sakula | 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd

General

Target

0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe
Size

101KB
MD5

ca318c838cd1c3c6a2ddf3abc538b652
SHA1

13a91edaf4f5727c5f5fa4277b4041e7110bd8fa
SHA256

0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd
SHA512

92ff016c800290cedca1cc2d0168520120d7277d357b37f9df07e3b73440ccaec9d11406286c99116c5cda6669d25a30cea118ea580685bebd6fac70e9a0fea9

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1652 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1452 cmd.exe

pid	process
1652	MediaCenter.exe

pid	process
1452	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe

pid	process
1320	0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe
1320	0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

340 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe

description pid process

Token: SeIncBasePriorityPrivilege 1320 0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe

pid	process
340	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1320	0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.execmd.exe

description	pid	process	target process
PID 1320 wrote to memory of 1652	1320	0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe	MediaCenter.exe
PID 1320 wrote to memory of 1652	1320	0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe	MediaCenter.exe
PID 1320 wrote to memory of 1652	1320	0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe	MediaCenter.exe
PID 1320 wrote to memory of 1652	1320	0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe	MediaCenter.exe
PID 1320 wrote to memory of 1452	1320	0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe	cmd.exe
PID 1320 wrote to memory of 1452	1320	0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe	cmd.exe
PID 1320 wrote to memory of 1452	1320	0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe	cmd.exe
PID 1320 wrote to memory of 1452	1320	0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe	cmd.exe
PID 1452 wrote to memory of 340	1452	cmd.exe	PING.EXE
PID 1452 wrote to memory of 340	1452	cmd.exe	PING.EXE
PID 1452 wrote to memory of 340	1452	cmd.exe	PING.EXE
PID 1452 wrote to memory of 340	1452	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe
"C:\Users\Admin\AppData\Local\Temp\0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ba1ed465a2c9e18ec05d33d7ab7da442487facfd5ed2addaa762b0c1251fccd.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
29f3ecd7a06b7d40e120e71d10d44c8d

SHA1
d2c78719c1cd7dbb3b50b70895bf95296215b4ec

SHA256
2d67cbe9652d8db403766a4f7dac9602f0756a10861f166a9b67d92aca9b65e1

SHA512
8d18b8c616acb0fcfc8464aef3e1855c8f8a05ad57e90a388d015eaa53cd4f1c383a087bce837467e5fa97e4c0799db4a264087be66114928c10a24922dd4766

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
29f3ecd7a06b7d40e120e71d10d44c8d

SHA1
d2c78719c1cd7dbb3b50b70895bf95296215b4ec

SHA256
2d67cbe9652d8db403766a4f7dac9602f0756a10861f166a9b67d92aca9b65e1

SHA512
8d18b8c616acb0fcfc8464aef3e1855c8f8a05ad57e90a388d015eaa53cd4f1c383a087bce837467e5fa97e4c0799db4a264087be66114928c10a24922dd4766

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
29f3ecd7a06b7d40e120e71d10d44c8d

SHA1
d2c78719c1cd7dbb3b50b70895bf95296215b4ec

SHA256
2d67cbe9652d8db403766a4f7dac9602f0756a10861f166a9b67d92aca9b65e1

SHA512
8d18b8c616acb0fcfc8464aef3e1855c8f8a05ad57e90a388d015eaa53cd4f1c383a087bce837467e5fa97e4c0799db4a264087be66114928c10a24922dd4766

Download Submit
memory/1320-55-0x0000000074B21000-0x0000000074B23000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads