sakula | 1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0

General

Target

1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe
Size

35KB
MD5

6c142ca02f802a041c8e154f33f13168
SHA1

ef11624f8126cb0524bc5c78a4d19141cbbadea6
SHA256

1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0
SHA512

cb758c6549d323ecbbaa85eea88e1eb6473d832c5c83d39dec21bba21373f30e8ddf908b557bfc01cb7122bee6b18d96b04cee95ee9817381b31647b4bbfb487

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1700 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1368 cmd.exe

pid	process
1700	MediaCenter.exe

pid	process
1368	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe

pid	process
1780	1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe
1780	1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

428 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe

description pid process

Token: SeIncBasePriorityPrivilege 1780 1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe

pid	process
428	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1780	1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.execmd.exe

description	pid	process	target process
PID 1780 wrote to memory of 1700	1780	1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe	MediaCenter.exe
PID 1780 wrote to memory of 1700	1780	1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe	MediaCenter.exe
PID 1780 wrote to memory of 1700	1780	1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe	MediaCenter.exe
PID 1780 wrote to memory of 1700	1780	1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe	MediaCenter.exe
PID 1780 wrote to memory of 1368	1780	1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe	cmd.exe
PID 1780 wrote to memory of 1368	1780	1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe	cmd.exe
PID 1780 wrote to memory of 1368	1780	1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe	cmd.exe
PID 1780 wrote to memory of 1368	1780	1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe	cmd.exe
PID 1368 wrote to memory of 428	1368	cmd.exe	PING.EXE
PID 1368 wrote to memory of 428	1368	cmd.exe	PING.EXE
PID 1368 wrote to memory of 428	1368	cmd.exe	PING.EXE
PID 1368 wrote to memory of 428	1368	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe
"C:\Users\Admin\AppData\Local\Temp\1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1145adbd511e72871355d4810137744a16f63ee41a24d75ac9a57f34fba914c0.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
dbfac22d57ec7c6995aee4d3ccc8bde2

SHA1
855b533af2427c67e34649e684bc6c3c2b773c67

SHA256
e74f2be9647634199b027f90bf0583c367f50ea9e94001955f6f9e43b7c37fdb

SHA512
fedb2ce7cacaeedc8235b59cd3434b626d068b6960cae52a1c04fd7aa88120024fcbca86057c900480e6fa4cd1faa24d5310a462903484a556e0e3c40700f13b

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
dbfac22d57ec7c6995aee4d3ccc8bde2

SHA1
855b533af2427c67e34649e684bc6c3c2b773c67

SHA256
e74f2be9647634199b027f90bf0583c367f50ea9e94001955f6f9e43b7c37fdb

SHA512
fedb2ce7cacaeedc8235b59cd3434b626d068b6960cae52a1c04fd7aa88120024fcbca86057c900480e6fa4cd1faa24d5310a462903484a556e0e3c40700f13b

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
dbfac22d57ec7c6995aee4d3ccc8bde2

SHA1
855b533af2427c67e34649e684bc6c3c2b773c67

SHA256
e74f2be9647634199b027f90bf0583c367f50ea9e94001955f6f9e43b7c37fdb

SHA512
fedb2ce7cacaeedc8235b59cd3434b626d068b6960cae52a1c04fd7aa88120024fcbca86057c900480e6fa4cd1faa24d5310a462903484a556e0e3c40700f13b

Download Submit
memory/1780-55-0x0000000075F91000-0x0000000075F93000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads