sakula | 10b586297c1099ffe5cbc482c96deb35f4e5e385ee7d2c295f03783055364cee

General

Target

10b586297c1099ffe5cbc482c96deb35f4e5e385ee7d2c295f03783055364cee.exe
Size

99KB
MD5

81dc2f4681a82d261aacbdc48e0291cb
SHA1

76aed370fabce2958f83432c15edadab185acf88
SHA256

10b586297c1099ffe5cbc482c96deb35f4e5e385ee7d2c295f03783055364cee
SHA512

8787d40d3adb30ee3db531982b2ad00337cda6437686f8a2ac68a73b77fbf0b3007b911f37015d34dac8a09f4fdee498a203ef4dd2907e71c6d852a242fe4916

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1836 MediaCenter.exe

pid	process
1836	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

10b586297c1099ffe5cbc482c96deb35f4e5e385ee7d2c295f03783055364cee.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	10b586297c1099ffe5cbc482c96deb35f4e5e385ee7d2c295f03783055364cee.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

10b586297c1099ffe5cbc482c96deb35f4e5e385ee7d2c295f03783055364cee.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	10b586297c1099ffe5cbc482c96deb35f4e5e385ee7d2c295f03783055364cee.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3900 PING.EXE

pid	process
3900	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeTiWorker.exe10b586297c1099ffe5cbc482c96deb35f4e5e385ee7d2c295f03783055364cee.exe

description	pid	process
Token: SeShutdownPrivilege	2656	svchost.exe
Token: SeCreatePagefilePrivilege	2656	svchost.exe
Token: SeShutdownPrivilege	2656	svchost.exe
Token: SeCreatePagefilePrivilege	2656	svchost.exe
Token: SeShutdownPrivilege	2656	svchost.exe
Token: SeCreatePagefilePrivilege	2656	svchost.exe
Token: SeSecurityPrivilege	3448	TiWorker.exe
Token: SeRestorePrivilege	3448	TiWorker.exe
Token: SeBackupPrivilege	3448	TiWorker.exe
Token: SeBackupPrivilege	3448	TiWorker.exe
Token: SeRestorePrivilege	3448	TiWorker.exe
Token: SeSecurityPrivilege	3448	TiWorker.exe
Token: SeBackupPrivilege	3448	TiWorker.exe
Token: SeRestorePrivilege	3448	TiWorker.exe
Token: SeSecurityPrivilege	3448	TiWorker.exe
Token: SeBackupPrivilege	3448	TiWorker.exe
Token: SeRestorePrivilege	3448	TiWorker.exe
Token: SeSecurityPrivilege	3448	TiWorker.exe
Token: SeBackupPrivilege	3448	TiWorker.exe
Token: SeRestorePrivilege	3448	TiWorker.exe
Token: SeSecurityPrivilege	3448	TiWorker.exe
Token: SeBackupPrivilege	3448	TiWorker.exe
Token: SeRestorePrivilege	3448	TiWorker.exe
Token: SeSecurityPrivilege	3448	TiWorker.exe
Token: SeBackupPrivilege	3448	TiWorker.exe
Token: SeRestorePrivilege	3448	TiWorker.exe
Token: SeSecurityPrivilege	3448	TiWorker.exe
Token: SeBackupPrivilege	3448	TiWorker.exe
Token: SeRestorePrivilege	3448	TiWorker.exe
Token: SeSecurityPrivilege	3448	TiWorker.exe
Token: SeBackupPrivilege	3448	TiWorker.exe
Token: SeRestorePrivilege	3448	TiWorker.exe
Token: SeSecurityPrivilege	3448	TiWorker.exe
Token: SeBackupPrivilege	3448	TiWorker.exe
Token: SeRestorePrivilege	3448	TiWorker.exe
Token: SeSecurityPrivilege	3448	TiWorker.exe
Token: SeBackupPrivilege	3448	TiWorker.exe
Token: SeRestorePrivilege	3448	TiWorker.exe
Token: SeSecurityPrivilege	3448	TiWorker.exe
Token: SeIncBasePriorityPrivilege	3656	10b586297c1099ffe5cbc482c96deb35f4e5e385ee7d2c295f03783055364cee.exe
Token: SeBackupPrivilege	3448	TiWorker.exe
Token: SeRestorePrivilege	3448	TiWorker.exe
Token: SeSecurityPrivilege	3448	TiWorker.exe
Token: SeBackupPrivilege	3448	TiWorker.exe
Token: SeRestorePrivilege	3448	TiWorker.exe
Token: SeSecurityPrivilege	3448	TiWorker.exe
Token: SeBackupPrivilege	3448	TiWorker.exe
Token: SeRestorePrivilege	3448	TiWorker.exe
Token: SeSecurityPrivilege	3448	TiWorker.exe
Token: SeBackupPrivilege	3448	TiWorker.exe
Token: SeRestorePrivilege	3448	TiWorker.exe
Token: SeSecurityPrivilege	3448	TiWorker.exe
Token: SeBackupPrivilege	3448	TiWorker.exe
Token: SeRestorePrivilege	3448	TiWorker.exe
Token: SeSecurityPrivilege	3448	TiWorker.exe
Token: SeBackupPrivilege	3448	TiWorker.exe
Token: SeRestorePrivilege	3448	TiWorker.exe
Token: SeSecurityPrivilege	3448	TiWorker.exe
Token: SeBackupPrivilege	3448	TiWorker.exe
Token: SeRestorePrivilege	3448	TiWorker.exe
Token: SeSecurityPrivilege	3448	TiWorker.exe
Token: SeBackupPrivilege	3448	TiWorker.exe
Token: SeRestorePrivilege	3448	TiWorker.exe
Token: SeSecurityPrivilege	3448	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

10b586297c1099ffe5cbc482c96deb35f4e5e385ee7d2c295f03783055364cee.execmd.exe

description	pid	process	target process
PID 3656 wrote to memory of 1836	3656	10b586297c1099ffe5cbc482c96deb35f4e5e385ee7d2c295f03783055364cee.exe	MediaCenter.exe
PID 3656 wrote to memory of 1836	3656	10b586297c1099ffe5cbc482c96deb35f4e5e385ee7d2c295f03783055364cee.exe	MediaCenter.exe
PID 3656 wrote to memory of 1836	3656	10b586297c1099ffe5cbc482c96deb35f4e5e385ee7d2c295f03783055364cee.exe	MediaCenter.exe
PID 3656 wrote to memory of 2168	3656	10b586297c1099ffe5cbc482c96deb35f4e5e385ee7d2c295f03783055364cee.exe	cmd.exe
PID 3656 wrote to memory of 2168	3656	10b586297c1099ffe5cbc482c96deb35f4e5e385ee7d2c295f03783055364cee.exe	cmd.exe
PID 3656 wrote to memory of 2168	3656	10b586297c1099ffe5cbc482c96deb35f4e5e385ee7d2c295f03783055364cee.exe	cmd.exe
PID 2168 wrote to memory of 3900	2168	cmd.exe	PING.EXE
PID 2168 wrote to memory of 3900	2168	cmd.exe	PING.EXE
PID 2168 wrote to memory of 3900	2168	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\10b586297c1099ffe5cbc482c96deb35f4e5e385ee7d2c295f03783055364cee.exe
"C:\Users\Admin\AppData\Local\Temp\10b586297c1099ffe5cbc482c96deb35f4e5e385ee7d2c295f03783055364cee.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3656

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\10b586297c1099ffe5cbc482c96deb35f4e5e385ee7d2c295f03783055364cee.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:3900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
b07578b748a0ce0861750ef3a86b45cf

SHA1
7af38b8e3becc732a76942de8868bf5f54085e3a

SHA256
03c801458dbd74c5df58f48414053288ab31b836e997a010b32793f5f074a178

SHA512
b286b79b637a2b09917a44c970453d4c693cd3572ce3319c1236a657c64eb4d5d6ef66dd12342269dedf502757210750c5cfe18773ae05c41cabb422e9724d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
b07578b748a0ce0861750ef3a86b45cf

SHA1
7af38b8e3becc732a76942de8868bf5f54085e3a

SHA256
03c801458dbd74c5df58f48414053288ab31b836e997a010b32793f5f074a178

SHA512
b286b79b637a2b09917a44c970453d4c693cd3572ce3319c1236a657c64eb4d5d6ef66dd12342269dedf502757210750c5cfe18773ae05c41cabb422e9724d3f

Download Submit
memory/2656-135-0x000002B392F60000-0x000002B392F70000-memory.dmp

Filesize
64KB

Download
memory/2656-136-0x000002B393520000-0x000002B393530000-memory.dmp

Filesize
64KB

Download
memory/2656-137-0x000002B395BD0000-0x000002B395BD4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads