sakula | 1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b

General

Target

1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe
Size

60KB
MD5

a87dd3b6f1ab2be3d8a6d9efdffb384d
SHA1

43d5e8fb96620b0c5a0c3cb02309f882938ef1f3
SHA256

1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b
SHA512

263869bd707da3c4da81f8387027b0edf3627109f59dca14b97f912afb478a6226112c9afffcde39c13d1c59beb8cc0bcd381de602898474e9abad213caabb5d

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

572 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

836 cmd.exe

pid	process
572	MediaCenter.exe

pid	process
836	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe

pid	process
1100	1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe
1100	1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

896 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe

description pid process

Token: SeIncBasePriorityPrivilege 1100 1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe

pid	process
896	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1100	1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.execmd.exe

description	pid	process	target process
PID 1100 wrote to memory of 572	1100	1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe	MediaCenter.exe
PID 1100 wrote to memory of 572	1100	1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe	MediaCenter.exe
PID 1100 wrote to memory of 572	1100	1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe	MediaCenter.exe
PID 1100 wrote to memory of 572	1100	1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe	MediaCenter.exe
PID 1100 wrote to memory of 836	1100	1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe	cmd.exe
PID 1100 wrote to memory of 836	1100	1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe	cmd.exe
PID 1100 wrote to memory of 836	1100	1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe	cmd.exe
PID 1100 wrote to memory of 836	1100	1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe	cmd.exe
PID 836 wrote to memory of 896	836	cmd.exe	PING.EXE
PID 836 wrote to memory of 896	836	cmd.exe	PING.EXE
PID 836 wrote to memory of 896	836	cmd.exe	PING.EXE
PID 836 wrote to memory of 896	836	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe
"C:\Users\Admin\AppData\Local\Temp\1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1429546d83360903b393ab83be565d416d95c12b9be089bc2217c02cd82c319b.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
bf0e1402fee7bdc5cab4f6ee3dbde71d

SHA1
c943234a691835100a440979fadec07a1b1c2c90

SHA256
2a307b8c49a1d464b075339b9be044b81f1398450af03f94893122f8dbc230b3

SHA512
fe14281b347cab2e1b0e38d4c22155e3c9adf4b1b40a5f92bbafd96a4a5f82d75a28bb06f0f8d9c90a653e76983402e8e650ce3f6677d27f2902dbbc9f5f7e9c

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
bf0e1402fee7bdc5cab4f6ee3dbde71d

SHA1
c943234a691835100a440979fadec07a1b1c2c90

SHA256
2a307b8c49a1d464b075339b9be044b81f1398450af03f94893122f8dbc230b3

SHA512
fe14281b347cab2e1b0e38d4c22155e3c9adf4b1b40a5f92bbafd96a4a5f82d75a28bb06f0f8d9c90a653e76983402e8e650ce3f6677d27f2902dbbc9f5f7e9c

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
bf0e1402fee7bdc5cab4f6ee3dbde71d

SHA1
c943234a691835100a440979fadec07a1b1c2c90

SHA256
2a307b8c49a1d464b075339b9be044b81f1398450af03f94893122f8dbc230b3

SHA512
fe14281b347cab2e1b0e38d4c22155e3c9adf4b1b40a5f92bbafd96a4a5f82d75a28bb06f0f8d9c90a653e76983402e8e650ce3f6677d27f2902dbbc9f5f7e9c

Download Submit
memory/1100-55-0x00000000760F1000-0x00000000760F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads