5d9995bf82e

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

3212 MediaCenter.exe

pid	process
3212	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

146ab306fe577504861a515a8b0dee70bb12b82015d6fddac0baf94afc042605.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	146ab306fe577504861a515a8b0dee70bb12b82015d6fddac0baf94afc042605.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

146ab306fe577504861a515a8b0dee70bb12b82015d6fddac0baf94afc042605.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	146ab306fe577504861a515a8b0dee70bb12b82015d6fddac0baf94afc042605.exe

Drops file in Windows directory 3 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies data under HKEY_USERS 51 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "4"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "3.370660"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4092"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "90228624"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4336"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.040177"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "1157726"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132892914022313131"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3232 PING.EXE

pid	process
3232	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

146ab306fe577504861a515a8b0dee70bb12b82015d6fddac0baf94afc042605.exeTiWorker.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1188	146ab306fe577504861a515a8b0dee70bb12b82015d6fddac0baf94afc042605.exe
Token: SeSecurityPrivilege	2224	TiWorker.exe
Token: SeRestorePrivilege	2224	TiWorker.exe
Token: SeBackupPrivilege	2224	TiWorker.exe
Token: SeBackupPrivilege	2224	TiWorker.exe
Token: SeRestorePrivilege	2224	TiWorker.exe
Token: SeSecurityPrivilege	2224	TiWorker.exe
Token: SeBackupPrivilege	2224	TiWorker.exe
Token: SeRestorePrivilege	2224	TiWorker.exe
Token: SeSecurityPrivilege	2224	TiWorker.exe
Token: SeBackupPrivilege	2224	TiWorker.exe
Token: SeRestorePrivilege	2224	TiWorker.exe
Token: SeSecurityPrivilege	2224	TiWorker.exe
Token: SeBackupPrivilege	2224	TiWorker.exe
Token: SeRestorePrivilege	2224	TiWorker.exe
Token: SeSecurityPrivilege	2224	TiWorker.exe
Token: SeBackupPrivilege	2224	TiWorker.exe
Token: SeRestorePrivilege	2224	TiWorker.exe
Token: SeSecurityPrivilege	2224	TiWorker.exe
Token: SeBackupPrivilege	2224	TiWorker.exe
Token: SeRestorePrivilege	2224	TiWorker.exe
Token: SeSecurityPrivilege	2224	TiWorker.exe
Token: SeBackupPrivilege	2224	TiWorker.exe
Token: SeRestorePrivilege	2224	TiWorker.exe
Token: SeSecurityPrivilege	2224	TiWorker.exe
Token: SeBackupPrivilege	2224	TiWorker.exe
Token: SeRestorePrivilege	2224	TiWorker.exe
Token: SeSecurityPrivilege	2224	TiWorker.exe
Token: SeBackupPrivilege	2224	TiWorker.exe
Token: SeRestorePrivilege	2224	TiWorker.exe
Token: SeSecurityPrivilege	2224	TiWorker.exe
Token: SeBackupPrivilege	2224	TiWorker.exe
Token: SeRestorePrivilege	2224	TiWorker.exe
Token: SeSecurityPrivilege	2224	TiWorker.exe
Token: SeBackupPrivilege	2224	TiWorker.exe
Token: SeRestorePrivilege	2224	TiWorker.exe
Token: SeSecurityPrivilege	2224	TiWorker.exe
Token: SeBackupPrivilege	2224	TiWorker.exe
Token: SeRestorePrivilege	2224	TiWorker.exe
Token: SeSecurityPrivilege	2224	TiWorker.exe
Token: SeBackupPrivilege	2224	TiWorker.exe
Token: SeRestorePrivilege	2224	TiWorker.exe
Token: SeSecurityPrivilege	2224	TiWorker.exe
Token: SeBackupPrivilege	2224	TiWorker.exe
Token: SeRestorePrivilege	2224	TiWorker.exe
Token: SeSecurityPrivilege	2224	TiWorker.exe
Token: SeBackupPrivilege	2224	TiWorker.exe
Token: SeRestorePrivilege	2224	TiWorker.exe
Token: SeSecurityPrivilege	2224	TiWorker.exe
Token: SeBackupPrivilege	2224	TiWorker.exe
Token: SeRestorePrivilege	2224	TiWorker.exe
Token: SeSecurityPrivilege	2224	TiWorker.exe
Token: SeBackupPrivilege	2224	TiWorker.exe
Token: SeRestorePrivilege	2224	TiWorker.exe
Token: SeSecurityPrivilege	2224	TiWorker.exe
Token: SeBackupPrivilege	2224	TiWorker.exe
Token: SeRestorePrivilege	2224	TiWorker.exe
Token: SeSecurityPrivilege	2224	TiWorker.exe
Token: SeBackupPrivilege	2224	TiWorker.exe
Token: SeRestorePrivilege	2224	TiWorker.exe
Token: SeSecurityPrivilege	2224	TiWorker.exe
Token: SeBackupPrivilege	2224	TiWorker.exe
Token: SeRestorePrivilege	2224	TiWorker.exe
Token: SeSecurityPrivilege	2224	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

146ab306fe577504861a515a8b0dee70bb12b82015d6fddac0baf94afc042605.execmd.exe

description	pid	process	target process
PID 1188 wrote to memory of 3212	1188	146ab306fe577504861a515a8b0dee70bb12b82015d6fddac0baf94afc042605.exe	MediaCenter.exe
PID 1188 wrote to memory of 3212	1188	146ab306fe577504861a515a8b0dee70bb12b82015d6fddac0baf94afc042605.exe	MediaCenter.exe
PID 1188 wrote to memory of 3212	1188	146ab306fe577504861a515a8b0dee70bb12b82015d6fddac0baf94afc042605.exe	MediaCenter.exe
PID 1188 wrote to memory of 1344	1188	146ab306fe577504861a515a8b0dee70bb12b82015d6fddac0baf94afc042605.exe	cmd.exe
PID 1188 wrote to memory of 1344	1188	146ab306fe577504861a515a8b0dee70bb12b82015d6fddac0baf94afc042605.exe	cmd.exe
PID 1188 wrote to memory of 1344	1188	146ab306fe577504861a515a8b0dee70bb12b82015d6fddac0baf94afc042605.exe	cmd.exe
PID 1344 wrote to memory of 3232	1344	cmd.exe	PING.EXE
PID 1344 wrote to memory of 3232	1344	cmd.exe	PING.EXE
PID 1344 wrote to memory of 3232	1344	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\146ab306fe577504861a515a8b0dee70bb12b82015d6fddac0baf94afc042605.exe
"C:\Users\Admin\AppData\Local\Temp\146ab306fe577504861a515a8b0dee70bb12b82015d6fddac0baf94afc042605.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:3212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\146ab306fe577504861a515a8b0dee70bb12b82015d6fddac0baf94afc042605.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:3232

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:1396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:772

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
9c55ab084490ebeb9a6c485b97efda9c

SHA1
6227fc4464f8ca519f57e07fb7bc40daa68b9d29

SHA256
c27bd02f158491efce125d8dabe401198ce21569495412fbbc3c83c44fefbf75

SHA512
c5608013c9c8a8653434d616a9b164eab33f1b4179d4757ba2215e9eeaec856fa8ce587b68a7847acd2d8f3cf4bc814107b4d0f479ac1ae9fbe4b6026dc52703

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
9c55ab084490ebeb9a6c485b97efda9c

SHA1
6227fc4464f8ca519f57e07fb7bc40daa68b9d29

SHA256
c27bd02f158491efce125d8dabe401198ce21569495412fbbc3c83c44fefbf75

SHA512
c5608013c9c8a8653434d616a9b164eab33f1b4179d4757ba2215e9eeaec856fa8ce587b68a7847acd2d8f3cf4bc814107b4d0f479ac1ae9fbe4b6026dc52703

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads