sakula | 0bf99eaacbdea93e17ea8f81ddf16b7c5272a3e8edf1c9c2e1dae0a48b2c3486

General

Target

0bf99eaacbdea93e17ea8f81ddf16b7c5272a3e8edf1c9c2e1dae0a48b2c3486.exe
Size

150KB
MD5

18f97ff9d75fb30cef696669b83d0feb
SHA1

b8390b59155106eb75346ef4f982c366eb64e5ca
SHA256

0bf99eaacbdea93e17ea8f81ddf16b7c5272a3e8edf1c9c2e1dae0a48b2c3486
SHA512

bf4c1e9719c2383e652905488caac25d1abfcaddf33c82e28ee74143913e72d208f2644617889300a644612e7a2cf4394f87fe3f6f94a6e93d3d6f44b7fe8bd9

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

508 MediaCenter.exe

pid	process
508	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0bf99eaacbdea93e17ea8f81ddf16b7c5272a3e8edf1c9c2e1dae0a48b2c3486.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	0bf99eaacbdea93e17ea8f81ddf16b7c5272a3e8edf1c9c2e1dae0a48b2c3486.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0bf99eaacbdea93e17ea8f81ddf16b7c5272a3e8edf1c9c2e1dae0a48b2c3486.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0bf99eaacbdea93e17ea8f81ddf16b7c5272a3e8edf1c9c2e1dae0a48b2c3486.exe

Drops file in Windows directory 3 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies data under HKEY_USERS 49 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4312"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "12.336812"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4088"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132893030887284754"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.672648"	svchost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3804 PING.EXE

pid	process
3804	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

0bf99eaacbdea93e17ea8f81ddf16b7c5272a3e8edf1c9c2e1dae0a48b2c3486.exeTiWorker.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1520	0bf99eaacbdea93e17ea8f81ddf16b7c5272a3e8edf1c9c2e1dae0a48b2c3486.exe
Token: SeSecurityPrivilege	4060	TiWorker.exe
Token: SeRestorePrivilege	4060	TiWorker.exe
Token: SeBackupPrivilege	4060	TiWorker.exe
Token: SeBackupPrivilege	4060	TiWorker.exe
Token: SeRestorePrivilege	4060	TiWorker.exe
Token: SeSecurityPrivilege	4060	TiWorker.exe
Token: SeBackupPrivilege	4060	TiWorker.exe
Token: SeRestorePrivilege	4060	TiWorker.exe
Token: SeSecurityPrivilege	4060	TiWorker.exe
Token: SeBackupPrivilege	4060	TiWorker.exe
Token: SeRestorePrivilege	4060	TiWorker.exe
Token: SeSecurityPrivilege	4060	TiWorker.exe
Token: SeBackupPrivilege	4060	TiWorker.exe
Token: SeRestorePrivilege	4060	TiWorker.exe
Token: SeSecurityPrivilege	4060	TiWorker.exe
Token: SeBackupPrivilege	4060	TiWorker.exe
Token: SeRestorePrivilege	4060	TiWorker.exe
Token: SeSecurityPrivilege	4060	TiWorker.exe
Token: SeBackupPrivilege	4060	TiWorker.exe
Token: SeRestorePrivilege	4060	TiWorker.exe
Token: SeSecurityPrivilege	4060	TiWorker.exe
Token: SeBackupPrivilege	4060	TiWorker.exe
Token: SeRestorePrivilege	4060	TiWorker.exe
Token: SeSecurityPrivilege	4060	TiWorker.exe
Token: SeBackupPrivilege	4060	TiWorker.exe
Token: SeRestorePrivilege	4060	TiWorker.exe
Token: SeSecurityPrivilege	4060	TiWorker.exe
Token: SeBackupPrivilege	4060	TiWorker.exe
Token: SeRestorePrivilege	4060	TiWorker.exe
Token: SeSecurityPrivilege	4060	TiWorker.exe
Token: SeBackupPrivilege	4060	TiWorker.exe
Token: SeRestorePrivilege	4060	TiWorker.exe
Token: SeSecurityPrivilege	4060	TiWorker.exe
Token: SeBackupPrivilege	4060	TiWorker.exe
Token: SeRestorePrivilege	4060	TiWorker.exe
Token: SeSecurityPrivilege	4060	TiWorker.exe
Token: SeBackupPrivilege	4060	TiWorker.exe
Token: SeRestorePrivilege	4060	TiWorker.exe
Token: SeSecurityPrivilege	4060	TiWorker.exe
Token: SeBackupPrivilege	4060	TiWorker.exe
Token: SeRestorePrivilege	4060	TiWorker.exe
Token: SeSecurityPrivilege	4060	TiWorker.exe
Token: SeBackupPrivilege	4060	TiWorker.exe
Token: SeRestorePrivilege	4060	TiWorker.exe
Token: SeSecurityPrivilege	4060	TiWorker.exe
Token: SeBackupPrivilege	4060	TiWorker.exe
Token: SeRestorePrivilege	4060	TiWorker.exe
Token: SeSecurityPrivilege	4060	TiWorker.exe
Token: SeBackupPrivilege	4060	TiWorker.exe
Token: SeRestorePrivilege	4060	TiWorker.exe
Token: SeSecurityPrivilege	4060	TiWorker.exe
Token: SeBackupPrivilege	4060	TiWorker.exe
Token: SeRestorePrivilege	4060	TiWorker.exe
Token: SeSecurityPrivilege	4060	TiWorker.exe
Token: SeBackupPrivilege	4060	TiWorker.exe
Token: SeRestorePrivilege	4060	TiWorker.exe
Token: SeSecurityPrivilege	4060	TiWorker.exe
Token: SeBackupPrivilege	4060	TiWorker.exe
Token: SeRestorePrivilege	4060	TiWorker.exe
Token: SeSecurityPrivilege	4060	TiWorker.exe
Token: SeBackupPrivilege	4060	TiWorker.exe
Token: SeRestorePrivilege	4060	TiWorker.exe
Token: SeSecurityPrivilege	4060	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0bf99eaacbdea93e17ea8f81ddf16b7c5272a3e8edf1c9c2e1dae0a48b2c3486.execmd.exe

description	pid	process	target process
PID 1520 wrote to memory of 508	1520	0bf99eaacbdea93e17ea8f81ddf16b7c5272a3e8edf1c9c2e1dae0a48b2c3486.exe	MediaCenter.exe
PID 1520 wrote to memory of 508	1520	0bf99eaacbdea93e17ea8f81ddf16b7c5272a3e8edf1c9c2e1dae0a48b2c3486.exe	MediaCenter.exe
PID 1520 wrote to memory of 508	1520	0bf99eaacbdea93e17ea8f81ddf16b7c5272a3e8edf1c9c2e1dae0a48b2c3486.exe	MediaCenter.exe
PID 1520 wrote to memory of 3812	1520	0bf99eaacbdea93e17ea8f81ddf16b7c5272a3e8edf1c9c2e1dae0a48b2c3486.exe	cmd.exe
PID 1520 wrote to memory of 3812	1520	0bf99eaacbdea93e17ea8f81ddf16b7c5272a3e8edf1c9c2e1dae0a48b2c3486.exe	cmd.exe
PID 1520 wrote to memory of 3812	1520	0bf99eaacbdea93e17ea8f81ddf16b7c5272a3e8edf1c9c2e1dae0a48b2c3486.exe	cmd.exe
PID 3812 wrote to memory of 3804	3812	cmd.exe	PING.EXE
PID 3812 wrote to memory of 3804	3812	cmd.exe	PING.EXE
PID 3812 wrote to memory of 3804	3812	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0bf99eaacbdea93e17ea8f81ddf16b7c5272a3e8edf1c9c2e1dae0a48b2c3486.exe
"C:\Users\Admin\AppData\Local\Temp\0bf99eaacbdea93e17ea8f81ddf16b7c5272a3e8edf1c9c2e1dae0a48b2c3486.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0bf99eaacbdea93e17ea8f81ddf16b7c5272a3e8edf1c9c2e1dae0a48b2c3486.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3812

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:3804

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:1988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3388

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
b28cb9a4e556e7cb9c3f841509a8a25d

SHA1
a7c2490c51ca5bff2aed9e27e67a3323e4849599

SHA256
537da844d28ecac325c597a33947c615233bcbd87cfa33c1a16e8f70785e4bfa

SHA512
f03830a01eda1ef4e755d160dd3e0f85ef4c7ce2275cebaad9770dcae4c1b48efd684408611b25699d9d681cde1b0deef2227bb2884e699c076783467e696cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
b28cb9a4e556e7cb9c3f841509a8a25d

SHA1
a7c2490c51ca5bff2aed9e27e67a3323e4849599

SHA256
537da844d28ecac325c597a33947c615233bcbd87cfa33c1a16e8f70785e4bfa

SHA512
f03830a01eda1ef4e755d160dd3e0f85ef4c7ce2275cebaad9770dcae4c1b48efd684408611b25699d9d681cde1b0deef2227bb2884e699c076783467e696cd2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads