sakula | 0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365

General

Target

0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe
Size

58KB
MD5

853fbd3bcea827937815a937a3d3c32f
SHA1

b34b66e65507e2b3413728d8965279cb737308b1
SHA256

0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365
SHA512

49e4b577ea31b520df811370dc21db0daf23e2f2b708a68bbfe166072407d0eea5b1d30d43669f1637c32139b069fed532149717b8b7b317d0286bbf852d2bf9

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

5008 MediaCenter.exe

pid	process
5008	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe

Drops file in Windows directory 8 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4332 PING.EXE

pid	process
4332	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exesvchost.exeTiWorker.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3772	0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe
Token: SeShutdownPrivilege	4540	svchost.exe
Token: SeCreatePagefilePrivilege	4540	svchost.exe
Token: SeShutdownPrivilege	4540	svchost.exe
Token: SeCreatePagefilePrivilege	4540	svchost.exe
Token: SeShutdownPrivilege	4540	svchost.exe
Token: SeCreatePagefilePrivilege	4540	svchost.exe
Token: SeSecurityPrivilege	3008	TiWorker.exe
Token: SeRestorePrivilege	3008	TiWorker.exe
Token: SeBackupPrivilege	3008	TiWorker.exe
Token: SeBackupPrivilege	3008	TiWorker.exe
Token: SeRestorePrivilege	3008	TiWorker.exe
Token: SeSecurityPrivilege	3008	TiWorker.exe
Token: SeBackupPrivilege	3008	TiWorker.exe
Token: SeRestorePrivilege	3008	TiWorker.exe
Token: SeSecurityPrivilege	3008	TiWorker.exe
Token: SeBackupPrivilege	3008	TiWorker.exe
Token: SeRestorePrivilege	3008	TiWorker.exe
Token: SeSecurityPrivilege	3008	TiWorker.exe
Token: SeBackupPrivilege	3008	TiWorker.exe
Token: SeRestorePrivilege	3008	TiWorker.exe
Token: SeSecurityPrivilege	3008	TiWorker.exe
Token: SeBackupPrivilege	3008	TiWorker.exe
Token: SeRestorePrivilege	3008	TiWorker.exe
Token: SeSecurityPrivilege	3008	TiWorker.exe
Token: SeBackupPrivilege	3008	TiWorker.exe
Token: SeRestorePrivilege	3008	TiWorker.exe
Token: SeSecurityPrivilege	3008	TiWorker.exe
Token: SeBackupPrivilege	3008	TiWorker.exe
Token: SeRestorePrivilege	3008	TiWorker.exe
Token: SeSecurityPrivilege	3008	TiWorker.exe
Token: SeBackupPrivilege	3008	TiWorker.exe
Token: SeRestorePrivilege	3008	TiWorker.exe
Token: SeSecurityPrivilege	3008	TiWorker.exe
Token: SeBackupPrivilege	3008	TiWorker.exe
Token: SeRestorePrivilege	3008	TiWorker.exe
Token: SeSecurityPrivilege	3008	TiWorker.exe
Token: SeBackupPrivilege	3008	TiWorker.exe
Token: SeRestorePrivilege	3008	TiWorker.exe
Token: SeSecurityPrivilege	3008	TiWorker.exe
Token: SeBackupPrivilege	3008	TiWorker.exe
Token: SeRestorePrivilege	3008	TiWorker.exe
Token: SeSecurityPrivilege	3008	TiWorker.exe
Token: SeBackupPrivilege	3008	TiWorker.exe
Token: SeRestorePrivilege	3008	TiWorker.exe
Token: SeSecurityPrivilege	3008	TiWorker.exe
Token: SeBackupPrivilege	3008	TiWorker.exe
Token: SeRestorePrivilege	3008	TiWorker.exe
Token: SeSecurityPrivilege	3008	TiWorker.exe
Token: SeBackupPrivilege	3008	TiWorker.exe
Token: SeRestorePrivilege	3008	TiWorker.exe
Token: SeSecurityPrivilege	3008	TiWorker.exe
Token: SeBackupPrivilege	3008	TiWorker.exe
Token: SeRestorePrivilege	3008	TiWorker.exe
Token: SeSecurityPrivilege	3008	TiWorker.exe
Token: SeBackupPrivilege	3008	TiWorker.exe
Token: SeRestorePrivilege	3008	TiWorker.exe
Token: SeSecurityPrivilege	3008	TiWorker.exe
Token: SeBackupPrivilege	3008	TiWorker.exe
Token: SeRestorePrivilege	3008	TiWorker.exe
Token: SeSecurityPrivilege	3008	TiWorker.exe
Token: SeBackupPrivilege	3008	TiWorker.exe
Token: SeRestorePrivilege	3008	TiWorker.exe
Token: SeSecurityPrivilege	3008	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.execmd.exe

description	pid	process	target process
PID 3772 wrote to memory of 5008	3772	0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe	MediaCenter.exe
PID 3772 wrote to memory of 5008	3772	0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe	MediaCenter.exe
PID 3772 wrote to memory of 5008	3772	0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe	MediaCenter.exe
PID 3772 wrote to memory of 1020	3772	0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe	cmd.exe
PID 3772 wrote to memory of 1020	3772	0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe	cmd.exe
PID 3772 wrote to memory of 1020	3772	0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe	cmd.exe
PID 1020 wrote to memory of 4332	1020	cmd.exe	PING.EXE
PID 1020 wrote to memory of 4332	1020	cmd.exe	PING.EXE
PID 1020 wrote to memory of 4332	1020	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe
"C:\Users\Admin\AppData\Local\Temp\0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3772

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:5008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e18acfbb5ec6fc399ce75eaadc247ccc4a5cd05201dc58d28ef9824e3764365.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
564f1717aa53498f9f3de395cc7cc3a5

SHA1
64b5d94b33630d7bcc4d74cf94b3a92702d3ea2e

SHA256
218228faa30be651f78e190895258ac47e11f1dd6d467c0957c347c397dfa2f1

SHA512
af1aecd64fa034f8de5b9f38a86f4f9163753267c639398ad34f9d58b9e79ef74468e199b9849b50a9b69a39bb401e97cf7bfb7bb5a0f8962e17d14827a10a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
564f1717aa53498f9f3de395cc7cc3a5

SHA1
64b5d94b33630d7bcc4d74cf94b3a92702d3ea2e

SHA256
218228faa30be651f78e190895258ac47e11f1dd6d467c0957c347c397dfa2f1

SHA512
af1aecd64fa034f8de5b9f38a86f4f9163753267c639398ad34f9d58b9e79ef74468e199b9849b50a9b69a39bb401e97cf7bfb7bb5a0f8962e17d14827a10a3d

Download Submit
memory/4540-132-0x00000274737A0000-0x00000274737B0000-memory.dmp

Filesize
64KB

Download
memory/4540-133-0x0000027473F60000-0x0000027473F70000-memory.dmp

Filesize
64KB

Download
memory/4540-134-0x0000027476B80000-0x0000027476B84000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads