sakula | 0f4f381d2fcad2bd19c99488d24408b68d548d370bbc8a05cc0ce2a31352635a

General

Target

0f4f381d2fcad2bd19c99488d24408b68d548d370bbc8a05cc0ce2a31352635a.exe
Size

101KB
MD5

cc11547a7d17bc897020cd6f97c4fb55
SHA1

0d87e8af9ee04c348309f012755fb780d2bd2d21
SHA256

0f4f381d2fcad2bd19c99488d24408b68d548d370bbc8a05cc0ce2a31352635a
SHA512

debd5adb3036f022eb6226543bf6ba7b824f9bfabade5e3cbcad16f291fe991280d5b7803244392d647f913c4f8464c90ee6738799fdc80bf5edbc6d8d5a451d

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

4720 MediaCenter.exe

pid	process
4720	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0f4f381d2fcad2bd19c99488d24408b68d548d370bbc8a05cc0ce2a31352635a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	0f4f381d2fcad2bd19c99488d24408b68d548d370bbc8a05cc0ce2a31352635a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0f4f381d2fcad2bd19c99488d24408b68d548d370bbc8a05cc0ce2a31352635a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0f4f381d2fcad2bd19c99488d24408b68d548d370bbc8a05cc0ce2a31352635a.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4328 PING.EXE

pid	process
4328	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeTiWorker.exe0f4f381d2fcad2bd19c99488d24408b68d548d370bbc8a05cc0ce2a31352635a.exe

description	pid	process
Token: SeShutdownPrivilege	4836	svchost.exe
Token: SeCreatePagefilePrivilege	4836	svchost.exe
Token: SeShutdownPrivilege	4836	svchost.exe
Token: SeCreatePagefilePrivilege	4836	svchost.exe
Token: SeShutdownPrivilege	4836	svchost.exe
Token: SeCreatePagefilePrivilege	4836	svchost.exe
Token: SeSecurityPrivilege	2788	TiWorker.exe
Token: SeRestorePrivilege	2788	TiWorker.exe
Token: SeBackupPrivilege	2788	TiWorker.exe
Token: SeBackupPrivilege	2788	TiWorker.exe
Token: SeRestorePrivilege	2788	TiWorker.exe
Token: SeSecurityPrivilege	2788	TiWorker.exe
Token: SeBackupPrivilege	2788	TiWorker.exe
Token: SeRestorePrivilege	2788	TiWorker.exe
Token: SeSecurityPrivilege	2788	TiWorker.exe
Token: SeBackupPrivilege	2788	TiWorker.exe
Token: SeRestorePrivilege	2788	TiWorker.exe
Token: SeSecurityPrivilege	2788	TiWorker.exe
Token: SeBackupPrivilege	2788	TiWorker.exe
Token: SeRestorePrivilege	2788	TiWorker.exe
Token: SeSecurityPrivilege	2788	TiWorker.exe
Token: SeBackupPrivilege	2788	TiWorker.exe
Token: SeRestorePrivilege	2788	TiWorker.exe
Token: SeSecurityPrivilege	2788	TiWorker.exe
Token: SeBackupPrivilege	2788	TiWorker.exe
Token: SeRestorePrivilege	2788	TiWorker.exe
Token: SeSecurityPrivilege	2788	TiWorker.exe
Token: SeBackupPrivilege	2788	TiWorker.exe
Token: SeRestorePrivilege	2788	TiWorker.exe
Token: SeSecurityPrivilege	2788	TiWorker.exe
Token: SeBackupPrivilege	2788	TiWorker.exe
Token: SeRestorePrivilege	2788	TiWorker.exe
Token: SeSecurityPrivilege	2788	TiWorker.exe
Token: SeBackupPrivilege	2788	TiWorker.exe
Token: SeRestorePrivilege	2788	TiWorker.exe
Token: SeSecurityPrivilege	2788	TiWorker.exe
Token: SeBackupPrivilege	2788	TiWorker.exe
Token: SeRestorePrivilege	2788	TiWorker.exe
Token: SeSecurityPrivilege	2788	TiWorker.exe
Token: SeBackupPrivilege	2788	TiWorker.exe
Token: SeRestorePrivilege	2788	TiWorker.exe
Token: SeSecurityPrivilege	2788	TiWorker.exe
Token: SeBackupPrivilege	2788	TiWorker.exe
Token: SeRestorePrivilege	2788	TiWorker.exe
Token: SeSecurityPrivilege	2788	TiWorker.exe
Token: SeBackupPrivilege	2788	TiWorker.exe
Token: SeRestorePrivilege	2788	TiWorker.exe
Token: SeSecurityPrivilege	2788	TiWorker.exe
Token: SeBackupPrivilege	2788	TiWorker.exe
Token: SeRestorePrivilege	2788	TiWorker.exe
Token: SeSecurityPrivilege	2788	TiWorker.exe
Token: SeBackupPrivilege	2788	TiWorker.exe
Token: SeRestorePrivilege	2788	TiWorker.exe
Token: SeSecurityPrivilege	2788	TiWorker.exe
Token: SeIncBasePriorityPrivilege	4800	0f4f381d2fcad2bd19c99488d24408b68d548d370bbc8a05cc0ce2a31352635a.exe
Token: SeBackupPrivilege	2788	TiWorker.exe
Token: SeRestorePrivilege	2788	TiWorker.exe
Token: SeSecurityPrivilege	2788	TiWorker.exe
Token: SeBackupPrivilege	2788	TiWorker.exe
Token: SeRestorePrivilege	2788	TiWorker.exe
Token: SeSecurityPrivilege	2788	TiWorker.exe
Token: SeBackupPrivilege	2788	TiWorker.exe
Token: SeRestorePrivilege	2788	TiWorker.exe
Token: SeSecurityPrivilege	2788	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0f4f381d2fcad2bd19c99488d24408b68d548d370bbc8a05cc0ce2a31352635a.execmd.exe

description	pid	process	target process
PID 4800 wrote to memory of 4720	4800	0f4f381d2fcad2bd19c99488d24408b68d548d370bbc8a05cc0ce2a31352635a.exe	MediaCenter.exe
PID 4800 wrote to memory of 4720	4800	0f4f381d2fcad2bd19c99488d24408b68d548d370bbc8a05cc0ce2a31352635a.exe	MediaCenter.exe
PID 4800 wrote to memory of 4720	4800	0f4f381d2fcad2bd19c99488d24408b68d548d370bbc8a05cc0ce2a31352635a.exe	MediaCenter.exe
PID 4800 wrote to memory of 4496	4800	0f4f381d2fcad2bd19c99488d24408b68d548d370bbc8a05cc0ce2a31352635a.exe	cmd.exe
PID 4800 wrote to memory of 4496	4800	0f4f381d2fcad2bd19c99488d24408b68d548d370bbc8a05cc0ce2a31352635a.exe	cmd.exe
PID 4800 wrote to memory of 4496	4800	0f4f381d2fcad2bd19c99488d24408b68d548d370bbc8a05cc0ce2a31352635a.exe	cmd.exe
PID 4496 wrote to memory of 4328	4496	cmd.exe	PING.EXE
PID 4496 wrote to memory of 4328	4496	cmd.exe	PING.EXE
PID 4496 wrote to memory of 4328	4496	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0f4f381d2fcad2bd19c99488d24408b68d548d370bbc8a05cc0ce2a31352635a.exe
"C:\Users\Admin\AppData\Local\Temp\0f4f381d2fcad2bd19c99488d24408b68d548d370bbc8a05cc0ce2a31352635a.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:4720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f4f381d2fcad2bd19c99488d24408b68d548d370bbc8a05cc0ce2a31352635a.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
6c1ad81b8ca0fe8194645559bb965bc6

SHA1
9f24f62112d3c83df707d6374001c97f61a5b7b5

SHA256
d56eee822db72b0af4026a813721da3c9031c8472d1f0f769ec0bcb9137b3fb7

SHA512
860f3bf7990932ddc73c58468f911b9fbf786c147606a87e2ec32deeed9aba19068bbf3165a49cf12d8a0335ed45e6163ebb57650b7416eab7b9d53222564347

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
6c1ad81b8ca0fe8194645559bb965bc6

SHA1
9f24f62112d3c83df707d6374001c97f61a5b7b5

SHA256
d56eee822db72b0af4026a813721da3c9031c8472d1f0f769ec0bcb9137b3fb7

SHA512
860f3bf7990932ddc73c58468f911b9fbf786c147606a87e2ec32deeed9aba19068bbf3165a49cf12d8a0335ed45e6163ebb57650b7416eab7b9d53222564347

Download Submit
memory/4836-132-0x0000019B5AB20000-0x0000019B5AB30000-memory.dmp

Filesize
64KB

Download
memory/4836-133-0x0000019B5AB80000-0x0000019B5AB90000-memory.dmp

Filesize
64KB

Download
memory/4836-134-0x0000019B5D250000-0x0000019B5D254000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads