sakula | 11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6

General

Target

11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe
Size

58KB
MD5

5d46c664cec4df80e5eb76a615de2ca8
SHA1

6bc5301505705c4b37e05db1ed7e2fc97dfa419b
SHA256

11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6
SHA512

7e54d73964d2e40ec585a4c090da2ac5a784e38be44967cbb92bede9cedd3d3d92bb11e8793d00599f6447922f1787c278c5f5af9bccda1c39e45aedb2364bd6

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

528 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1064 cmd.exe

pid	process
528	MediaCenter.exe

pid	process
1064	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe

pid	process
972	11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe
972	11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2020 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe

description pid process

Token: SeIncBasePriorityPrivilege 972 11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe

pid	process
2020	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	972	11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.execmd.exe

description	pid	process	target process
PID 972 wrote to memory of 528	972	11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe	MediaCenter.exe
PID 972 wrote to memory of 528	972	11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe	MediaCenter.exe
PID 972 wrote to memory of 528	972	11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe	MediaCenter.exe
PID 972 wrote to memory of 528	972	11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe	MediaCenter.exe
PID 972 wrote to memory of 1064	972	11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe	cmd.exe
PID 972 wrote to memory of 1064	972	11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe	cmd.exe
PID 972 wrote to memory of 1064	972	11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe	cmd.exe
PID 972 wrote to memory of 1064	972	11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe	cmd.exe
PID 1064 wrote to memory of 2020	1064	cmd.exe	PING.EXE
PID 1064 wrote to memory of 2020	1064	cmd.exe	PING.EXE
PID 1064 wrote to memory of 2020	1064	cmd.exe	PING.EXE
PID 1064 wrote to memory of 2020	1064	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe
"C:\Users\Admin\AppData\Local\Temp\11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11bb74ad4596bef20d4294f106964c2541913aa3c80030e7076cb2c8b464f2b6.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
cce02fae8d2902401a64f8bea1e1c015

SHA1
0e441a4147228b41df96965b683a531a2d13ce8d

SHA256
c572716b85e11ac0d201fecc1f8291cfe7437226e2647e96616ff3bc6087ebbc

SHA512
79a395cb3c833f143bdbc20de74548f578c156dfa6c7787d90805718dbcbcc060e3d82feece121c1e5989d18dada2ba782eb5d3f81be97992fb258c16d64fa7f

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
cce02fae8d2902401a64f8bea1e1c015

SHA1
0e441a4147228b41df96965b683a531a2d13ce8d

SHA256
c572716b85e11ac0d201fecc1f8291cfe7437226e2647e96616ff3bc6087ebbc

SHA512
79a395cb3c833f143bdbc20de74548f578c156dfa6c7787d90805718dbcbcc060e3d82feece121c1e5989d18dada2ba782eb5d3f81be97992fb258c16d64fa7f

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
cce02fae8d2902401a64f8bea1e1c015

SHA1
0e441a4147228b41df96965b683a531a2d13ce8d

SHA256
c572716b85e11ac0d201fecc1f8291cfe7437226e2647e96616ff3bc6087ebbc

SHA512
79a395cb3c833f143bdbc20de74548f578c156dfa6c7787d90805718dbcbcc060e3d82feece121c1e5989d18dada2ba782eb5d3f81be97992fb258c16d64fa7f

Download Submit
memory/972-55-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads