sakula | 0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196

General

Target

0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe
Size

35KB
MD5

a379f535ff71e6f1c933873565c795a8
SHA1

5364ce112f61d89f73b7dfac89e052e87a2444ea
SHA256

0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196
SHA512

72423ba9f939a3f840e2f16660ace0ceb855394d7c1e1e28eb307f186c8dcdcf88a67e5563fd5b59d3d3de0aba73f4cea07eeff18c4802309c896f601a1bdb43

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

948 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

928 cmd.exe

pid	process
948	MediaCenter.exe

pid	process
928	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe

pid	process
1768	0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe
1768	0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1696 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe

description pid process

Token: SeIncBasePriorityPrivilege 1768 0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe

pid	process
1696	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1768	0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.execmd.exe

description	pid	process	target process
PID 1768 wrote to memory of 948	1768	0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe	MediaCenter.exe
PID 1768 wrote to memory of 948	1768	0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe	MediaCenter.exe
PID 1768 wrote to memory of 948	1768	0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe	MediaCenter.exe
PID 1768 wrote to memory of 948	1768	0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe	MediaCenter.exe
PID 1768 wrote to memory of 928	1768	0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe	cmd.exe
PID 1768 wrote to memory of 928	1768	0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe	cmd.exe
PID 1768 wrote to memory of 928	1768	0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe	cmd.exe
PID 1768 wrote to memory of 928	1768	0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe	cmd.exe
PID 928 wrote to memory of 1696	928	cmd.exe	PING.EXE
PID 928 wrote to memory of 1696	928	cmd.exe	PING.EXE
PID 928 wrote to memory of 1696	928	cmd.exe	PING.EXE
PID 928 wrote to memory of 1696	928	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe
"C:\Users\Admin\AppData\Local\Temp\0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a7dbd67442b12068179dcb2ea2a48aea77750c5df2134e9246a90e6c925e196.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
af43df41b7e859abcaab8ba10c1df00a

SHA1
f8525ea48b94ba20d5ab4d861eb5a7f4baf1c920

SHA256
646021cc29e1cd1a850c393470154475cce4e9a37e3e01a742672d948c4cb502

SHA512
f04e30a05937d74b7d5ef7e780a837ab683d38d3650055210b94dcb21a3bd520a055ca29f4c70fa0d7f980eb3a5ecc5b162199c50a8d1e278e6ec070678bbf28

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
af43df41b7e859abcaab8ba10c1df00a

SHA1
f8525ea48b94ba20d5ab4d861eb5a7f4baf1c920

SHA256
646021cc29e1cd1a850c393470154475cce4e9a37e3e01a742672d948c4cb502

SHA512
f04e30a05937d74b7d5ef7e780a837ab683d38d3650055210b94dcb21a3bd520a055ca29f4c70fa0d7f980eb3a5ecc5b162199c50a8d1e278e6ec070678bbf28

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
af43df41b7e859abcaab8ba10c1df00a

SHA1
f8525ea48b94ba20d5ab4d861eb5a7f4baf1c920

SHA256
646021cc29e1cd1a850c393470154475cce4e9a37e3e01a742672d948c4cb502

SHA512
f04e30a05937d74b7d5ef7e780a837ab683d38d3650055210b94dcb21a3bd520a055ca29f4c70fa0d7f980eb3a5ecc5b162199c50a8d1e278e6ec070678bbf28

Download Submit
memory/1768-55-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads