sakula | 0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8

General

Target

0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe
Size

150KB
MD5

f5eac658cebe544c926a47ac19dc940b
SHA1

625f191f4eee11ce4e66170248ef198d2f05041f
SHA256

0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8
SHA512

e707f199a405e846b6cf0c698268383587baabde3b2b078bd96dd554399c5ce34e38ed49fc0b38a99f04ec89ff707db55a2e6bbe58beb6ab967180a54d174ed5

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1512 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1064 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe

pid process

1584 0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe

pid	process
1512	MediaCenter.exe

pid	process
1064	cmd.exe

pid	process
1584	0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1200 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe

description pid process

Token: SeIncBasePriorityPrivilege 1584 0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe

pid	process
1200	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1584	0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.execmd.exe

description	pid	process	target process
PID 1584 wrote to memory of 1512	1584	0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe	MediaCenter.exe
PID 1584 wrote to memory of 1512	1584	0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe	MediaCenter.exe
PID 1584 wrote to memory of 1512	1584	0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe	MediaCenter.exe
PID 1584 wrote to memory of 1512	1584	0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe	MediaCenter.exe
PID 1584 wrote to memory of 1064	1584	0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe	cmd.exe
PID 1584 wrote to memory of 1064	1584	0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe	cmd.exe
PID 1584 wrote to memory of 1064	1584	0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe	cmd.exe
PID 1584 wrote to memory of 1064	1584	0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe	cmd.exe
PID 1064 wrote to memory of 1200	1064	cmd.exe	PING.EXE
PID 1064 wrote to memory of 1200	1064	cmd.exe	PING.EXE
PID 1064 wrote to memory of 1200	1064	cmd.exe	PING.EXE
PID 1064 wrote to memory of 1200	1064	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe
"C:\Users\Admin\AppData\Local\Temp\0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a89671067c808a9b32bc1cf488ac2e7c1464a7bf085476a4351e94c952184b8.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
89cf5ddb304dd3b51f815684b1af2606

SHA1
282799d386f8d681fbd01954599dd3334c9ec8ab

SHA256
0b9c91ec49af0f84912e8b66bc7ffea7e0fd66df100a3d17ec80129a8b8563e7

SHA512
6151ab1e3a7c76c31fa6db9d55de08a9c58b981dd3fb68d039c0f59eb39b1df9a2d894731094981a01d6f4e8bc42282a8d9f409317a8b4a090c820453c4266c3

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
89cf5ddb304dd3b51f815684b1af2606

SHA1
282799d386f8d681fbd01954599dd3334c9ec8ab

SHA256
0b9c91ec49af0f84912e8b66bc7ffea7e0fd66df100a3d17ec80129a8b8563e7

SHA512
6151ab1e3a7c76c31fa6db9d55de08a9c58b981dd3fb68d039c0f59eb39b1df9a2d894731094981a01d6f4e8bc42282a8d9f409317a8b4a090c820453c4266c3

Download Submit
memory/1584-55-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads