sakula | 0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7

General

Target

0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe
Size

152KB
MD5

6778e78f1c00c3bf6f8ce8c9bf867a27
SHA1

99a8d40230eff419c8fbc30cee8d6234b96b38ea
SHA256

0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7
SHA512

0412507308eff3a64d2a74456b1d43b3fc630543fc942658053a757cac9338df96bff03ef7a5b80aa0c52e08e3ae103c0b7f6e880a52365e4fd14e10dc5d28c3

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1132 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1048 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe

pid process

1492 0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe

pid	process
1132	MediaCenter.exe

pid	process
1048	cmd.exe

pid	process
1492	0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2008 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe

description pid process

Token: SeIncBasePriorityPrivilege 1492 0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe

pid	process
2008	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1492	0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.execmd.exe

description	pid	process	target process
PID 1492 wrote to memory of 1132	1492	0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe	MediaCenter.exe
PID 1492 wrote to memory of 1132	1492	0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe	MediaCenter.exe
PID 1492 wrote to memory of 1132	1492	0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe	MediaCenter.exe
PID 1492 wrote to memory of 1132	1492	0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe	MediaCenter.exe
PID 1492 wrote to memory of 1048	1492	0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe	cmd.exe
PID 1492 wrote to memory of 1048	1492	0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe	cmd.exe
PID 1492 wrote to memory of 1048	1492	0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe	cmd.exe
PID 1492 wrote to memory of 1048	1492	0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe	cmd.exe
PID 1048 wrote to memory of 2008	1048	cmd.exe	PING.EXE
PID 1048 wrote to memory of 2008	1048	cmd.exe	PING.EXE
PID 1048 wrote to memory of 2008	1048	cmd.exe	PING.EXE
PID 1048 wrote to memory of 2008	1048	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe
"C:\Users\Admin\AppData\Local\Temp\0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b4f98b2c4707095fb262fc19cde0ece98c55e3c3c3a80b54cef4eb827587ad7.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
26013070841336449a31ce0ee0e10e15

SHA1
717c28012279b36f2e550257cfd4b2a7c2117714

SHA256
4c205a0388cc253a136b3db950b82f0828271e09f4e8507caea08a7ddacd22cf

SHA512
83dfe2d472b0473ff2b74c2018cfc3a4c620df97999340f7566417adfe4a97946623a3cf9407e14f881eaadfba95f187842049045b0d425ad25dd76863d080ea

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
26013070841336449a31ce0ee0e10e15

SHA1
717c28012279b36f2e550257cfd4b2a7c2117714

SHA256
4c205a0388cc253a136b3db950b82f0828271e09f4e8507caea08a7ddacd22cf

SHA512
83dfe2d472b0473ff2b74c2018cfc3a4c620df97999340f7566417adfe4a97946623a3cf9407e14f881eaadfba95f187842049045b0d425ad25dd76863d080ea

Download Submit
memory/1492-55-0x0000000076851000-0x0000000076853000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads