sakula | 1047e59228897a45d0adde81b3fa60394083d99bf107e491d82bcf12d7928778

General

Target

1047e59228897a45d0adde81b3fa60394083d99bf107e491d82bcf12d7928778.exe
Size

191KB
MD5

c7e9d53c230b8bcfdb800533bdee2856
SHA1

b9663d5dd65f09a37cb58cd70d2f4d86270af5de
SHA256

1047e59228897a45d0adde81b3fa60394083d99bf107e491d82bcf12d7928778
SHA512

69556faa413ee9ac38881ce07ca44b85764fcd91947c172bb5a50584d0f889ee4fc37fa850416d429591dce232b9707068fb6bcaf7596d82e85ba412d2b44b1f

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

532 MediaCenter.exe

pid	process
532	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1047e59228897a45d0adde81b3fa60394083d99bf107e491d82bcf12d7928778.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	1047e59228897a45d0adde81b3fa60394083d99bf107e491d82bcf12d7928778.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1047e59228897a45d0adde81b3fa60394083d99bf107e491d82bcf12d7928778.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	1047e59228897a45d0adde81b3fa60394083d99bf107e491d82bcf12d7928778.exe

Drops file in Windows directory 8 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4248 PING.EXE

pid	process
4248	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exe1047e59228897a45d0adde81b3fa60394083d99bf107e491d82bcf12d7928778.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	112	svchost.exe
Token: SeCreatePagefilePrivilege	112	svchost.exe
Token: SeShutdownPrivilege	112	svchost.exe
Token: SeCreatePagefilePrivilege	112	svchost.exe
Token: SeShutdownPrivilege	112	svchost.exe
Token: SeCreatePagefilePrivilege	112	svchost.exe
Token: SeIncBasePriorityPrivilege	4532	1047e59228897a45d0adde81b3fa60394083d99bf107e491d82bcf12d7928778.exe
Token: SeSecurityPrivilege	688	TiWorker.exe
Token: SeRestorePrivilege	688	TiWorker.exe
Token: SeBackupPrivilege	688	TiWorker.exe
Token: SeBackupPrivilege	688	TiWorker.exe
Token: SeRestorePrivilege	688	TiWorker.exe
Token: SeSecurityPrivilege	688	TiWorker.exe
Token: SeBackupPrivilege	688	TiWorker.exe
Token: SeRestorePrivilege	688	TiWorker.exe
Token: SeSecurityPrivilege	688	TiWorker.exe
Token: SeBackupPrivilege	688	TiWorker.exe
Token: SeRestorePrivilege	688	TiWorker.exe
Token: SeSecurityPrivilege	688	TiWorker.exe
Token: SeBackupPrivilege	688	TiWorker.exe
Token: SeRestorePrivilege	688	TiWorker.exe
Token: SeSecurityPrivilege	688	TiWorker.exe
Token: SeBackupPrivilege	688	TiWorker.exe
Token: SeRestorePrivilege	688	TiWorker.exe
Token: SeSecurityPrivilege	688	TiWorker.exe
Token: SeBackupPrivilege	688	TiWorker.exe
Token: SeRestorePrivilege	688	TiWorker.exe
Token: SeSecurityPrivilege	688	TiWorker.exe
Token: SeBackupPrivilege	688	TiWorker.exe
Token: SeRestorePrivilege	688	TiWorker.exe
Token: SeSecurityPrivilege	688	TiWorker.exe
Token: SeBackupPrivilege	688	TiWorker.exe
Token: SeRestorePrivilege	688	TiWorker.exe
Token: SeSecurityPrivilege	688	TiWorker.exe
Token: SeBackupPrivilege	688	TiWorker.exe
Token: SeRestorePrivilege	688	TiWorker.exe
Token: SeSecurityPrivilege	688	TiWorker.exe
Token: SeBackupPrivilege	688	TiWorker.exe
Token: SeRestorePrivilege	688	TiWorker.exe
Token: SeSecurityPrivilege	688	TiWorker.exe
Token: SeBackupPrivilege	688	TiWorker.exe
Token: SeRestorePrivilege	688	TiWorker.exe
Token: SeSecurityPrivilege	688	TiWorker.exe
Token: SeBackupPrivilege	688	TiWorker.exe
Token: SeRestorePrivilege	688	TiWorker.exe
Token: SeSecurityPrivilege	688	TiWorker.exe
Token: SeBackupPrivilege	688	TiWorker.exe
Token: SeRestorePrivilege	688	TiWorker.exe
Token: SeSecurityPrivilege	688	TiWorker.exe
Token: SeBackupPrivilege	688	TiWorker.exe
Token: SeRestorePrivilege	688	TiWorker.exe
Token: SeSecurityPrivilege	688	TiWorker.exe
Token: SeBackupPrivilege	688	TiWorker.exe
Token: SeRestorePrivilege	688	TiWorker.exe
Token: SeSecurityPrivilege	688	TiWorker.exe
Token: SeBackupPrivilege	688	TiWorker.exe
Token: SeRestorePrivilege	688	TiWorker.exe
Token: SeSecurityPrivilege	688	TiWorker.exe
Token: SeBackupPrivilege	688	TiWorker.exe
Token: SeRestorePrivilege	688	TiWorker.exe
Token: SeSecurityPrivilege	688	TiWorker.exe
Token: SeBackupPrivilege	688	TiWorker.exe
Token: SeRestorePrivilege	688	TiWorker.exe
Token: SeSecurityPrivilege	688	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1047e59228897a45d0adde81b3fa60394083d99bf107e491d82bcf12d7928778.execmd.exe

description	pid	process	target process
PID 4532 wrote to memory of 532	4532	1047e59228897a45d0adde81b3fa60394083d99bf107e491d82bcf12d7928778.exe	MediaCenter.exe
PID 4532 wrote to memory of 532	4532	1047e59228897a45d0adde81b3fa60394083d99bf107e491d82bcf12d7928778.exe	MediaCenter.exe
PID 4532 wrote to memory of 532	4532	1047e59228897a45d0adde81b3fa60394083d99bf107e491d82bcf12d7928778.exe	MediaCenter.exe
PID 4532 wrote to memory of 1404	4532	1047e59228897a45d0adde81b3fa60394083d99bf107e491d82bcf12d7928778.exe	cmd.exe
PID 4532 wrote to memory of 1404	4532	1047e59228897a45d0adde81b3fa60394083d99bf107e491d82bcf12d7928778.exe	cmd.exe
PID 4532 wrote to memory of 1404	4532	1047e59228897a45d0adde81b3fa60394083d99bf107e491d82bcf12d7928778.exe	cmd.exe
PID 1404 wrote to memory of 4248	1404	cmd.exe	PING.EXE
PID 1404 wrote to memory of 4248	1404	cmd.exe	PING.EXE
PID 1404 wrote to memory of 4248	1404	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\1047e59228897a45d0adde81b3fa60394083d99bf107e491d82bcf12d7928778.exe
"C:\Users\Admin\AppData\Local\Temp\1047e59228897a45d0adde81b3fa60394083d99bf107e491d82bcf12d7928778.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1047e59228897a45d0adde81b3fa60394083d99bf107e491d82bcf12d7928778.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
d98b37ba63b2e471ec011b839feccef5

SHA1
ac2f8803def36efe08efaa5d2a94763e6e72fc0d

SHA256
eedbe039a69dafa002344863d2307680bdcc6c66e1171b6ac218d232baa9da4e

SHA512
a5ecd137cd3aa858e477c10dafce88f3a272f37f8b8039f6d5641284929794d4d87e388025379bd51ffc78db6d8fa752401461b4eb3001fb5d19ee0a2ac5aba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
d98b37ba63b2e471ec011b839feccef5

SHA1
ac2f8803def36efe08efaa5d2a94763e6e72fc0d

SHA256
eedbe039a69dafa002344863d2307680bdcc6c66e1171b6ac218d232baa9da4e

SHA512
a5ecd137cd3aa858e477c10dafce88f3a272f37f8b8039f6d5641284929794d4d87e388025379bd51ffc78db6d8fa752401461b4eb3001fb5d19ee0a2ac5aba8

Download Submit
memory/112-132-0x000002415AB30000-0x000002415AB40000-memory.dmp

Filesize
64KB

Download
memory/112-133-0x000002415AB90000-0x000002415ABA0000-memory.dmp

Filesize
64KB

Download
memory/112-134-0x000002415D880000-0x000002415D884000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads