sakula | 0cf34fc0ad5156b07b090f34337d01d97dd847c4e8bf15283fdd4d772d61559b

General

Target

0cf34fc0ad5156b07b090f34337d01d97dd847c4e8bf15283fdd4d772d61559b.exe
Size

151KB
MD5

7b4c4ad800a512eaf3ff6d84b060f819
SHA1

5d154448aba36481e4bd456a22fe14428b461f40
SHA256

0cf34fc0ad5156b07b090f34337d01d97dd847c4e8bf15283fdd4d772d61559b
SHA512

b35632794d47ee222da11357134c78c9caf6995712a2f318a7443a5f4fba8be67b17ac298ac4f5b2c13d687a8ca8e3989aac3d014ad67eea9bb5c96a0791c187

Score

10^/10

sakula persistence rat suricata trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

4844 MediaCenter.exe

pid	process
4844	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0cf34fc0ad5156b07b090f34337d01d97dd847c4e8bf15283fdd4d772d61559b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	0cf34fc0ad5156b07b090f34337d01d97dd847c4e8bf15283fdd4d772d61559b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0cf34fc0ad5156b07b090f34337d01d97dd847c4e8bf15283fdd4d772d61559b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0cf34fc0ad5156b07b090f34337d01d97dd847c4e8bf15283fdd4d772d61559b.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2460 PING.EXE

pid	process
2460	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exe0cf34fc0ad5156b07b090f34337d01d97dd847c4e8bf15283fdd4d772d61559b.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	1328	svchost.exe
Token: SeCreatePagefilePrivilege	1328	svchost.exe
Token: SeShutdownPrivilege	1328	svchost.exe
Token: SeCreatePagefilePrivilege	1328	svchost.exe
Token: SeShutdownPrivilege	1328	svchost.exe
Token: SeCreatePagefilePrivilege	1328	svchost.exe
Token: SeIncBasePriorityPrivilege	3812	0cf34fc0ad5156b07b090f34337d01d97dd847c4e8bf15283fdd4d772d61559b.exe
Token: SeSecurityPrivilege	4828	TiWorker.exe
Token: SeRestorePrivilege	4828	TiWorker.exe
Token: SeBackupPrivilege	4828	TiWorker.exe
Token: SeBackupPrivilege	4828	TiWorker.exe
Token: SeRestorePrivilege	4828	TiWorker.exe
Token: SeSecurityPrivilege	4828	TiWorker.exe
Token: SeBackupPrivilege	4828	TiWorker.exe
Token: SeRestorePrivilege	4828	TiWorker.exe
Token: SeSecurityPrivilege	4828	TiWorker.exe
Token: SeBackupPrivilege	4828	TiWorker.exe
Token: SeRestorePrivilege	4828	TiWorker.exe
Token: SeSecurityPrivilege	4828	TiWorker.exe
Token: SeBackupPrivilege	4828	TiWorker.exe
Token: SeRestorePrivilege	4828	TiWorker.exe
Token: SeSecurityPrivilege	4828	TiWorker.exe
Token: SeBackupPrivilege	4828	TiWorker.exe
Token: SeRestorePrivilege	4828	TiWorker.exe
Token: SeSecurityPrivilege	4828	TiWorker.exe
Token: SeBackupPrivilege	4828	TiWorker.exe
Token: SeRestorePrivilege	4828	TiWorker.exe
Token: SeSecurityPrivilege	4828	TiWorker.exe
Token: SeBackupPrivilege	4828	TiWorker.exe
Token: SeRestorePrivilege	4828	TiWorker.exe
Token: SeSecurityPrivilege	4828	TiWorker.exe
Token: SeBackupPrivilege	4828	TiWorker.exe
Token: SeRestorePrivilege	4828	TiWorker.exe
Token: SeSecurityPrivilege	4828	TiWorker.exe
Token: SeBackupPrivilege	4828	TiWorker.exe
Token: SeRestorePrivilege	4828	TiWorker.exe
Token: SeSecurityPrivilege	4828	TiWorker.exe
Token: SeBackupPrivilege	4828	TiWorker.exe
Token: SeRestorePrivilege	4828	TiWorker.exe
Token: SeSecurityPrivilege	4828	TiWorker.exe
Token: SeBackupPrivilege	4828	TiWorker.exe
Token: SeRestorePrivilege	4828	TiWorker.exe
Token: SeSecurityPrivilege	4828	TiWorker.exe
Token: SeBackupPrivilege	4828	TiWorker.exe
Token: SeRestorePrivilege	4828	TiWorker.exe
Token: SeSecurityPrivilege	4828	TiWorker.exe
Token: SeBackupPrivilege	4828	TiWorker.exe
Token: SeRestorePrivilege	4828	TiWorker.exe
Token: SeSecurityPrivilege	4828	TiWorker.exe
Token: SeBackupPrivilege	4828	TiWorker.exe
Token: SeRestorePrivilege	4828	TiWorker.exe
Token: SeSecurityPrivilege	4828	TiWorker.exe
Token: SeBackupPrivilege	4828	TiWorker.exe
Token: SeRestorePrivilege	4828	TiWorker.exe
Token: SeSecurityPrivilege	4828	TiWorker.exe
Token: SeBackupPrivilege	4828	TiWorker.exe
Token: SeRestorePrivilege	4828	TiWorker.exe
Token: SeSecurityPrivilege	4828	TiWorker.exe
Token: SeBackupPrivilege	4828	TiWorker.exe
Token: SeRestorePrivilege	4828	TiWorker.exe
Token: SeSecurityPrivilege	4828	TiWorker.exe
Token: SeBackupPrivilege	4828	TiWorker.exe
Token: SeRestorePrivilege	4828	TiWorker.exe
Token: SeSecurityPrivilege	4828	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0cf34fc0ad5156b07b090f34337d01d97dd847c4e8bf15283fdd4d772d61559b.execmd.exe

description	pid	process	target process
PID 3812 wrote to memory of 4844	3812	0cf34fc0ad5156b07b090f34337d01d97dd847c4e8bf15283fdd4d772d61559b.exe	MediaCenter.exe
PID 3812 wrote to memory of 4844	3812	0cf34fc0ad5156b07b090f34337d01d97dd847c4e8bf15283fdd4d772d61559b.exe	MediaCenter.exe
PID 3812 wrote to memory of 4844	3812	0cf34fc0ad5156b07b090f34337d01d97dd847c4e8bf15283fdd4d772d61559b.exe	MediaCenter.exe
PID 3812 wrote to memory of 480	3812	0cf34fc0ad5156b07b090f34337d01d97dd847c4e8bf15283fdd4d772d61559b.exe	cmd.exe
PID 3812 wrote to memory of 480	3812	0cf34fc0ad5156b07b090f34337d01d97dd847c4e8bf15283fdd4d772d61559b.exe	cmd.exe
PID 3812 wrote to memory of 480	3812	0cf34fc0ad5156b07b090f34337d01d97dd847c4e8bf15283fdd4d772d61559b.exe	cmd.exe
PID 480 wrote to memory of 2460	480	cmd.exe	PING.EXE
PID 480 wrote to memory of 2460	480	cmd.exe	PING.EXE
PID 480 wrote to memory of 2460	480	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0cf34fc0ad5156b07b090f34337d01d97dd847c4e8bf15283fdd4d772d61559b.exe
"C:\Users\Admin\AppData\Local\Temp\0cf34fc0ad5156b07b090f34337d01d97dd847c4e8bf15283fdd4d772d61559b.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3812

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:4844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0cf34fc0ad5156b07b090f34337d01d97dd847c4e8bf15283fdd4d772d61559b.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:480

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
f528c8c513d343ce1286e467d4044c50

SHA1
63ef265436006ac0b660cf77fb459a2d2feceb9b

SHA256
5cd9ca6b7a3d53e75ec4ba84a538fb8f6d317070054ec91e46e43c9091c20d3d

SHA512
dd710eedea529b661adf37590f07ca92f674b5751aa0750275a780bc13ee814df7fa9812c052aa1b324e2717304037ec99a28218ea5f4668104ab830afff881c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
f528c8c513d343ce1286e467d4044c50

SHA1
63ef265436006ac0b660cf77fb459a2d2feceb9b

SHA256
5cd9ca6b7a3d53e75ec4ba84a538fb8f6d317070054ec91e46e43c9091c20d3d

SHA512
dd710eedea529b661adf37590f07ca92f674b5751aa0750275a780bc13ee814df7fa9812c052aa1b324e2717304037ec99a28218ea5f4668104ab830afff881c

Download Submit
memory/1328-132-0x0000017ABB560000-0x0000017ABB570000-memory.dmp

Filesize
64KB

Download
memory/1328-133-0x0000017ABBB20000-0x0000017ABBB30000-memory.dmp

Filesize
64KB

Download
memory/1328-134-0x0000017ABE1A0000-0x0000017ABE1A4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads