sakula | 0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5

General

Target

0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe
Size

216KB
MD5

bbca6c39502f278261354129ecf991f6
SHA1

ec75ce4f5bf4a04f4279f53ee559e3a25a9bf156
SHA256

0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5
SHA512

bde3b00d6bee7ba5917c0babd173aff2295c8ecbaec6d1c7a996adcfc2834d1df299ef846108ce2c7681a3ee1ccd5a1ff1c4b370d2449f403c56d7701605e69c

Score

10^/10

sakula persistence rat suricata trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral1/memory/1584-59-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula
behavioral1/memory/1512-60-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1512 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

392 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe

pid process

1584 0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe

pid	process
1512	MediaCenter.exe

pid	process
392	cmd.exe

pid	process
1584	0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1068 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe

description pid process

Token: SeIncBasePriorityPrivilege 1584 0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe

pid	process
1068	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1584	0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.execmd.exe

description	pid	process	target process
PID 1584 wrote to memory of 1512	1584	0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe	MediaCenter.exe
PID 1584 wrote to memory of 1512	1584	0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe	MediaCenter.exe
PID 1584 wrote to memory of 1512	1584	0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe	MediaCenter.exe
PID 1584 wrote to memory of 1512	1584	0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe	MediaCenter.exe
PID 1584 wrote to memory of 392	1584	0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe	cmd.exe
PID 1584 wrote to memory of 392	1584	0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe	cmd.exe
PID 1584 wrote to memory of 392	1584	0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe	cmd.exe
PID 1584 wrote to memory of 392	1584	0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe	cmd.exe
PID 392 wrote to memory of 1068	392	cmd.exe	PING.EXE
PID 392 wrote to memory of 1068	392	cmd.exe	PING.EXE
PID 392 wrote to memory of 1068	392	cmd.exe	PING.EXE
PID 392 wrote to memory of 1068	392	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe
"C:\Users\Admin\AppData\Local\Temp\0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c3774f67777b766fee51524b5758c37e77830c79b81d196c115b7d0d2389da5.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
d7ee7e58e11a51147bf2f4a55250594f

SHA1
76628109bb5fddbd6d9b56eb5b1cd58978350587

SHA256
2c5c0b284cb8303369d56d4096b9b94abc6e52840a9c58b9e7d6d88c3ec34ccc

SHA512
fb84a5661d0497776b9c3ef41cb7fd4181c75137164bfc686ead7c2479090c5c7a74e2298ee8a3715a32c01937f03078e3b38875d55981a05d6cfd8d928fc859

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
d7ee7e58e11a51147bf2f4a55250594f

SHA1
76628109bb5fddbd6d9b56eb5b1cd58978350587

SHA256
2c5c0b284cb8303369d56d4096b9b94abc6e52840a9c58b9e7d6d88c3ec34ccc

SHA512
fb84a5661d0497776b9c3ef41cb7fd4181c75137164bfc686ead7c2479090c5c7a74e2298ee8a3715a32c01937f03078e3b38875d55981a05d6cfd8d928fc859

Download Submit
memory/1512-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1584-55-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download
memory/1584-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads