sakula | 0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e

General

Target

0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe
Size

60KB
MD5

476e22009f28d2d531d13d4fa12efa59
SHA1

c15681556068a4c42081f08a50b52cca5a164ddc
SHA256

0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e
SHA512

5e032487f51dd016e6b50998c464bea06b581ea006de2eb57d715b2a358d6e0980cc740db191a8621daee53b4ffd0d352f847b0cad5a5fd317e2ed1820f9f477

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1568 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1780 cmd.exe

pid	process
1568	MediaCenter.exe

pid	process
1780	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe

pid	process
804	0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe
804	0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

672 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe

description pid process

Token: SeIncBasePriorityPrivilege 804 0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe

pid	process
672	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	804	0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.execmd.exe

description	pid	process	target process
PID 804 wrote to memory of 1568	804	0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe	MediaCenter.exe
PID 804 wrote to memory of 1568	804	0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe	MediaCenter.exe
PID 804 wrote to memory of 1568	804	0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe	MediaCenter.exe
PID 804 wrote to memory of 1568	804	0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe	MediaCenter.exe
PID 804 wrote to memory of 1780	804	0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe	cmd.exe
PID 804 wrote to memory of 1780	804	0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe	cmd.exe
PID 804 wrote to memory of 1780	804	0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe	cmd.exe
PID 804 wrote to memory of 1780	804	0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe	cmd.exe
PID 1780 wrote to memory of 672	1780	cmd.exe	PING.EXE
PID 1780 wrote to memory of 672	1780	cmd.exe	PING.EXE
PID 1780 wrote to memory of 672	1780	cmd.exe	PING.EXE
PID 1780 wrote to memory of 672	1780	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe
"C:\Users\Admin\AppData\Local\Temp\0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0bfce0c49bc232490835d6a9359b951278bf968a794b0d46ac6e178d7eb3756e.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
6c035f82d9f2f90c2f718891926fccef

SHA1
0f52ee711741c32f857b591e273e7003f0f3a784

SHA256
f35a55d7785183af46a07b8f7b175276ed3d4407f4ed000a5ca602b59edd2427

SHA512
f36998f9479ad121b0f933aed2d1f7bc0efa0192457ecb53ec1c168459c3f500dd51918cbda455dea36059ae1ce4b76d497bf0d02e8f3cb02d3cbf92f5b3d7a5

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
6c035f82d9f2f90c2f718891926fccef

SHA1
0f52ee711741c32f857b591e273e7003f0f3a784

SHA256
f35a55d7785183af46a07b8f7b175276ed3d4407f4ed000a5ca602b59edd2427

SHA512
f36998f9479ad121b0f933aed2d1f7bc0efa0192457ecb53ec1c168459c3f500dd51918cbda455dea36059ae1ce4b76d497bf0d02e8f3cb02d3cbf92f5b3d7a5

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
6c035f82d9f2f90c2f718891926fccef

SHA1
0f52ee711741c32f857b591e273e7003f0f3a784

SHA256
f35a55d7785183af46a07b8f7b175276ed3d4407f4ed000a5ca602b59edd2427

SHA512
f36998f9479ad121b0f933aed2d1f7bc0efa0192457ecb53ec1c168459c3f500dd51918cbda455dea36059ae1ce4b76d497bf0d02e8f3cb02d3cbf92f5b3d7a5

Download Submit
memory/804-54-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads