sakula | 0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53

General

Target

0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe
Size

216KB
MD5

de2e33614b5252f8fc4a904c184e113c
SHA1

308534741cecae7488b25261ca08c039206e9e7f
SHA256

0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53
SHA512

08b9a9e4755932ef025e85d89adf27a8eeb2f3bf2b6697072d46c52de23d853e8ba645f321695bc2f925ecb2d7f8a402091c888e27b053cd8f75215b34aa6259

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral1/memory/1524-58-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula
behavioral1/memory/1492-59-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1492 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1708 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe

pid process

1524 0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe

pid	process
1492	MediaCenter.exe

pid	process
1708	cmd.exe

pid	process
1524	0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

288 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe

description pid process

Token: SeIncBasePriorityPrivilege 1524 0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe

pid	process
288	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1524	0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.execmd.exe

description	pid	process	target process
PID 1524 wrote to memory of 1492	1524	0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe	MediaCenter.exe
PID 1524 wrote to memory of 1492	1524	0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe	MediaCenter.exe
PID 1524 wrote to memory of 1492	1524	0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe	MediaCenter.exe
PID 1524 wrote to memory of 1492	1524	0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe	MediaCenter.exe
PID 1524 wrote to memory of 1708	1524	0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe	cmd.exe
PID 1524 wrote to memory of 1708	1524	0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe	cmd.exe
PID 1524 wrote to memory of 1708	1524	0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe	cmd.exe
PID 1524 wrote to memory of 1708	1524	0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe	cmd.exe
PID 1708 wrote to memory of 288	1708	cmd.exe	PING.EXE
PID 1708 wrote to memory of 288	1708	cmd.exe	PING.EXE
PID 1708 wrote to memory of 288	1708	cmd.exe	PING.EXE
PID 1708 wrote to memory of 288	1708	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe
"C:\Users\Admin\AppData\Local\Temp\0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0f055f3137e08e60fff6271ac8665723e38c71c0663cd7a4796203bf0b4f2b53.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
4a5fcd222c244568f42b1c729b57009e

SHA1
a77eeb842644b2ba6e45f3dbbe5cd5cb09d74872

SHA256
2ebad1cd3dce2e90f89b434db1e57167a28557484bd83afde9bb69af33908199

SHA512
8fa1d1c59529c928f0bb909116ce1f96fd4a8b9559ef7d9541ba89da7db836c9dfa9f434f24fa60a3e5fc261fc8dc3b029c4698dbc3d69b03fd1be711219bc59

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
4a5fcd222c244568f42b1c729b57009e

SHA1
a77eeb842644b2ba6e45f3dbbe5cd5cb09d74872

SHA256
2ebad1cd3dce2e90f89b434db1e57167a28557484bd83afde9bb69af33908199

SHA512
8fa1d1c59529c928f0bb909116ce1f96fd4a8b9559ef7d9541ba89da7db836c9dfa9f434f24fa60a3e5fc261fc8dc3b029c4698dbc3d69b03fd1be711219bc59

Download Submit
memory/1492-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1524-54-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download
memory/1524-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads