sakula | 11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073

General

Target

11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe
Size

36KB
MD5

c73aa935834c45208544470f708fc841
SHA1

9d03d558350dd09dd58b70851c258a7e5a18e88a
SHA256

11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073
SHA512

89e66a893855ff7ec2b2f3a94d2b5aac78f91213333d63a3cc2125faecd8be423fc74476ff116eee777b82e636f99a26ebde7d7451f59818712b38bdd8054f9f

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1656 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1528 cmd.exe

pid	process
1656	MediaCenter.exe

pid	process
1528	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe

pid	process
1340	11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe
1340	11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

980 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe

description pid process

Token: SeIncBasePriorityPrivilege 1340 11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe

pid	process
980	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1340	11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.execmd.exe

description	pid	process	target process
PID 1340 wrote to memory of 1656	1340	11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe	MediaCenter.exe
PID 1340 wrote to memory of 1656	1340	11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe	MediaCenter.exe
PID 1340 wrote to memory of 1656	1340	11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe	MediaCenter.exe
PID 1340 wrote to memory of 1656	1340	11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe	MediaCenter.exe
PID 1340 wrote to memory of 1528	1340	11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe	cmd.exe
PID 1340 wrote to memory of 1528	1340	11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe	cmd.exe
PID 1340 wrote to memory of 1528	1340	11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe	cmd.exe
PID 1340 wrote to memory of 1528	1340	11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe	cmd.exe
PID 1528 wrote to memory of 980	1528	cmd.exe	PING.EXE
PID 1528 wrote to memory of 980	1528	cmd.exe	PING.EXE
PID 1528 wrote to memory of 980	1528	cmd.exe	PING.EXE
PID 1528 wrote to memory of 980	1528	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe
"C:\Users\Admin\AppData\Local\Temp\11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11c5851b8580a2f95b96631b31996dbea0ab8f5628d03e190ce33ebe38fe5073.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
830e4c39cfb1ee7f4ee1771fcbc5374b

SHA1
1cefa8b2c8a69c7ad77b431cb9961c50fafb479e

SHA256
5b725aeb8738fa775181df0a3eca818c81f02598f699ba0d879891af54ca39d5

SHA512
0aa2d8989b2b55ce70a72e334ec469e8905cb932b10aac776ca7c617903adc472a54fea2facab600aa87aff46a60b002a21ff1f92d24ae038477f007fe03c78e

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
830e4c39cfb1ee7f4ee1771fcbc5374b

SHA1
1cefa8b2c8a69c7ad77b431cb9961c50fafb479e

SHA256
5b725aeb8738fa775181df0a3eca818c81f02598f699ba0d879891af54ca39d5

SHA512
0aa2d8989b2b55ce70a72e334ec469e8905cb932b10aac776ca7c617903adc472a54fea2facab600aa87aff46a60b002a21ff1f92d24ae038477f007fe03c78e

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
830e4c39cfb1ee7f4ee1771fcbc5374b

SHA1
1cefa8b2c8a69c7ad77b431cb9961c50fafb479e

SHA256
5b725aeb8738fa775181df0a3eca818c81f02598f699ba0d879891af54ca39d5

SHA512
0aa2d8989b2b55ce70a72e334ec469e8905cb932b10aac776ca7c617903adc472a54fea2facab600aa87aff46a60b002a21ff1f92d24ae038477f007fe03c78e

Download Submit
memory/1340-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads