sakula | 0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8

General

Target

0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe
Size

99KB
MD5

5d1c15e90754e64146c8795404770fb6
SHA1

e3767b712a8622c4854e7e35f397b64cbfdfe4d3
SHA256

0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8
SHA512

df39564d0cd2b287ad467aa1edd4a8f3c2dd04f66abe331349c3285d3c6c744c2c3712bef375dfeb032fd547095399aaea278a5154f5bb438c493c3fd49eae78

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

3816 MediaCenter.exe

pid	process
3816	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2536 PING.EXE

pid	process
2536	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeTiWorker.exe0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe

description	pid	process
Token: SeShutdownPrivilege	1132	svchost.exe
Token: SeCreatePagefilePrivilege	1132	svchost.exe
Token: SeShutdownPrivilege	1132	svchost.exe
Token: SeCreatePagefilePrivilege	1132	svchost.exe
Token: SeShutdownPrivilege	1132	svchost.exe
Token: SeCreatePagefilePrivilege	1132	svchost.exe
Token: SeSecurityPrivilege	4404	TiWorker.exe
Token: SeRestorePrivilege	4404	TiWorker.exe
Token: SeBackupPrivilege	4404	TiWorker.exe
Token: SeBackupPrivilege	4404	TiWorker.exe
Token: SeRestorePrivilege	4404	TiWorker.exe
Token: SeSecurityPrivilege	4404	TiWorker.exe
Token: SeBackupPrivilege	4404	TiWorker.exe
Token: SeRestorePrivilege	4404	TiWorker.exe
Token: SeSecurityPrivilege	4404	TiWorker.exe
Token: SeBackupPrivilege	4404	TiWorker.exe
Token: SeRestorePrivilege	4404	TiWorker.exe
Token: SeSecurityPrivilege	4404	TiWorker.exe
Token: SeBackupPrivilege	4404	TiWorker.exe
Token: SeRestorePrivilege	4404	TiWorker.exe
Token: SeSecurityPrivilege	4404	TiWorker.exe
Token: SeIncBasePriorityPrivilege	2736	0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe
Token: SeBackupPrivilege	4404	TiWorker.exe
Token: SeRestorePrivilege	4404	TiWorker.exe
Token: SeSecurityPrivilege	4404	TiWorker.exe
Token: SeBackupPrivilege	4404	TiWorker.exe
Token: SeRestorePrivilege	4404	TiWorker.exe
Token: SeSecurityPrivilege	4404	TiWorker.exe
Token: SeBackupPrivilege	4404	TiWorker.exe
Token: SeRestorePrivilege	4404	TiWorker.exe
Token: SeSecurityPrivilege	4404	TiWorker.exe
Token: SeBackupPrivilege	4404	TiWorker.exe
Token: SeRestorePrivilege	4404	TiWorker.exe
Token: SeSecurityPrivilege	4404	TiWorker.exe
Token: SeBackupPrivilege	4404	TiWorker.exe
Token: SeRestorePrivilege	4404	TiWorker.exe
Token: SeSecurityPrivilege	4404	TiWorker.exe
Token: SeBackupPrivilege	4404	TiWorker.exe
Token: SeRestorePrivilege	4404	TiWorker.exe
Token: SeSecurityPrivilege	4404	TiWorker.exe
Token: SeBackupPrivilege	4404	TiWorker.exe
Token: SeRestorePrivilege	4404	TiWorker.exe
Token: SeSecurityPrivilege	4404	TiWorker.exe
Token: SeBackupPrivilege	4404	TiWorker.exe
Token: SeRestorePrivilege	4404	TiWorker.exe
Token: SeSecurityPrivilege	4404	TiWorker.exe
Token: SeBackupPrivilege	4404	TiWorker.exe
Token: SeRestorePrivilege	4404	TiWorker.exe
Token: SeSecurityPrivilege	4404	TiWorker.exe
Token: SeBackupPrivilege	4404	TiWorker.exe
Token: SeRestorePrivilege	4404	TiWorker.exe
Token: SeSecurityPrivilege	4404	TiWorker.exe
Token: SeBackupPrivilege	4404	TiWorker.exe
Token: SeRestorePrivilege	4404	TiWorker.exe
Token: SeSecurityPrivilege	4404	TiWorker.exe
Token: SeBackupPrivilege	4404	TiWorker.exe
Token: SeRestorePrivilege	4404	TiWorker.exe
Token: SeSecurityPrivilege	4404	TiWorker.exe
Token: SeBackupPrivilege	4404	TiWorker.exe
Token: SeRestorePrivilege	4404	TiWorker.exe
Token: SeSecurityPrivilege	4404	TiWorker.exe
Token: SeBackupPrivilege	4404	TiWorker.exe
Token: SeRestorePrivilege	4404	TiWorker.exe
Token: SeSecurityPrivilege	4404	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.execmd.exe

description	pid	process	target process
PID 2736 wrote to memory of 3816	2736	0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe	MediaCenter.exe
PID 2736 wrote to memory of 3816	2736	0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe	MediaCenter.exe
PID 2736 wrote to memory of 3816	2736	0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe	MediaCenter.exe
PID 2736 wrote to memory of 1756	2736	0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe	cmd.exe
PID 2736 wrote to memory of 1756	2736	0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe	cmd.exe
PID 2736 wrote to memory of 1756	2736	0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe	cmd.exe
PID 1756 wrote to memory of 2536	1756	cmd.exe	PING.EXE
PID 1756 wrote to memory of 2536	1756	cmd.exe	PING.EXE
PID 1756 wrote to memory of 2536	1756	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe
"C:\Users\Admin\AppData\Local\Temp\0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:3816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d7c81e04d3496c37e898b0f182bd05047514c6d4d59417b1a3046576016f1d8.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
02d0fd0739ec1d8ab81159023c0f0b0b

SHA1
0a15e0814c8ae6f068aa398b872cc5d588afb60a

SHA256
a4f2293e017fb2950b56dd9f941528651c1a468419aea66818344af4fd770534

SHA512
654047f783c7ba662e3119aa36ef16f0a40174a668a323f1cd8e8a679b1b7f1eace1333ed8cb0267eb815d622f9db7bdc97e3989015a4167c97a6433466577a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
02d0fd0739ec1d8ab81159023c0f0b0b

SHA1
0a15e0814c8ae6f068aa398b872cc5d588afb60a

SHA256
a4f2293e017fb2950b56dd9f941528651c1a468419aea66818344af4fd770534

SHA512
654047f783c7ba662e3119aa36ef16f0a40174a668a323f1cd8e8a679b1b7f1eace1333ed8cb0267eb815d622f9db7bdc97e3989015a4167c97a6433466577a4

Download Submit
memory/1132-132-0x000001A245D20000-0x000001A245D30000-memory.dmp

Filesize
64KB

Download
memory/1132-133-0x000001A245D80000-0x000001A245D90000-memory.dmp

Filesize
64KB

Download
memory/1132-134-0x000001A248440000-0x000001A248444000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads