sakula | 1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b

General

Target

1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe
Size

191KB
MD5

ef5a3363db75d8ab3297f0865386b2fb
SHA1

1aea7cf171e15ea9de46688a595cd4221bcd6e5e
SHA256

1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b
SHA512

e31bd4b9ef837c5da9153fe36d71500e2a493a829f7502d4ad5c0321ba31a276bbf0f9668f7ef8d8b91b3be4bf30bdaeb7466c288aa270c17960cca9b6d93504

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1576 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

828 cmd.exe

pid	process
1576	MediaCenter.exe

pid	process
828	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe

pid	process
1664	1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe
1664	1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1856 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe

description pid process

Token: SeIncBasePriorityPrivilege 1664 1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe

pid	process
1856	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1664	1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.execmd.exe

description	pid	process	target process
PID 1664 wrote to memory of 1576	1664	1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe	MediaCenter.exe
PID 1664 wrote to memory of 1576	1664	1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe	MediaCenter.exe
PID 1664 wrote to memory of 1576	1664	1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe	MediaCenter.exe
PID 1664 wrote to memory of 1576	1664	1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe	MediaCenter.exe
PID 1664 wrote to memory of 828	1664	1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe	cmd.exe
PID 1664 wrote to memory of 828	1664	1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe	cmd.exe
PID 1664 wrote to memory of 828	1664	1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe	cmd.exe
PID 1664 wrote to memory of 828	1664	1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe	cmd.exe
PID 828 wrote to memory of 1856	828	cmd.exe	PING.EXE
PID 828 wrote to memory of 1856	828	cmd.exe	PING.EXE
PID 828 wrote to memory of 1856	828	cmd.exe	PING.EXE
PID 828 wrote to memory of 1856	828	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe
"C:\Users\Admin\AppData\Local\Temp\1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1112b47d385f418bb27c7a9ee77bc32fb55f6ba5fc27acb335ec729c2e78581b.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
0732d179e9c55192663fe9c222c2f05d

SHA1
3102aafe653a6656fecff0b490ecc862fc32ee68

SHA256
eeb178f2e7a9c95dc61564ec91055e468c2dcaaa0ec5742615bbc634960a88c4

SHA512
15e91466251dc59a601bb2ebc7d4f8cf3f1a3c19a6f37d7f2b976b886a2ca8acbe25d8fee1bc26f0dabc2c2d04d662d503b8e0d9ecaa750f88f6da6f4203f0c3

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
0732d179e9c55192663fe9c222c2f05d

SHA1
3102aafe653a6656fecff0b490ecc862fc32ee68

SHA256
eeb178f2e7a9c95dc61564ec91055e468c2dcaaa0ec5742615bbc634960a88c4

SHA512
15e91466251dc59a601bb2ebc7d4f8cf3f1a3c19a6f37d7f2b976b886a2ca8acbe25d8fee1bc26f0dabc2c2d04d662d503b8e0d9ecaa750f88f6da6f4203f0c3

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
0732d179e9c55192663fe9c222c2f05d

SHA1
3102aafe653a6656fecff0b490ecc862fc32ee68

SHA256
eeb178f2e7a9c95dc61564ec91055e468c2dcaaa0ec5742615bbc634960a88c4

SHA512
15e91466251dc59a601bb2ebc7d4f8cf3f1a3c19a6f37d7f2b976b886a2ca8acbe25d8fee1bc26f0dabc2c2d04d662d503b8e0d9ecaa750f88f6da6f4203f0c3

Download Submit
memory/1664-54-0x00000000754B1000-0x00000000754B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads