sakula | 0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf

General

Target

0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe
Size

36KB
MD5

df5e61ebcc07a243702efe6260c7b881
SHA1

78f7a059e79d4fee43a6edd301ad93cd8586200a
SHA256

0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf
SHA512

26dcbc6ff5c6e8e0d0e62c9e7b6c1c9585a2d958567a48f851e4f28139d5892df9b892a9c9a2225d6a390c8f42311f623b96240559bad196fc3a6b65e1db9237

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1180 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1316 cmd.exe

pid	process
1180	MediaCenter.exe

pid	process
1316	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe

pid	process
800	0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe
800	0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1220 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe

description pid process

Token: SeIncBasePriorityPrivilege 800 0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe

pid	process
1220	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	800	0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.execmd.exe

description	pid	process	target process
PID 800 wrote to memory of 1180	800	0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe	MediaCenter.exe
PID 800 wrote to memory of 1180	800	0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe	MediaCenter.exe
PID 800 wrote to memory of 1180	800	0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe	MediaCenter.exe
PID 800 wrote to memory of 1180	800	0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe	MediaCenter.exe
PID 800 wrote to memory of 1316	800	0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe	cmd.exe
PID 800 wrote to memory of 1316	800	0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe	cmd.exe
PID 800 wrote to memory of 1316	800	0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe	cmd.exe
PID 800 wrote to memory of 1316	800	0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe	cmd.exe
PID 1316 wrote to memory of 1220	1316	cmd.exe	PING.EXE
PID 1316 wrote to memory of 1220	1316	cmd.exe	PING.EXE
PID 1316 wrote to memory of 1220	1316	cmd.exe	PING.EXE
PID 1316 wrote to memory of 1220	1316	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe
"C:\Users\Admin\AppData\Local\Temp\0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:800

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1180

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0af826337a8565cd2f5751e591656d586adaa4df703b6759490f0e86556340bf.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
0f71ed89031fb98fa92575ba54653d5c

SHA1
c2131e57804f77859a9e66599e7d2f287d40af64

SHA256
8bae5cdd71fd63fc54c1e28d5f5fc15daae826cb7584bdd71a3495ab51d54243

SHA512
c2658044584dbec681d3697d5834a1a323cee5bf24bfd3af164fb99d3396c580bf97f9b01fa5d8f389a9fde272003a7078b35b8a4241078e2182565f5e02cdc2

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
0f71ed89031fb98fa92575ba54653d5c

SHA1
c2131e57804f77859a9e66599e7d2f287d40af64

SHA256
8bae5cdd71fd63fc54c1e28d5f5fc15daae826cb7584bdd71a3495ab51d54243

SHA512
c2658044584dbec681d3697d5834a1a323cee5bf24bfd3af164fb99d3396c580bf97f9b01fa5d8f389a9fde272003a7078b35b8a4241078e2182565f5e02cdc2

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
0f71ed89031fb98fa92575ba54653d5c

SHA1
c2131e57804f77859a9e66599e7d2f287d40af64

SHA256
8bae5cdd71fd63fc54c1e28d5f5fc15daae826cb7584bdd71a3495ab51d54243

SHA512
c2658044584dbec681d3697d5834a1a323cee5bf24bfd3af164fb99d3396c580bf97f9b01fa5d8f389a9fde272003a7078b35b8a4241078e2182565f5e02cdc2

Download Submit
memory/800-0-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads