sakula | 0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a

General

Target

0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe
Size

89KB
MD5

b4af6c589f78a3798c5d8db01e29b5e9
SHA1

5bf902599a1d23da28ab33afc9ad9aeab7a0df25
SHA256

0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a
SHA512

e523eb5d871b834be35539bbf9056ea4e98f34dd30a2a40392ab144bf5391f80872a3e274ec5246140f09fecbaddb07f3355b1ff280c0aeb492031eb6faa515c

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

2128 MediaCenter.exe

pid	process
2128	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3048 PING.EXE

pid	process
3048	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exe0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	4064	svchost.exe
Token: SeCreatePagefilePrivilege	4064	svchost.exe
Token: SeShutdownPrivilege	4064	svchost.exe
Token: SeCreatePagefilePrivilege	4064	svchost.exe
Token: SeShutdownPrivilege	4064	svchost.exe
Token: SeCreatePagefilePrivilege	4064	svchost.exe
Token: SeIncBasePriorityPrivilege	2088	0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe
Token: SeSecurityPrivilege	3484	TiWorker.exe
Token: SeRestorePrivilege	3484	TiWorker.exe
Token: SeBackupPrivilege	3484	TiWorker.exe
Token: SeBackupPrivilege	3484	TiWorker.exe
Token: SeRestorePrivilege	3484	TiWorker.exe
Token: SeSecurityPrivilege	3484	TiWorker.exe
Token: SeBackupPrivilege	3484	TiWorker.exe
Token: SeRestorePrivilege	3484	TiWorker.exe
Token: SeSecurityPrivilege	3484	TiWorker.exe
Token: SeBackupPrivilege	3484	TiWorker.exe
Token: SeRestorePrivilege	3484	TiWorker.exe
Token: SeSecurityPrivilege	3484	TiWorker.exe
Token: SeBackupPrivilege	3484	TiWorker.exe
Token: SeRestorePrivilege	3484	TiWorker.exe
Token: SeSecurityPrivilege	3484	TiWorker.exe
Token: SeBackupPrivilege	3484	TiWorker.exe
Token: SeRestorePrivilege	3484	TiWorker.exe
Token: SeSecurityPrivilege	3484	TiWorker.exe
Token: SeBackupPrivilege	3484	TiWorker.exe
Token: SeRestorePrivilege	3484	TiWorker.exe
Token: SeSecurityPrivilege	3484	TiWorker.exe
Token: SeBackupPrivilege	3484	TiWorker.exe
Token: SeRestorePrivilege	3484	TiWorker.exe
Token: SeSecurityPrivilege	3484	TiWorker.exe
Token: SeBackupPrivilege	3484	TiWorker.exe
Token: SeRestorePrivilege	3484	TiWorker.exe
Token: SeSecurityPrivilege	3484	TiWorker.exe
Token: SeBackupPrivilege	3484	TiWorker.exe
Token: SeRestorePrivilege	3484	TiWorker.exe
Token: SeSecurityPrivilege	3484	TiWorker.exe
Token: SeBackupPrivilege	3484	TiWorker.exe
Token: SeRestorePrivilege	3484	TiWorker.exe
Token: SeSecurityPrivilege	3484	TiWorker.exe
Token: SeBackupPrivilege	3484	TiWorker.exe
Token: SeRestorePrivilege	3484	TiWorker.exe
Token: SeSecurityPrivilege	3484	TiWorker.exe
Token: SeBackupPrivilege	3484	TiWorker.exe
Token: SeRestorePrivilege	3484	TiWorker.exe
Token: SeSecurityPrivilege	3484	TiWorker.exe
Token: SeBackupPrivilege	3484	TiWorker.exe
Token: SeRestorePrivilege	3484	TiWorker.exe
Token: SeSecurityPrivilege	3484	TiWorker.exe
Token: SeBackupPrivilege	3484	TiWorker.exe
Token: SeRestorePrivilege	3484	TiWorker.exe
Token: SeSecurityPrivilege	3484	TiWorker.exe
Token: SeBackupPrivilege	3484	TiWorker.exe
Token: SeRestorePrivilege	3484	TiWorker.exe
Token: SeSecurityPrivilege	3484	TiWorker.exe
Token: SeBackupPrivilege	3484	TiWorker.exe
Token: SeRestorePrivilege	3484	TiWorker.exe
Token: SeSecurityPrivilege	3484	TiWorker.exe
Token: SeBackupPrivilege	3484	TiWorker.exe
Token: SeRestorePrivilege	3484	TiWorker.exe
Token: SeSecurityPrivilege	3484	TiWorker.exe
Token: SeBackupPrivilege	3484	TiWorker.exe
Token: SeRestorePrivilege	3484	TiWorker.exe
Token: SeSecurityPrivilege	3484	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.execmd.exe

description	pid	process	target process
PID 2088 wrote to memory of 2128	2088	0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe	MediaCenter.exe
PID 2088 wrote to memory of 2128	2088	0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe	MediaCenter.exe
PID 2088 wrote to memory of 2128	2088	0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe	MediaCenter.exe
PID 2088 wrote to memory of 3404	2088	0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe	cmd.exe
PID 2088 wrote to memory of 3404	2088	0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe	cmd.exe
PID 2088 wrote to memory of 3404	2088	0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe	cmd.exe
PID 3404 wrote to memory of 3048	3404	cmd.exe	PING.EXE
PID 3404 wrote to memory of 3048	3404	cmd.exe	PING.EXE
PID 3404 wrote to memory of 3048	3404	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe
"C:\Users\Admin\AppData\Local\Temp\0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:2128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0d5528fe2890f8451a9ea3c1b70878b2a9f1787769500932f78be2d419b0c17a.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:3048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
ceaef43be6dd8d06fb1ebb8df5fe3900

SHA1
96b91fd5ed85913886259f721e6bfb7c00aee2fb

SHA256
75219f301410d4c4d4ccbe473c7b6fd19b918bb16891e8e7349e68f32f2f6ad2

SHA512
72ad53f89e85e835d5be88a34cb055f53c962618aff5bcef2f15e57949e6dc346c03b9befe69ea2bf8f2c45216e0aef19993b49eb18e49c8819dcbd416d8812d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
ceaef43be6dd8d06fb1ebb8df5fe3900

SHA1
96b91fd5ed85913886259f721e6bfb7c00aee2fb

SHA256
75219f301410d4c4d4ccbe473c7b6fd19b918bb16891e8e7349e68f32f2f6ad2

SHA512
72ad53f89e85e835d5be88a34cb055f53c962618aff5bcef2f15e57949e6dc346c03b9befe69ea2bf8f2c45216e0aef19993b49eb18e49c8819dcbd416d8812d

Download Submit
memory/4064-132-0x0000014654130000-0x0000014654140000-memory.dmp

Filesize
64KB

Download
memory/4064-133-0x0000014654190000-0x00000146541A0000-memory.dmp

Filesize
64KB

Download
memory/4064-134-0x0000014656EA0000-0x0000014656EA4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads