sakula | 13ea2810c98e659df9171a0def702a526142a52fa56978b51302465058ba35dc

General

Target

13ea2810c98e659df9171a0def702a526142a52fa56978b51302465058ba35dc.exe
Size

80KB
MD5

37008d031819c2e26d3b180fe8bf7796
SHA1

5d3036e42ae8a29efd99730ccacfe2c8ab848af2
SHA256

13ea2810c98e659df9171a0def702a526142a52fa56978b51302465058ba35dc
SHA512

990330972a1b225d80294feebb1a526a7382c4bbe27075c824756b9d365a1d74d27d1d7a28f73809dba24a7d39923c639dc42828dbf78a44e092daa740037443

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

3444 MediaCenter.exe

pid	process
3444	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

13ea2810c98e659df9171a0def702a526142a52fa56978b51302465058ba35dc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	13ea2810c98e659df9171a0def702a526142a52fa56978b51302465058ba35dc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

13ea2810c98e659df9171a0def702a526142a52fa56978b51302465058ba35dc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	13ea2810c98e659df9171a0def702a526142a52fa56978b51302465058ba35dc.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3948 PING.EXE

pid	process
3948	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exe13ea2810c98e659df9171a0def702a526142a52fa56978b51302465058ba35dc.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	4028	svchost.exe
Token: SeCreatePagefilePrivilege	4028	svchost.exe
Token: SeShutdownPrivilege	4028	svchost.exe
Token: SeCreatePagefilePrivilege	4028	svchost.exe
Token: SeShutdownPrivilege	4028	svchost.exe
Token: SeCreatePagefilePrivilege	4028	svchost.exe
Token: SeIncBasePriorityPrivilege	1324	13ea2810c98e659df9171a0def702a526142a52fa56978b51302465058ba35dc.exe
Token: SeSecurityPrivilege	4260	TiWorker.exe
Token: SeRestorePrivilege	4260	TiWorker.exe
Token: SeBackupPrivilege	4260	TiWorker.exe
Token: SeBackupPrivilege	4260	TiWorker.exe
Token: SeRestorePrivilege	4260	TiWorker.exe
Token: SeSecurityPrivilege	4260	TiWorker.exe
Token: SeBackupPrivilege	4260	TiWorker.exe
Token: SeRestorePrivilege	4260	TiWorker.exe
Token: SeSecurityPrivilege	4260	TiWorker.exe
Token: SeBackupPrivilege	4260	TiWorker.exe
Token: SeRestorePrivilege	4260	TiWorker.exe
Token: SeSecurityPrivilege	4260	TiWorker.exe
Token: SeBackupPrivilege	4260	TiWorker.exe
Token: SeRestorePrivilege	4260	TiWorker.exe
Token: SeSecurityPrivilege	4260	TiWorker.exe
Token: SeBackupPrivilege	4260	TiWorker.exe
Token: SeRestorePrivilege	4260	TiWorker.exe
Token: SeSecurityPrivilege	4260	TiWorker.exe
Token: SeBackupPrivilege	4260	TiWorker.exe
Token: SeRestorePrivilege	4260	TiWorker.exe
Token: SeSecurityPrivilege	4260	TiWorker.exe
Token: SeBackupPrivilege	4260	TiWorker.exe
Token: SeRestorePrivilege	4260	TiWorker.exe
Token: SeSecurityPrivilege	4260	TiWorker.exe
Token: SeBackupPrivilege	4260	TiWorker.exe
Token: SeRestorePrivilege	4260	TiWorker.exe
Token: SeSecurityPrivilege	4260	TiWorker.exe
Token: SeBackupPrivilege	4260	TiWorker.exe
Token: SeRestorePrivilege	4260	TiWorker.exe
Token: SeSecurityPrivilege	4260	TiWorker.exe
Token: SeBackupPrivilege	4260	TiWorker.exe
Token: SeRestorePrivilege	4260	TiWorker.exe
Token: SeSecurityPrivilege	4260	TiWorker.exe
Token: SeBackupPrivilege	4260	TiWorker.exe
Token: SeRestorePrivilege	4260	TiWorker.exe
Token: SeSecurityPrivilege	4260	TiWorker.exe
Token: SeBackupPrivilege	4260	TiWorker.exe
Token: SeRestorePrivilege	4260	TiWorker.exe
Token: SeSecurityPrivilege	4260	TiWorker.exe
Token: SeBackupPrivilege	4260	TiWorker.exe
Token: SeRestorePrivilege	4260	TiWorker.exe
Token: SeSecurityPrivilege	4260	TiWorker.exe
Token: SeBackupPrivilege	4260	TiWorker.exe
Token: SeRestorePrivilege	4260	TiWorker.exe
Token: SeSecurityPrivilege	4260	TiWorker.exe
Token: SeBackupPrivilege	4260	TiWorker.exe
Token: SeRestorePrivilege	4260	TiWorker.exe
Token: SeSecurityPrivilege	4260	TiWorker.exe
Token: SeBackupPrivilege	4260	TiWorker.exe
Token: SeRestorePrivilege	4260	TiWorker.exe
Token: SeSecurityPrivilege	4260	TiWorker.exe
Token: SeBackupPrivilege	4260	TiWorker.exe
Token: SeRestorePrivilege	4260	TiWorker.exe
Token: SeSecurityPrivilege	4260	TiWorker.exe
Token: SeBackupPrivilege	4260	TiWorker.exe
Token: SeRestorePrivilege	4260	TiWorker.exe
Token: SeSecurityPrivilege	4260	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

13ea2810c98e659df9171a0def702a526142a52fa56978b51302465058ba35dc.execmd.exe

description	pid	process	target process
PID 1324 wrote to memory of 3444	1324	13ea2810c98e659df9171a0def702a526142a52fa56978b51302465058ba35dc.exe	MediaCenter.exe
PID 1324 wrote to memory of 3444	1324	13ea2810c98e659df9171a0def702a526142a52fa56978b51302465058ba35dc.exe	MediaCenter.exe
PID 1324 wrote to memory of 3444	1324	13ea2810c98e659df9171a0def702a526142a52fa56978b51302465058ba35dc.exe	MediaCenter.exe
PID 1324 wrote to memory of 2080	1324	13ea2810c98e659df9171a0def702a526142a52fa56978b51302465058ba35dc.exe	cmd.exe
PID 1324 wrote to memory of 2080	1324	13ea2810c98e659df9171a0def702a526142a52fa56978b51302465058ba35dc.exe	cmd.exe
PID 1324 wrote to memory of 2080	1324	13ea2810c98e659df9171a0def702a526142a52fa56978b51302465058ba35dc.exe	cmd.exe
PID 2080 wrote to memory of 3948	2080	cmd.exe	PING.EXE
PID 2080 wrote to memory of 3948	2080	cmd.exe	PING.EXE
PID 2080 wrote to memory of 3948	2080	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\13ea2810c98e659df9171a0def702a526142a52fa56978b51302465058ba35dc.exe
"C:\Users\Admin\AppData\Local\Temp\13ea2810c98e659df9171a0def702a526142a52fa56978b51302465058ba35dc.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:3444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13ea2810c98e659df9171a0def702a526142a52fa56978b51302465058ba35dc.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:3948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
de4f22d3e8eece40c72ee53191d3bfbc

SHA1
3b8a61486900a9ff996b3a476fd9e6f2dff92838

SHA256
d850ab31ffc6be989b2b677c90dbae3215b24015b7cf37bfef8a4bd57f33c28d

SHA512
bed4840c06109bc55e9e362c8f0af97f06b192fe510b85237a4f5d3803d5d9631e7881cac7c18f3bd0593308207ff2f06e25449ef1d05f96e81c2d1bab7143fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
de4f22d3e8eece40c72ee53191d3bfbc

SHA1
3b8a61486900a9ff996b3a476fd9e6f2dff92838

SHA256
d850ab31ffc6be989b2b677c90dbae3215b24015b7cf37bfef8a4bd57f33c28d

SHA512
bed4840c06109bc55e9e362c8f0af97f06b192fe510b85237a4f5d3803d5d9631e7881cac7c18f3bd0593308207ff2f06e25449ef1d05f96e81c2d1bab7143fd

Download Submit
memory/4028-132-0x0000017F8B360000-0x0000017F8B370000-memory.dmp

Filesize
64KB

Download
memory/4028-133-0x0000017F8B920000-0x0000017F8B930000-memory.dmp

Filesize
64KB

Download
memory/4028-134-0x0000017F8DFB0000-0x0000017F8DFB4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads