sakula | 0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a

General

Target

0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe
Size

99KB
MD5

2d77a12a3da6ae20200a7f8ec9502eb0
SHA1

0b7d40a7bfaa7e23df0c7a6de308bf3234f1aa71
SHA256

0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a
SHA512

c052b37a66d39a504e7df1510af67a9d7198c5287552b7dde3cf7435470cea4f39954c8f3493759a41b27250e3c9aeb3c9e3c9dbb5eaa04180213a102da940a9

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1624 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1068 cmd.exe

pid	process
1624	MediaCenter.exe

pid	process
1068	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe

pid	process
976	0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe
976	0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

880 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe

description pid process

Token: SeIncBasePriorityPrivilege 976 0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe

pid	process
880	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	976	0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.execmd.exe

description	pid	process	target process
PID 976 wrote to memory of 1624	976	0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe	MediaCenter.exe
PID 976 wrote to memory of 1624	976	0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe	MediaCenter.exe
PID 976 wrote to memory of 1624	976	0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe	MediaCenter.exe
PID 976 wrote to memory of 1624	976	0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe	MediaCenter.exe
PID 976 wrote to memory of 1068	976	0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe	cmd.exe
PID 976 wrote to memory of 1068	976	0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe	cmd.exe
PID 976 wrote to memory of 1068	976	0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe	cmd.exe
PID 976 wrote to memory of 1068	976	0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe	cmd.exe
PID 1068 wrote to memory of 880	1068	cmd.exe	PING.EXE
PID 1068 wrote to memory of 880	1068	cmd.exe	PING.EXE
PID 1068 wrote to memory of 880	1068	cmd.exe	PING.EXE
PID 1068 wrote to memory of 880	1068	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe
"C:\Users\Admin\AppData\Local\Temp\0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0fb29a584eb880ef530d7c2d9ec79674223232b1b10bdd8c6918f88d8cb4b27a.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
e6a7d08a482cfd56d5f721c4e9372302

SHA1
2fb37f15a73451349865f41f4944cb911ddce484

SHA256
f37784a8a2f73584f34b8aa593f9a68d3d288bc33574c30267740d7c53cbda48

SHA512
00556b0b4222a0ab6c0b1a31625248eb17c84fede5ce5642a08bff613d0e5fd32c34b476f4d8c7a5650988fdbe8a1c0c66cb48eca7fbc99e69586c30c2bf0814

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
e6a7d08a482cfd56d5f721c4e9372302

SHA1
2fb37f15a73451349865f41f4944cb911ddce484

SHA256
f37784a8a2f73584f34b8aa593f9a68d3d288bc33574c30267740d7c53cbda48

SHA512
00556b0b4222a0ab6c0b1a31625248eb17c84fede5ce5642a08bff613d0e5fd32c34b476f4d8c7a5650988fdbe8a1c0c66cb48eca7fbc99e69586c30c2bf0814

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
e6a7d08a482cfd56d5f721c4e9372302

SHA1
2fb37f15a73451349865f41f4944cb911ddce484

SHA256
f37784a8a2f73584f34b8aa593f9a68d3d288bc33574c30267740d7c53cbda48

SHA512
00556b0b4222a0ab6c0b1a31625248eb17c84fede5ce5642a08bff613d0e5fd32c34b476f4d8c7a5650988fdbe8a1c0c66cb48eca7fbc99e69586c30c2bf0814

Download Submit
memory/976-54-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads