sakula | 0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1

General

Target

0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe
Size

212KB
MD5

4f555d008896698e15f7d99963c63382
SHA1

397fd99d2fb6f0159e84ca394526dd1ff2e1d4c4
SHA256

0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1
SHA512

879319ea6a5ee001b8404b004d3494f33a9621dc5d24b1f2c41e000657205695b643dc528201fcfade2d5773f7d964edcb492177317ea8fe13a936c0da6a8a4e

Score

10^/10

sakula persistence rat suricata trojan upx

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

2696 MediaCenter.exe

pid	process
2696	MediaCenter.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe

Drops file in Windows directory 8 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3076 PING.EXE

pid	process
3076	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	4816	svchost.exe
Token: SeCreatePagefilePrivilege	4816	svchost.exe
Token: SeShutdownPrivilege	4816	svchost.exe
Token: SeCreatePagefilePrivilege	4816	svchost.exe
Token: SeShutdownPrivilege	4816	svchost.exe
Token: SeCreatePagefilePrivilege	4816	svchost.exe
Token: SeSecurityPrivilege	1496	TiWorker.exe
Token: SeRestorePrivilege	1496	TiWorker.exe
Token: SeBackupPrivilege	1496	TiWorker.exe
Token: SeBackupPrivilege	1496	TiWorker.exe
Token: SeRestorePrivilege	1496	TiWorker.exe
Token: SeSecurityPrivilege	1496	TiWorker.exe
Token: SeBackupPrivilege	1496	TiWorker.exe
Token: SeRestorePrivilege	1496	TiWorker.exe
Token: SeSecurityPrivilege	1496	TiWorker.exe
Token: SeBackupPrivilege	1496	TiWorker.exe
Token: SeRestorePrivilege	1496	TiWorker.exe
Token: SeSecurityPrivilege	1496	TiWorker.exe
Token: SeBackupPrivilege	1496	TiWorker.exe
Token: SeRestorePrivilege	1496	TiWorker.exe
Token: SeSecurityPrivilege	1496	TiWorker.exe
Token: SeBackupPrivilege	1496	TiWorker.exe
Token: SeRestorePrivilege	1496	TiWorker.exe
Token: SeSecurityPrivilege	1496	TiWorker.exe
Token: SeBackupPrivilege	1496	TiWorker.exe
Token: SeRestorePrivilege	1496	TiWorker.exe
Token: SeSecurityPrivilege	1496	TiWorker.exe
Token: SeBackupPrivilege	1496	TiWorker.exe
Token: SeRestorePrivilege	1496	TiWorker.exe
Token: SeSecurityPrivilege	1496	TiWorker.exe
Token: SeBackupPrivilege	1496	TiWorker.exe
Token: SeRestorePrivilege	1496	TiWorker.exe
Token: SeSecurityPrivilege	1496	TiWorker.exe
Token: SeBackupPrivilege	1496	TiWorker.exe
Token: SeRestorePrivilege	1496	TiWorker.exe
Token: SeSecurityPrivilege	1496	TiWorker.exe
Token: SeBackupPrivilege	1496	TiWorker.exe
Token: SeRestorePrivilege	1496	TiWorker.exe
Token: SeSecurityPrivilege	1496	TiWorker.exe
Token: SeBackupPrivilege	1496	TiWorker.exe
Token: SeRestorePrivilege	1496	TiWorker.exe
Token: SeSecurityPrivilege	1496	TiWorker.exe
Token: SeBackupPrivilege	1496	TiWorker.exe
Token: SeRestorePrivilege	1496	TiWorker.exe
Token: SeSecurityPrivilege	1496	TiWorker.exe
Token: SeBackupPrivilege	1496	TiWorker.exe
Token: SeRestorePrivilege	1496	TiWorker.exe
Token: SeSecurityPrivilege	1496	TiWorker.exe
Token: SeBackupPrivilege	1496	TiWorker.exe
Token: SeRestorePrivilege	1496	TiWorker.exe
Token: SeSecurityPrivilege	1496	TiWorker.exe
Token: SeBackupPrivilege	1496	TiWorker.exe
Token: SeRestorePrivilege	1496	TiWorker.exe
Token: SeSecurityPrivilege	1496	TiWorker.exe
Token: SeBackupPrivilege	1496	TiWorker.exe
Token: SeRestorePrivilege	1496	TiWorker.exe
Token: SeSecurityPrivilege	1496	TiWorker.exe
Token: SeBackupPrivilege	1496	TiWorker.exe
Token: SeRestorePrivilege	1496	TiWorker.exe
Token: SeSecurityPrivilege	1496	TiWorker.exe
Token: SeBackupPrivilege	1496	TiWorker.exe
Token: SeRestorePrivilege	1496	TiWorker.exe
Token: SeSecurityPrivilege	1496	TiWorker.exe
Token: SeBackupPrivilege	1496	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.execmd.exe

description	pid	process	target process
PID 2136 wrote to memory of 2696	2136	0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe	MediaCenter.exe
PID 2136 wrote to memory of 2696	2136	0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe	MediaCenter.exe
PID 2136 wrote to memory of 2696	2136	0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe	MediaCenter.exe
PID 2136 wrote to memory of 8	2136	0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe	cmd.exe
PID 2136 wrote to memory of 8	2136	0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe	cmd.exe
PID 2136 wrote to memory of 8	2136	0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe	cmd.exe
PID 8 wrote to memory of 3076	8	cmd.exe	PING.EXE
PID 8 wrote to memory of 3076	8	cmd.exe	PING.EXE
PID 8 wrote to memory of 3076	8	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe
"C:\Users\Admin\AppData\Local\Temp\0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2136

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:2696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ca3e2c88c0f82410b92b498fc9bdc9d499ac8737b7673bf34724421841ce9e1.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:3076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
cfddc5b1c3653b87aac62f5d1f89cd96

SHA1
a386f260ce33e0957d1ac7f9834d0ce16f9a2051

SHA256
609421b3910a5523e10dd2cd11ca85ea70eb820328baefc7c19bc2634a8629c6

SHA512
42d6bf836a936d140f4947a1096d6acd08a6b6cc12c79eb6cdf7a999e30e369fca2e7d74b1d0044da8a1e24f7d211ff8139a1ed42d93e138f539f22defdeea70

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
cfddc5b1c3653b87aac62f5d1f89cd96

SHA1
a386f260ce33e0957d1ac7f9834d0ce16f9a2051

SHA256
609421b3910a5523e10dd2cd11ca85ea70eb820328baefc7c19bc2634a8629c6

SHA512
42d6bf836a936d140f4947a1096d6acd08a6b6cc12c79eb6cdf7a999e30e369fca2e7d74b1d0044da8a1e24f7d211ff8139a1ed42d93e138f539f22defdeea70

Download Submit
memory/4816-132-0x000001E5C9780000-0x000001E5C9790000-memory.dmp

Filesize
64KB

Download
memory/4816-133-0x000001E5C9F60000-0x000001E5C9F70000-memory.dmp

Filesize
64KB

Download
memory/4816-134-0x000001E5CCB60000-0x000001E5CCB64000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads