sakula | 11bd9e8eebbce27b7ca587324e9b2b11b61430d6a86e7e7b9c0372b6e1da7a17

General

Target

11bd9e8eebbce27b7ca587324e9b2b11b61430d6a86e7e7b9c0372b6e1da7a17.exe
Size

92KB
MD5

d1f9a99034d918a89fa3b7d91549ea74
SHA1

4e1ead37e59617c24aa14c41735b373e5ba58038
SHA256

11bd9e8eebbce27b7ca587324e9b2b11b61430d6a86e7e7b9c0372b6e1da7a17
SHA512

429e75bf4aceea5edcb29b2cbc21cc11df0dd5e0de47adf04227f161934b9d4df3af525fe373bce1f99d720e78b1af6d553339fab29f75d1d23d15161225b5c9

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

4080 MediaCenter.exe

pid	process
4080	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

11bd9e8eebbce27b7ca587324e9b2b11b61430d6a86e7e7b9c0372b6e1da7a17.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	11bd9e8eebbce27b7ca587324e9b2b11b61430d6a86e7e7b9c0372b6e1da7a17.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

11bd9e8eebbce27b7ca587324e9b2b11b61430d6a86e7e7b9c0372b6e1da7a17.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	11bd9e8eebbce27b7ca587324e9b2b11b61430d6a86e7e7b9c0372b6e1da7a17.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2896 PING.EXE

pid	process
2896	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exe11bd9e8eebbce27b7ca587324e9b2b11b61430d6a86e7e7b9c0372b6e1da7a17.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	3740	svchost.exe
Token: SeCreatePagefilePrivilege	3740	svchost.exe
Token: SeShutdownPrivilege	3740	svchost.exe
Token: SeCreatePagefilePrivilege	3740	svchost.exe
Token: SeShutdownPrivilege	3740	svchost.exe
Token: SeCreatePagefilePrivilege	3740	svchost.exe
Token: SeIncBasePriorityPrivilege	4336	11bd9e8eebbce27b7ca587324e9b2b11b61430d6a86e7e7b9c0372b6e1da7a17.exe
Token: SeSecurityPrivilege	5028	TiWorker.exe
Token: SeRestorePrivilege	5028	TiWorker.exe
Token: SeBackupPrivilege	5028	TiWorker.exe
Token: SeBackupPrivilege	5028	TiWorker.exe
Token: SeRestorePrivilege	5028	TiWorker.exe
Token: SeSecurityPrivilege	5028	TiWorker.exe
Token: SeBackupPrivilege	5028	TiWorker.exe
Token: SeRestorePrivilege	5028	TiWorker.exe
Token: SeSecurityPrivilege	5028	TiWorker.exe
Token: SeBackupPrivilege	5028	TiWorker.exe
Token: SeRestorePrivilege	5028	TiWorker.exe
Token: SeSecurityPrivilege	5028	TiWorker.exe
Token: SeBackupPrivilege	5028	TiWorker.exe
Token: SeRestorePrivilege	5028	TiWorker.exe
Token: SeSecurityPrivilege	5028	TiWorker.exe
Token: SeBackupPrivilege	5028	TiWorker.exe
Token: SeRestorePrivilege	5028	TiWorker.exe
Token: SeSecurityPrivilege	5028	TiWorker.exe
Token: SeBackupPrivilege	5028	TiWorker.exe
Token: SeRestorePrivilege	5028	TiWorker.exe
Token: SeSecurityPrivilege	5028	TiWorker.exe
Token: SeBackupPrivilege	5028	TiWorker.exe
Token: SeRestorePrivilege	5028	TiWorker.exe
Token: SeSecurityPrivilege	5028	TiWorker.exe
Token: SeBackupPrivilege	5028	TiWorker.exe
Token: SeRestorePrivilege	5028	TiWorker.exe
Token: SeSecurityPrivilege	5028	TiWorker.exe
Token: SeBackupPrivilege	5028	TiWorker.exe
Token: SeRestorePrivilege	5028	TiWorker.exe
Token: SeSecurityPrivilege	5028	TiWorker.exe
Token: SeBackupPrivilege	5028	TiWorker.exe
Token: SeRestorePrivilege	5028	TiWorker.exe
Token: SeSecurityPrivilege	5028	TiWorker.exe
Token: SeBackupPrivilege	5028	TiWorker.exe
Token: SeRestorePrivilege	5028	TiWorker.exe
Token: SeSecurityPrivilege	5028	TiWorker.exe
Token: SeBackupPrivilege	5028	TiWorker.exe
Token: SeRestorePrivilege	5028	TiWorker.exe
Token: SeSecurityPrivilege	5028	TiWorker.exe
Token: SeBackupPrivilege	5028	TiWorker.exe
Token: SeRestorePrivilege	5028	TiWorker.exe
Token: SeSecurityPrivilege	5028	TiWorker.exe
Token: SeBackupPrivilege	5028	TiWorker.exe
Token: SeRestorePrivilege	5028	TiWorker.exe
Token: SeSecurityPrivilege	5028	TiWorker.exe
Token: SeBackupPrivilege	5028	TiWorker.exe
Token: SeRestorePrivilege	5028	TiWorker.exe
Token: SeSecurityPrivilege	5028	TiWorker.exe
Token: SeBackupPrivilege	5028	TiWorker.exe
Token: SeRestorePrivilege	5028	TiWorker.exe
Token: SeSecurityPrivilege	5028	TiWorker.exe
Token: SeBackupPrivilege	5028	TiWorker.exe
Token: SeRestorePrivilege	5028	TiWorker.exe
Token: SeSecurityPrivilege	5028	TiWorker.exe
Token: SeBackupPrivilege	5028	TiWorker.exe
Token: SeRestorePrivilege	5028	TiWorker.exe
Token: SeSecurityPrivilege	5028	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

11bd9e8eebbce27b7ca587324e9b2b11b61430d6a86e7e7b9c0372b6e1da7a17.execmd.exe

description	pid	process	target process
PID 4336 wrote to memory of 4080	4336	11bd9e8eebbce27b7ca587324e9b2b11b61430d6a86e7e7b9c0372b6e1da7a17.exe	MediaCenter.exe
PID 4336 wrote to memory of 4080	4336	11bd9e8eebbce27b7ca587324e9b2b11b61430d6a86e7e7b9c0372b6e1da7a17.exe	MediaCenter.exe
PID 4336 wrote to memory of 4080	4336	11bd9e8eebbce27b7ca587324e9b2b11b61430d6a86e7e7b9c0372b6e1da7a17.exe	MediaCenter.exe
PID 4336 wrote to memory of 3832	4336	11bd9e8eebbce27b7ca587324e9b2b11b61430d6a86e7e7b9c0372b6e1da7a17.exe	cmd.exe
PID 4336 wrote to memory of 3832	4336	11bd9e8eebbce27b7ca587324e9b2b11b61430d6a86e7e7b9c0372b6e1da7a17.exe	cmd.exe
PID 4336 wrote to memory of 3832	4336	11bd9e8eebbce27b7ca587324e9b2b11b61430d6a86e7e7b9c0372b6e1da7a17.exe	cmd.exe
PID 3832 wrote to memory of 2896	3832	cmd.exe	PING.EXE
PID 3832 wrote to memory of 2896	3832	cmd.exe	PING.EXE
PID 3832 wrote to memory of 2896	3832	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\11bd9e8eebbce27b7ca587324e9b2b11b61430d6a86e7e7b9c0372b6e1da7a17.exe
"C:\Users\Admin\AppData\Local\Temp\11bd9e8eebbce27b7ca587324e9b2b11b61430d6a86e7e7b9c0372b6e1da7a17.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4336

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:4080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11bd9e8eebbce27b7ca587324e9b2b11b61430d6a86e7e7b9c0372b6e1da7a17.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
3f0a9de18c0a700caea54bfee3556365

SHA1
5ffbc67f4cc531cef57f299fb050afed4b2a9441

SHA256
0ac84a4a62a88614c9c0a928a0531d1af0a41d6cf429787f969b51c73a79d0ac

SHA512
8f1cf98697383fccd52ff9dced9b0ba97c5c60a555b2a5d5c63fafa2503d35ffd6e495b6cb3d29268bf257429cac96cdaa03814a1bc0131fadfedaf734a7e061

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
3f0a9de18c0a700caea54bfee3556365

SHA1
5ffbc67f4cc531cef57f299fb050afed4b2a9441

SHA256
0ac84a4a62a88614c9c0a928a0531d1af0a41d6cf429787f969b51c73a79d0ac

SHA512
8f1cf98697383fccd52ff9dced9b0ba97c5c60a555b2a5d5c63fafa2503d35ffd6e495b6cb3d29268bf257429cac96cdaa03814a1bc0131fadfedaf734a7e061

Download Submit
memory/3740-132-0x000001F79A7A0000-0x000001F79A7B0000-memory.dmp

Filesize
64KB

Download
memory/3740-133-0x000001F79AF60000-0x000001F79AF70000-memory.dmp

Filesize
64KB

Download
memory/3740-134-0x000001F79DB80000-0x000001F79DB84000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads