sakula | 11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f

General

Target

11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe
Size

216KB
MD5

4fdb9db18adc89fe16c3443e6b8f08c1
SHA1

db0b3665888e38bc58a49774d19266b94f778f77
SHA256

11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f
SHA512

d7075c15a5fb39b8e589f8f76508f1c3378361b5ab515871d3493091953de5275fe3266972615503cea03778102c224e77b4f96723689bfad600f282c2f83062

Score

10^/10

sakula persistence rat suricata trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral1/memory/1156-59-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula
behavioral1/memory/596-60-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

596 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2020 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe

pid process

1156 11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe

pid	process
596	MediaCenter.exe

pid	process
2020	cmd.exe

pid	process
1156	11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1916 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe

description pid process

Token: SeIncBasePriorityPrivilege 1156 11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe

pid	process
1916	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1156	11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.execmd.exe

description	pid	process	target process
PID 1156 wrote to memory of 596	1156	11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe	MediaCenter.exe
PID 1156 wrote to memory of 596	1156	11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe	MediaCenter.exe
PID 1156 wrote to memory of 596	1156	11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe	MediaCenter.exe
PID 1156 wrote to memory of 596	1156	11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe	MediaCenter.exe
PID 1156 wrote to memory of 2020	1156	11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe	cmd.exe
PID 1156 wrote to memory of 2020	1156	11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe	cmd.exe
PID 1156 wrote to memory of 2020	1156	11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe	cmd.exe
PID 1156 wrote to memory of 2020	1156	11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe	cmd.exe
PID 2020 wrote to memory of 1916	2020	cmd.exe	PING.EXE
PID 2020 wrote to memory of 1916	2020	cmd.exe	PING.EXE
PID 2020 wrote to memory of 1916	2020	cmd.exe	PING.EXE
PID 2020 wrote to memory of 1916	2020	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe
"C:\Users\Admin\AppData\Local\Temp\11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11f679d46af893e5f77f97aeedbab6df13c7fcd916be3c0bf596067e6413141f.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
764a270fa36e44d86af5952b99be3a20

SHA1
dfd69dff9a3202df8d77c5d2c6cd53ee4657e571

SHA256
a000806a2bdb0c68bad2e4dbf32925e391ae48af5be9d8fa785c5531e50d79d7

SHA512
d12d894dc4e0c287fcaac9d162cffd1a397c757bdda147cdefe114f356df22107d3c5f64c72006b4ddd12c85dd90e3c9e53baa1f973a68e64a42a7b987520ec7

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
764a270fa36e44d86af5952b99be3a20

SHA1
dfd69dff9a3202df8d77c5d2c6cd53ee4657e571

SHA256
a000806a2bdb0c68bad2e4dbf32925e391ae48af5be9d8fa785c5531e50d79d7

SHA512
d12d894dc4e0c287fcaac9d162cffd1a397c757bdda147cdefe114f356df22107d3c5f64c72006b4ddd12c85dd90e3c9e53baa1f973a68e64a42a7b987520ec7

Download Submit
memory/596-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1156-55-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/1156-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads