sakula | 118ee3a16c6325b646f797049eba9233269e6fdce4ce8143a993c32d043e033e

General

Target

118ee3a16c6325b646f797049eba9233269e6fdce4ce8143a993c32d043e033e.exe
Size

58KB
MD5

3624087d07f1a94c250bf4bf3fdcc76c
SHA1

f477687c7fbc6727075c167fd0cf69c6178b4d89
SHA256

118ee3a16c6325b646f797049eba9233269e6fdce4ce8143a993c32d043e033e
SHA512

f0f33ae51aab57fc9a93c5972a31e2e5d4c0f6ad6e6e0b1c40b11880af649d3d3617b8f7a919a613f5cfe7cc66b1167de818d903503e583ba31dc102207276cd

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

2692 MediaCenter.exe

pid	process
2692	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

118ee3a16c6325b646f797049eba9233269e6fdce4ce8143a993c32d043e033e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	118ee3a16c6325b646f797049eba9233269e6fdce4ce8143a993c32d043e033e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

118ee3a16c6325b646f797049eba9233269e6fdce4ce8143a993c32d043e033e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	118ee3a16c6325b646f797049eba9233269e6fdce4ce8143a993c32d043e033e.exe

Drops file in Windows directory 3 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies data under HKEY_USERS 50 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132892951223474062"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "6.310504"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.081631"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "3.579022"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4300"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4304"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4096"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2756 PING.EXE

pid	process
2756	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

118ee3a16c6325b646f797049eba9233269e6fdce4ce8143a993c32d043e033e.exeTiWorker.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3880	118ee3a16c6325b646f797049eba9233269e6fdce4ce8143a993c32d043e033e.exe
Token: SeSecurityPrivilege	3488	TiWorker.exe
Token: SeRestorePrivilege	3488	TiWorker.exe
Token: SeBackupPrivilege	3488	TiWorker.exe
Token: SeBackupPrivilege	3488	TiWorker.exe
Token: SeRestorePrivilege	3488	TiWorker.exe
Token: SeSecurityPrivilege	3488	TiWorker.exe
Token: SeBackupPrivilege	3488	TiWorker.exe
Token: SeRestorePrivilege	3488	TiWorker.exe
Token: SeSecurityPrivilege	3488	TiWorker.exe
Token: SeBackupPrivilege	3488	TiWorker.exe
Token: SeRestorePrivilege	3488	TiWorker.exe
Token: SeSecurityPrivilege	3488	TiWorker.exe
Token: SeBackupPrivilege	3488	TiWorker.exe
Token: SeRestorePrivilege	3488	TiWorker.exe
Token: SeSecurityPrivilege	3488	TiWorker.exe
Token: SeBackupPrivilege	3488	TiWorker.exe
Token: SeRestorePrivilege	3488	TiWorker.exe
Token: SeSecurityPrivilege	3488	TiWorker.exe
Token: SeBackupPrivilege	3488	TiWorker.exe
Token: SeRestorePrivilege	3488	TiWorker.exe
Token: SeSecurityPrivilege	3488	TiWorker.exe
Token: SeBackupPrivilege	3488	TiWorker.exe
Token: SeRestorePrivilege	3488	TiWorker.exe
Token: SeSecurityPrivilege	3488	TiWorker.exe
Token: SeBackupPrivilege	3488	TiWorker.exe
Token: SeRestorePrivilege	3488	TiWorker.exe
Token: SeSecurityPrivilege	3488	TiWorker.exe
Token: SeBackupPrivilege	3488	TiWorker.exe
Token: SeRestorePrivilege	3488	TiWorker.exe
Token: SeSecurityPrivilege	3488	TiWorker.exe
Token: SeBackupPrivilege	3488	TiWorker.exe
Token: SeRestorePrivilege	3488	TiWorker.exe
Token: SeSecurityPrivilege	3488	TiWorker.exe
Token: SeBackupPrivilege	3488	TiWorker.exe
Token: SeRestorePrivilege	3488	TiWorker.exe
Token: SeSecurityPrivilege	3488	TiWorker.exe
Token: SeBackupPrivilege	3488	TiWorker.exe
Token: SeRestorePrivilege	3488	TiWorker.exe
Token: SeSecurityPrivilege	3488	TiWorker.exe
Token: SeBackupPrivilege	3488	TiWorker.exe
Token: SeRestorePrivilege	3488	TiWorker.exe
Token: SeSecurityPrivilege	3488	TiWorker.exe
Token: SeBackupPrivilege	3488	TiWorker.exe
Token: SeRestorePrivilege	3488	TiWorker.exe
Token: SeSecurityPrivilege	3488	TiWorker.exe
Token: SeBackupPrivilege	3488	TiWorker.exe
Token: SeRestorePrivilege	3488	TiWorker.exe
Token: SeSecurityPrivilege	3488	TiWorker.exe
Token: SeBackupPrivilege	3488	TiWorker.exe
Token: SeRestorePrivilege	3488	TiWorker.exe
Token: SeSecurityPrivilege	3488	TiWorker.exe
Token: SeBackupPrivilege	3488	TiWorker.exe
Token: SeRestorePrivilege	3488	TiWorker.exe
Token: SeSecurityPrivilege	3488	TiWorker.exe
Token: SeBackupPrivilege	3488	TiWorker.exe
Token: SeRestorePrivilege	3488	TiWorker.exe
Token: SeSecurityPrivilege	3488	TiWorker.exe
Token: SeBackupPrivilege	3488	TiWorker.exe
Token: SeRestorePrivilege	3488	TiWorker.exe
Token: SeSecurityPrivilege	3488	TiWorker.exe
Token: SeBackupPrivilege	3488	TiWorker.exe
Token: SeRestorePrivilege	3488	TiWorker.exe
Token: SeSecurityPrivilege	3488	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

118ee3a16c6325b646f797049eba9233269e6fdce4ce8143a993c32d043e033e.execmd.exe

description	pid	process	target process
PID 3880 wrote to memory of 2692	3880	118ee3a16c6325b646f797049eba9233269e6fdce4ce8143a993c32d043e033e.exe	MediaCenter.exe
PID 3880 wrote to memory of 2692	3880	118ee3a16c6325b646f797049eba9233269e6fdce4ce8143a993c32d043e033e.exe	MediaCenter.exe
PID 3880 wrote to memory of 2692	3880	118ee3a16c6325b646f797049eba9233269e6fdce4ce8143a993c32d043e033e.exe	MediaCenter.exe
PID 3880 wrote to memory of 3332	3880	118ee3a16c6325b646f797049eba9233269e6fdce4ce8143a993c32d043e033e.exe	cmd.exe
PID 3880 wrote to memory of 3332	3880	118ee3a16c6325b646f797049eba9233269e6fdce4ce8143a993c32d043e033e.exe	cmd.exe
PID 3880 wrote to memory of 3332	3880	118ee3a16c6325b646f797049eba9233269e6fdce4ce8143a993c32d043e033e.exe	cmd.exe
PID 3332 wrote to memory of 2756	3332	cmd.exe	PING.EXE
PID 3332 wrote to memory of 2756	3332	cmd.exe	PING.EXE
PID 3332 wrote to memory of 2756	3332	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\118ee3a16c6325b646f797049eba9233269e6fdce4ce8143a993c32d043e033e.exe
"C:\Users\Admin\AppData\Local\Temp\118ee3a16c6325b646f797049eba9233269e6fdce4ce8143a993c32d043e033e.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3880

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:2692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\118ee3a16c6325b646f797049eba9233269e6fdce4ce8143a993c32d043e033e.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3332

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2756

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1800

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
6b763ec7a3477f235810d7619a446d48

SHA1
51826d821ca17abfcc0cd0b76a3995302679daab

SHA256
211f2fa03efb254b9318bb678ab5a5faca24da0c7ce9c395eb3ae547f564cc79

SHA512
94bd01f79a0629da9b739662827446c44687e175d5da97330aed4bad5734ebec3ad75bc6e042fc7268a24716fb1c061c1cdb2896e84b750eb27eb65f3da0288d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
6b763ec7a3477f235810d7619a446d48

SHA1
51826d821ca17abfcc0cd0b76a3995302679daab

SHA256
211f2fa03efb254b9318bb678ab5a5faca24da0c7ce9c395eb3ae547f564cc79

SHA512
94bd01f79a0629da9b739662827446c44687e175d5da97330aed4bad5734ebec3ad75bc6e042fc7268a24716fb1c061c1cdb2896e84b750eb27eb65f3da0288d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads