sakula | 0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e

General

Target

0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe
Size

216KB
MD5

2443b30396b435cd5a356b1accead931
SHA1

2690cc86af2d62d96ef32e7efc8a132a5489c86e
SHA256

0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e
SHA512

d2ef09b6c7168fe8ceb1286aa4f103866845d7e0d701d4e9645018af72f72b078e5c91300411762280b5de89589201f95a2d5ff0f040867387c76219fb1abaa5

Score

10^/10

sakula persistence rat suricata trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral1/memory/1864-58-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula
behavioral1/memory/1816-60-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1816 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1988 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe

pid process

1864 0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe

pid	process
1816	MediaCenter.exe

pid	process
1988	cmd.exe

pid	process
1864	0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2000 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe

description pid process

Token: SeIncBasePriorityPrivilege 1864 0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe

pid	process
2000	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1864	0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.execmd.exe

description	pid	process	target process
PID 1864 wrote to memory of 1816	1864	0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe	MediaCenter.exe
PID 1864 wrote to memory of 1816	1864	0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe	MediaCenter.exe
PID 1864 wrote to memory of 1816	1864	0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe	MediaCenter.exe
PID 1864 wrote to memory of 1816	1864	0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe	MediaCenter.exe
PID 1864 wrote to memory of 1988	1864	0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe	cmd.exe
PID 1864 wrote to memory of 1988	1864	0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe	cmd.exe
PID 1864 wrote to memory of 1988	1864	0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe	cmd.exe
PID 1864 wrote to memory of 1988	1864	0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe	cmd.exe
PID 1988 wrote to memory of 2000	1988	cmd.exe	PING.EXE
PID 1988 wrote to memory of 2000	1988	cmd.exe	PING.EXE
PID 1988 wrote to memory of 2000	1988	cmd.exe	PING.EXE
PID 1988 wrote to memory of 2000	1988	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe
"C:\Users\Admin\AppData\Local\Temp\0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0fd48d559e9a58d681dea3df5dbe55005d2864258c391d2514ac232042e5cc2e.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
f51a9b306d4339543626e402b38e8863

SHA1
b3b38a0e66a71c87074f35f3c9c211b2057deff0

SHA256
6f7007a24a813c284c994cd1a795661699171570907068e6982983465cfc4bb9

SHA512
a26e80fadc28723996e134eee2d43a998f7e712c073a562a3ef9986292bef2e41c1750c48b1550bacfa44ca76e54dd9bee706ed8c4a55bda4d4344847cbf36af

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
f51a9b306d4339543626e402b38e8863

SHA1
b3b38a0e66a71c87074f35f3c9c211b2057deff0

SHA256
6f7007a24a813c284c994cd1a795661699171570907068e6982983465cfc4bb9

SHA512
a26e80fadc28723996e134eee2d43a998f7e712c073a562a3ef9986292bef2e41c1750c48b1550bacfa44ca76e54dd9bee706ed8c4a55bda4d4344847cbf36af

Download Submit
memory/1816-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1864-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1864-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1864-59-0x0000000000240000-0x0000000000260000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads