sakula | 0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91

General

Target

0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe
Size

216KB
MD5

079225c2f8b2c0cea518c888e6f3fde8
SHA1

ce8b5a306b4af29994af8314a16db232a551ff0a
SHA256

0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91
SHA512

6e0891bad6e6443938f9603b4900f6965f4c1cf991ca09d224f9aa8a394aaa78176b302f80d7ae09102d0177e3e000ef147447614165f9bcc97b9fef05e6c317

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral1/memory/1312-58-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula
behavioral1/memory/820-59-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

820 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1816 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe

pid process

1312 0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe

pid	process
820	MediaCenter.exe

pid	process
1816	cmd.exe

pid	process
1312	0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

812 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe

description pid process

Token: SeIncBasePriorityPrivilege 1312 0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe

pid	process
812	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1312	0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.execmd.exe

description	pid	process	target process
PID 1312 wrote to memory of 820	1312	0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe	MediaCenter.exe
PID 1312 wrote to memory of 820	1312	0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe	MediaCenter.exe
PID 1312 wrote to memory of 820	1312	0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe	MediaCenter.exe
PID 1312 wrote to memory of 820	1312	0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe	MediaCenter.exe
PID 1312 wrote to memory of 1816	1312	0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe	cmd.exe
PID 1312 wrote to memory of 1816	1312	0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe	cmd.exe
PID 1312 wrote to memory of 1816	1312	0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe	cmd.exe
PID 1312 wrote to memory of 1816	1312	0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe	cmd.exe
PID 1816 wrote to memory of 812	1816	cmd.exe	PING.EXE
PID 1816 wrote to memory of 812	1816	cmd.exe	PING.EXE
PID 1816 wrote to memory of 812	1816	cmd.exe	PING.EXE
PID 1816 wrote to memory of 812	1816	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe
"C:\Users\Admin\AppData\Local\Temp\0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0da254418f70fb0cc5f62d9db51c56eaf3727fc79e824b599a7e9da8c5c23d91.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
40e4139ea2c1443d7446f6591e810bac

SHA1
343da6e6cf4f8133f172df06fed86cf8ce5f3e28

SHA256
bedad83e769b89fd8193bed4e67c203a19ace53ff5931c457be43b345435b083

SHA512
70787beee9bfa619eba4d14cd6d516704eeb3af288ead020285ab9e7457baaabfba2fdcf985ede150368fa58899905856e5eeb5eb774c60cc240060cb9fb356e

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
40e4139ea2c1443d7446f6591e810bac

SHA1
343da6e6cf4f8133f172df06fed86cf8ce5f3e28

SHA256
bedad83e769b89fd8193bed4e67c203a19ace53ff5931c457be43b345435b083

SHA512
70787beee9bfa619eba4d14cd6d516704eeb3af288ead020285ab9e7457baaabfba2fdcf985ede150368fa58899905856e5eeb5eb774c60cc240060cb9fb356e

Download Submit
memory/820-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1312-54-0x0000000076911000-0x0000000076913000-memory.dmp

Filesize
8KB

Download
memory/1312-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads