sakula | 0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987

General

Target

0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe
Size

220KB
MD5

168530370de699589b5615f74712cc0e
SHA1

312864c10c5e983fc3c29a9cf8c62fa9830a2527
SHA256

0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987
SHA512

e6a125f5768f0dd6169313e04164d63f6e9ade43d36df137be09adaae824cdbdf2cab569bf15992995b5f0c87bb7258d8dbbd2800d835a554fbdf82ca6ba339d

Score

10^/10

sakula persistence rat suricata trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral1/memory/1632-59-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula
behavioral1/memory/780-60-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

780 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1668 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe

pid process

1632 0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe

pid	process
780	MediaCenter.exe

pid	process
1668	cmd.exe

pid	process
1632	0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1152 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe

description pid process

Token: SeIncBasePriorityPrivilege 1632 0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe

pid	process
1152	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1632	0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.execmd.exe

description	pid	process	target process
PID 1632 wrote to memory of 780	1632	0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe	MediaCenter.exe
PID 1632 wrote to memory of 780	1632	0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe	MediaCenter.exe
PID 1632 wrote to memory of 780	1632	0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe	MediaCenter.exe
PID 1632 wrote to memory of 780	1632	0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe	MediaCenter.exe
PID 1632 wrote to memory of 1668	1632	0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe	cmd.exe
PID 1632 wrote to memory of 1668	1632	0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe	cmd.exe
PID 1632 wrote to memory of 1668	1632	0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe	cmd.exe
PID 1632 wrote to memory of 1668	1632	0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe	cmd.exe
PID 1668 wrote to memory of 1152	1668	cmd.exe	PING.EXE
PID 1668 wrote to memory of 1152	1668	cmd.exe	PING.EXE
PID 1668 wrote to memory of 1152	1668	cmd.exe	PING.EXE
PID 1668 wrote to memory of 1152	1668	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe
"C:\Users\Admin\AppData\Local\Temp\0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0dcc90d1fda582d73efa7d404869690a963e83c04d1f5496df9ac44f12fe7987.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
861727aef7c214b10c7806eddaa955fb

SHA1
5396befb221ff384c4edfbb1a51ff3657441f4d8

SHA256
0d1929a6dcb17a301cc7bedc207dc0a4c3a55da106ab17b2120749da190794fe

SHA512
55f0293df26ec9e261f6cc733559cf9e98c753f9f976d00a6227764658141ac382629834e52174ca67e5234e3e240be3d07fe5cb01da0b9bbcbcf85629a7139b

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
861727aef7c214b10c7806eddaa955fb

SHA1
5396befb221ff384c4edfbb1a51ff3657441f4d8

SHA256
0d1929a6dcb17a301cc7bedc207dc0a4c3a55da106ab17b2120749da190794fe

SHA512
55f0293df26ec9e261f6cc733559cf9e98c753f9f976d00a6227764658141ac382629834e52174ca67e5234e3e240be3d07fe5cb01da0b9bbcbcf85629a7139b

Download Submit
memory/780-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1632-55-0x0000000076B81000-0x0000000076B83000-memory.dmp

Filesize
8KB

Download
memory/1632-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads