sakula | 0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb

General

Target

0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe
Size

60KB
MD5

ed3883d25ab8fe16dbafe4c975cdee32
SHA1

5671ea38fa95a6cdffbf81fa2b3575e6bc2304a0
SHA256

0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb
SHA512

f03cfda2fe3e753bee48e92b0ba26133c83f0202faf89641a3ae9e510fd72ab37510139377acb2fef6a8021b9e724ef8f74e7e480c2e75e6444dc33a96a59cdd

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1328 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1672 cmd.exe

pid	process
1328	MediaCenter.exe

pid	process
1672	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe

pid	process
1308	0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe
1308	0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1120 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe

description pid process

Token: SeIncBasePriorityPrivilege 1308 0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe

pid	process
1120	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1308	0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.execmd.exe

description	pid	process	target process
PID 1308 wrote to memory of 1328	1308	0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe	MediaCenter.exe
PID 1308 wrote to memory of 1328	1308	0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe	MediaCenter.exe
PID 1308 wrote to memory of 1328	1308	0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe	MediaCenter.exe
PID 1308 wrote to memory of 1328	1308	0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe	MediaCenter.exe
PID 1308 wrote to memory of 1672	1308	0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe	cmd.exe
PID 1308 wrote to memory of 1672	1308	0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe	cmd.exe
PID 1308 wrote to memory of 1672	1308	0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe	cmd.exe
PID 1308 wrote to memory of 1672	1308	0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe	cmd.exe
PID 1672 wrote to memory of 1120	1672	cmd.exe	PING.EXE
PID 1672 wrote to memory of 1120	1672	cmd.exe	PING.EXE
PID 1672 wrote to memory of 1120	1672	cmd.exe	PING.EXE
PID 1672 wrote to memory of 1120	1672	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe
"C:\Users\Admin\AppData\Local\Temp\0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e193d215e25b4372e2366d96edd8aea0a3a81c836c2f93cc0a5f2b58a5240fb.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
153def4fc2ac1300e0d1a33d57197a4e

SHA1
98ae0026e71752a02af360368f7d906d6303241d

SHA256
86010175f6327d9466ea42565d30e69fe3678f9b64d6f1fc91aef37fd54b097e

SHA512
ad5e208f048db1e60f2e11db68ee08eba0562ce502758e5090c4eda8b70883af4f7088aefa23d213df6e5ac1e6b4b21a1ff5dac34719b43ec83807e9862f5783

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
153def4fc2ac1300e0d1a33d57197a4e

SHA1
98ae0026e71752a02af360368f7d906d6303241d

SHA256
86010175f6327d9466ea42565d30e69fe3678f9b64d6f1fc91aef37fd54b097e

SHA512
ad5e208f048db1e60f2e11db68ee08eba0562ce502758e5090c4eda8b70883af4f7088aefa23d213df6e5ac1e6b4b21a1ff5dac34719b43ec83807e9862f5783

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
153def4fc2ac1300e0d1a33d57197a4e

SHA1
98ae0026e71752a02af360368f7d906d6303241d

SHA256
86010175f6327d9466ea42565d30e69fe3678f9b64d6f1fc91aef37fd54b097e

SHA512
ad5e208f048db1e60f2e11db68ee08eba0562ce502758e5090c4eda8b70883af4f7088aefa23d213df6e5ac1e6b4b21a1ff5dac34719b43ec83807e9862f5783

Download Submit
memory/1308-54-0x0000000076451000-0x0000000076453000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads