sakula | 0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198

General

Target

0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe
Size

60KB
MD5

e6cc1f6382dc996a347e1497d5cb6124
SHA1

1dc86bfa0f5781635a7b93e839e94cb87b55b377
SHA256

0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198
SHA512

9e739ab2deed898b0692835cfcf101f8cf58bffb0251e594ab8e2b673dc3694ada2df269d197e118b4ea4087cc63f6a2ea178e371ba1f57d08bdabcdf278824a

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

3612 MediaCenter.exe

pid	process
3612	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe

Drops file in Windows directory 8 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1068 PING.EXE

pid	process
1068	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exe0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	4920	svchost.exe
Token: SeCreatePagefilePrivilege	4920	svchost.exe
Token: SeShutdownPrivilege	4920	svchost.exe
Token: SeCreatePagefilePrivilege	4920	svchost.exe
Token: SeShutdownPrivilege	4920	svchost.exe
Token: SeCreatePagefilePrivilege	4920	svchost.exe
Token: SeIncBasePriorityPrivilege	3472	0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe
Token: SeSecurityPrivilege	2792	TiWorker.exe
Token: SeRestorePrivilege	2792	TiWorker.exe
Token: SeBackupPrivilege	2792	TiWorker.exe
Token: SeBackupPrivilege	2792	TiWorker.exe
Token: SeRestorePrivilege	2792	TiWorker.exe
Token: SeSecurityPrivilege	2792	TiWorker.exe
Token: SeBackupPrivilege	2792	TiWorker.exe
Token: SeRestorePrivilege	2792	TiWorker.exe
Token: SeSecurityPrivilege	2792	TiWorker.exe
Token: SeBackupPrivilege	2792	TiWorker.exe
Token: SeRestorePrivilege	2792	TiWorker.exe
Token: SeSecurityPrivilege	2792	TiWorker.exe
Token: SeBackupPrivilege	2792	TiWorker.exe
Token: SeRestorePrivilege	2792	TiWorker.exe
Token: SeSecurityPrivilege	2792	TiWorker.exe
Token: SeBackupPrivilege	2792	TiWorker.exe
Token: SeRestorePrivilege	2792	TiWorker.exe
Token: SeSecurityPrivilege	2792	TiWorker.exe
Token: SeBackupPrivilege	2792	TiWorker.exe
Token: SeRestorePrivilege	2792	TiWorker.exe
Token: SeSecurityPrivilege	2792	TiWorker.exe
Token: SeBackupPrivilege	2792	TiWorker.exe
Token: SeRestorePrivilege	2792	TiWorker.exe
Token: SeSecurityPrivilege	2792	TiWorker.exe
Token: SeBackupPrivilege	2792	TiWorker.exe
Token: SeRestorePrivilege	2792	TiWorker.exe
Token: SeSecurityPrivilege	2792	TiWorker.exe
Token: SeBackupPrivilege	2792	TiWorker.exe
Token: SeRestorePrivilege	2792	TiWorker.exe
Token: SeSecurityPrivilege	2792	TiWorker.exe
Token: SeBackupPrivilege	2792	TiWorker.exe
Token: SeRestorePrivilege	2792	TiWorker.exe
Token: SeSecurityPrivilege	2792	TiWorker.exe
Token: SeBackupPrivilege	2792	TiWorker.exe
Token: SeRestorePrivilege	2792	TiWorker.exe
Token: SeSecurityPrivilege	2792	TiWorker.exe
Token: SeBackupPrivilege	2792	TiWorker.exe
Token: SeRestorePrivilege	2792	TiWorker.exe
Token: SeSecurityPrivilege	2792	TiWorker.exe
Token: SeBackupPrivilege	2792	TiWorker.exe
Token: SeRestorePrivilege	2792	TiWorker.exe
Token: SeSecurityPrivilege	2792	TiWorker.exe
Token: SeBackupPrivilege	2792	TiWorker.exe
Token: SeRestorePrivilege	2792	TiWorker.exe
Token: SeSecurityPrivilege	2792	TiWorker.exe
Token: SeBackupPrivilege	2792	TiWorker.exe
Token: SeRestorePrivilege	2792	TiWorker.exe
Token: SeSecurityPrivilege	2792	TiWorker.exe
Token: SeBackupPrivilege	2792	TiWorker.exe
Token: SeRestorePrivilege	2792	TiWorker.exe
Token: SeSecurityPrivilege	2792	TiWorker.exe
Token: SeBackupPrivilege	2792	TiWorker.exe
Token: SeRestorePrivilege	2792	TiWorker.exe
Token: SeSecurityPrivilege	2792	TiWorker.exe
Token: SeBackupPrivilege	2792	TiWorker.exe
Token: SeRestorePrivilege	2792	TiWorker.exe
Token: SeSecurityPrivilege	2792	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.execmd.exe

description	pid	process	target process
PID 3472 wrote to memory of 3612	3472	0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe	MediaCenter.exe
PID 3472 wrote to memory of 3612	3472	0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe	MediaCenter.exe
PID 3472 wrote to memory of 3612	3472	0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe	MediaCenter.exe
PID 3472 wrote to memory of 1680	3472	0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe	cmd.exe
PID 3472 wrote to memory of 1680	3472	0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe	cmd.exe
PID 3472 wrote to memory of 1680	3472	0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe	cmd.exe
PID 1680 wrote to memory of 1068	1680	cmd.exe	PING.EXE
PID 1680 wrote to memory of 1068	1680	cmd.exe	PING.EXE
PID 1680 wrote to memory of 1068	1680	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe
"C:\Users\Admin\AppData\Local\Temp\0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3472

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:3612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e52472f06dd8c8c5a84af494d127a517e4f3dd34766f9cadcdd902e2732b198.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
8641b30400d1fcff8c1482141b8169f6

SHA1
b797ccaaae6fde30e2a928f797cb6df3131c3370

SHA256
0df062b99b8801a2c150e4fdf38d1ff8705e60e68c7a5d2d8088c6f8f3e6aa2d

SHA512
a82c3373186bac92485a917c31b93515d461c0b18d106e606658f4d1d989bd378c9e7ecdd2677ecadb0b0369a45d5e3a48e78fa26e9ede567ddd83e76defb95c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
8641b30400d1fcff8c1482141b8169f6

SHA1
b797ccaaae6fde30e2a928f797cb6df3131c3370

SHA256
0df062b99b8801a2c150e4fdf38d1ff8705e60e68c7a5d2d8088c6f8f3e6aa2d

SHA512
a82c3373186bac92485a917c31b93515d461c0b18d106e606658f4d1d989bd378c9e7ecdd2677ecadb0b0369a45d5e3a48e78fa26e9ede567ddd83e76defb95c

Download Submit
memory/4920-132-0x0000022CBBD80000-0x0000022CBBD90000-memory.dmp

Filesize
64KB

Download
memory/4920-133-0x0000022CBC320000-0x0000022CBC330000-memory.dmp

Filesize
64KB

Download
memory/4920-134-0x0000022CBEA00000-0x0000022CBEA04000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads