sakula | 0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9

General

Target

0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe
Size

58KB
MD5

12191f2938b2782e0c75f8a6d3b36356
SHA1

ccc211de003f8d7f8b19fc5e7b9025a71186c6dc
SHA256

0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9
SHA512

ec3228915f514c99a2febed89acaf1fd5b898dbbc48ef283e127c187f565fed4fd72e7ca152bbe37f4dede7247368de97a3c501236628db54ae0a5439a3b3f7e

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1616 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

440 cmd.exe

pid	process
1616	MediaCenter.exe

pid	process
440	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe

pid	process
956	0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe
956	0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1932 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe

description pid process

Token: SeIncBasePriorityPrivilege 956 0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe

pid	process
1932	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	956	0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.execmd.exe

description	pid	process	target process
PID 956 wrote to memory of 1616	956	0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe	MediaCenter.exe
PID 956 wrote to memory of 1616	956	0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe	MediaCenter.exe
PID 956 wrote to memory of 1616	956	0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe	MediaCenter.exe
PID 956 wrote to memory of 1616	956	0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe	MediaCenter.exe
PID 956 wrote to memory of 440	956	0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe	cmd.exe
PID 956 wrote to memory of 440	956	0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe	cmd.exe
PID 956 wrote to memory of 440	956	0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe	cmd.exe
PID 956 wrote to memory of 440	956	0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe	cmd.exe
PID 440 wrote to memory of 1932	440	cmd.exe	PING.EXE
PID 440 wrote to memory of 1932	440	cmd.exe	PING.EXE
PID 440 wrote to memory of 1932	440	cmd.exe	PING.EXE
PID 440 wrote to memory of 1932	440	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe
"C:\Users\Admin\AppData\Local\Temp\0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0dc535484767bc8b462b638777f249bf0aa79d99f2369dbdb7f41626af11fea9.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:440

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
cdbaba1f59633634f2a2944b8cbad0e9

SHA1
1c03f152a9233ed9ebdf6ae94c803708496630ca

SHA256
2047302342f07ea47bd29a5987b02295fe778befac370168932b1142932fd73a

SHA512
dfaf222497462454210d6342dc141a49341d6f2bf142affead59ee3d4b4284c925f693d6ecb5fabfff20ec8d5995aec6711e824bd08a326cbfe3772fa573c439

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
cdbaba1f59633634f2a2944b8cbad0e9

SHA1
1c03f152a9233ed9ebdf6ae94c803708496630ca

SHA256
2047302342f07ea47bd29a5987b02295fe778befac370168932b1142932fd73a

SHA512
dfaf222497462454210d6342dc141a49341d6f2bf142affead59ee3d4b4284c925f693d6ecb5fabfff20ec8d5995aec6711e824bd08a326cbfe3772fa573c439

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
cdbaba1f59633634f2a2944b8cbad0e9

SHA1
1c03f152a9233ed9ebdf6ae94c803708496630ca

SHA256
2047302342f07ea47bd29a5987b02295fe778befac370168932b1142932fd73a

SHA512
dfaf222497462454210d6342dc141a49341d6f2bf142affead59ee3d4b4284c925f693d6ecb5fabfff20ec8d5995aec6711e824bd08a326cbfe3772fa573c439

Download Submit
memory/956-54-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads