sakula | 0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc

General

Target

0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe
Size

58KB
MD5

f83736426c098b434998d717bb2ff9a1
SHA1

e71e33ffdc1887c3c4bf658d0fe5792b82dcda9c
SHA256

0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc
SHA512

9e1ffdb1b9bc1a09b82c2c265c0b2c538ad0c3687922a93dedb4f278384e60e4bf0641b18b61226006ee3aaa21098741515598998187abd1651897709342c816

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

4084 MediaCenter.exe

pid	process
4084	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1700 PING.EXE

pid	process
1700	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	4448	svchost.exe
Token: SeCreatePagefilePrivilege	4448	svchost.exe
Token: SeShutdownPrivilege	4448	svchost.exe
Token: SeCreatePagefilePrivilege	4448	svchost.exe
Token: SeShutdownPrivilege	4448	svchost.exe
Token: SeCreatePagefilePrivilege	4448	svchost.exe
Token: SeSecurityPrivilege	320	TiWorker.exe
Token: SeRestorePrivilege	320	TiWorker.exe
Token: SeBackupPrivilege	320	TiWorker.exe
Token: SeBackupPrivilege	320	TiWorker.exe
Token: SeRestorePrivilege	320	TiWorker.exe
Token: SeSecurityPrivilege	320	TiWorker.exe
Token: SeBackupPrivilege	320	TiWorker.exe
Token: SeRestorePrivilege	320	TiWorker.exe
Token: SeSecurityPrivilege	320	TiWorker.exe
Token: SeBackupPrivilege	320	TiWorker.exe
Token: SeRestorePrivilege	320	TiWorker.exe
Token: SeSecurityPrivilege	320	TiWorker.exe
Token: SeBackupPrivilege	320	TiWorker.exe
Token: SeRestorePrivilege	320	TiWorker.exe
Token: SeSecurityPrivilege	320	TiWorker.exe
Token: SeBackupPrivilege	320	TiWorker.exe
Token: SeRestorePrivilege	320	TiWorker.exe
Token: SeSecurityPrivilege	320	TiWorker.exe
Token: SeBackupPrivilege	320	TiWorker.exe
Token: SeRestorePrivilege	320	TiWorker.exe
Token: SeSecurityPrivilege	320	TiWorker.exe
Token: SeBackupPrivilege	320	TiWorker.exe
Token: SeRestorePrivilege	320	TiWorker.exe
Token: SeSecurityPrivilege	320	TiWorker.exe
Token: SeBackupPrivilege	320	TiWorker.exe
Token: SeRestorePrivilege	320	TiWorker.exe
Token: SeSecurityPrivilege	320	TiWorker.exe
Token: SeBackupPrivilege	320	TiWorker.exe
Token: SeRestorePrivilege	320	TiWorker.exe
Token: SeSecurityPrivilege	320	TiWorker.exe
Token: SeBackupPrivilege	320	TiWorker.exe
Token: SeRestorePrivilege	320	TiWorker.exe
Token: SeSecurityPrivilege	320	TiWorker.exe
Token: SeBackupPrivilege	320	TiWorker.exe
Token: SeRestorePrivilege	320	TiWorker.exe
Token: SeSecurityPrivilege	320	TiWorker.exe
Token: SeBackupPrivilege	320	TiWorker.exe
Token: SeRestorePrivilege	320	TiWorker.exe
Token: SeSecurityPrivilege	320	TiWorker.exe
Token: SeBackupPrivilege	320	TiWorker.exe
Token: SeRestorePrivilege	320	TiWorker.exe
Token: SeSecurityPrivilege	320	TiWorker.exe
Token: SeBackupPrivilege	320	TiWorker.exe
Token: SeRestorePrivilege	320	TiWorker.exe
Token: SeSecurityPrivilege	320	TiWorker.exe
Token: SeBackupPrivilege	320	TiWorker.exe
Token: SeRestorePrivilege	320	TiWorker.exe
Token: SeSecurityPrivilege	320	TiWorker.exe
Token: SeBackupPrivilege	320	TiWorker.exe
Token: SeRestorePrivilege	320	TiWorker.exe
Token: SeSecurityPrivilege	320	TiWorker.exe
Token: SeBackupPrivilege	320	TiWorker.exe
Token: SeRestorePrivilege	320	TiWorker.exe
Token: SeSecurityPrivilege	320	TiWorker.exe
Token: SeBackupPrivilege	320	TiWorker.exe
Token: SeRestorePrivilege	320	TiWorker.exe
Token: SeSecurityPrivilege	320	TiWorker.exe
Token: SeBackupPrivilege	320	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.execmd.exe

description	pid	process	target process
PID 1264 wrote to memory of 4084	1264	0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe	MediaCenter.exe
PID 1264 wrote to memory of 4084	1264	0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe	MediaCenter.exe
PID 1264 wrote to memory of 4084	1264	0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe	MediaCenter.exe
PID 1264 wrote to memory of 4648	1264	0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe	cmd.exe
PID 1264 wrote to memory of 4648	1264	0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe	cmd.exe
PID 1264 wrote to memory of 4648	1264	0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe	cmd.exe
PID 4648 wrote to memory of 1700	4648	cmd.exe	PING.EXE
PID 4648 wrote to memory of 1700	4648	cmd.exe	PING.EXE
PID 4648 wrote to memory of 1700	4648	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe
"C:\Users\Admin\AppData\Local\Temp\0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:4084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0adcd8d9cdd371c76c8ba6ba5e9588640116391a5d5d61b96a49513ef8c18edc.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
40d3aa709dde6a7235125a689881b736

SHA1
cc8b87b790d425160edfd310f553daadc56675eb

SHA256
9cc8824b6cb2989e04e8d7fbf69de927a841048ba0437d69478ec4da2c6679da

SHA512
e12e6055a3edb93729215e3933a8352e4f793dc1d9b0fb38230d0ae56335805e25ba5c89e584d6e60f3b884542b07bf204d15674b24f777beda157f6556a8cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
40d3aa709dde6a7235125a689881b736

SHA1
cc8b87b790d425160edfd310f553daadc56675eb

SHA256
9cc8824b6cb2989e04e8d7fbf69de927a841048ba0437d69478ec4da2c6679da

SHA512
e12e6055a3edb93729215e3933a8352e4f793dc1d9b0fb38230d0ae56335805e25ba5c89e584d6e60f3b884542b07bf204d15674b24f777beda157f6556a8cdc

Download Submit
memory/4448-132-0x00000241A6790000-0x00000241A67A0000-memory.dmp

Filesize
64KB

Download
memory/4448-133-0x00000241A6E20000-0x00000241A6E30000-memory.dmp

Filesize
64KB

Download
memory/4448-134-0x00000241A9510000-0x00000241A9514000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads