sakula | 0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef

General

Target

0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe
Size

89KB
MD5

0e28f089c4b3a35f557b2451c7dfa51f
SHA1

ecd8b322635e4f05408085d7f987d1342c97f39a
SHA256

0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef
SHA512

deaea20b44d9be8f6d998691d686a5a885c728acfa2948b08599e3a31dcf24aab0ae14c093de5f8078bc6a27cce9f1bc91b25faec6f077061989f0b75758b5ef

Score

10^/10

sakula persistence rat suricata trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

452 MediaCenter.exe

pid	process
452	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe

Drops file in Windows directory 3 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 49 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132893049196653256"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.493272"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4200"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4080"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.442370"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1904 PING.EXE

pid	process
1904	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

TiWorker.exe0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe

description	pid	process
Token: SeSecurityPrivilege	3580	TiWorker.exe
Token: SeRestorePrivilege	3580	TiWorker.exe
Token: SeBackupPrivilege	3580	TiWorker.exe
Token: SeBackupPrivilege	3580	TiWorker.exe
Token: SeRestorePrivilege	3580	TiWorker.exe
Token: SeSecurityPrivilege	3580	TiWorker.exe
Token: SeBackupPrivilege	3580	TiWorker.exe
Token: SeRestorePrivilege	3580	TiWorker.exe
Token: SeSecurityPrivilege	3580	TiWorker.exe
Token: SeBackupPrivilege	3580	TiWorker.exe
Token: SeRestorePrivilege	3580	TiWorker.exe
Token: SeSecurityPrivilege	3580	TiWorker.exe
Token: SeBackupPrivilege	3580	TiWorker.exe
Token: SeRestorePrivilege	3580	TiWorker.exe
Token: SeSecurityPrivilege	3580	TiWorker.exe
Token: SeBackupPrivilege	3580	TiWorker.exe
Token: SeRestorePrivilege	3580	TiWorker.exe
Token: SeSecurityPrivilege	3580	TiWorker.exe
Token: SeBackupPrivilege	3580	TiWorker.exe
Token: SeRestorePrivilege	3580	TiWorker.exe
Token: SeSecurityPrivilege	3580	TiWorker.exe
Token: SeBackupPrivilege	3580	TiWorker.exe
Token: SeRestorePrivilege	3580	TiWorker.exe
Token: SeSecurityPrivilege	3580	TiWorker.exe
Token: SeBackupPrivilege	3580	TiWorker.exe
Token: SeRestorePrivilege	3580	TiWorker.exe
Token: SeSecurityPrivilege	3580	TiWorker.exe
Token: SeBackupPrivilege	3580	TiWorker.exe
Token: SeRestorePrivilege	3580	TiWorker.exe
Token: SeSecurityPrivilege	3580	TiWorker.exe
Token: SeBackupPrivilege	3580	TiWorker.exe
Token: SeRestorePrivilege	3580	TiWorker.exe
Token: SeSecurityPrivilege	3580	TiWorker.exe
Token: SeIncBasePriorityPrivilege	3640	0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe
Token: SeBackupPrivilege	3580	TiWorker.exe
Token: SeRestorePrivilege	3580	TiWorker.exe
Token: SeSecurityPrivilege	3580	TiWorker.exe
Token: SeBackupPrivilege	3580	TiWorker.exe
Token: SeRestorePrivilege	3580	TiWorker.exe
Token: SeSecurityPrivilege	3580	TiWorker.exe
Token: SeBackupPrivilege	3580	TiWorker.exe
Token: SeRestorePrivilege	3580	TiWorker.exe
Token: SeSecurityPrivilege	3580	TiWorker.exe
Token: SeBackupPrivilege	3580	TiWorker.exe
Token: SeRestorePrivilege	3580	TiWorker.exe
Token: SeSecurityPrivilege	3580	TiWorker.exe
Token: SeBackupPrivilege	3580	TiWorker.exe
Token: SeRestorePrivilege	3580	TiWorker.exe
Token: SeSecurityPrivilege	3580	TiWorker.exe
Token: SeBackupPrivilege	3580	TiWorker.exe
Token: SeRestorePrivilege	3580	TiWorker.exe
Token: SeSecurityPrivilege	3580	TiWorker.exe
Token: SeBackupPrivilege	3580	TiWorker.exe
Token: SeRestorePrivilege	3580	TiWorker.exe
Token: SeSecurityPrivilege	3580	TiWorker.exe
Token: SeBackupPrivilege	3580	TiWorker.exe
Token: SeRestorePrivilege	3580	TiWorker.exe
Token: SeSecurityPrivilege	3580	TiWorker.exe
Token: SeBackupPrivilege	3580	TiWorker.exe
Token: SeRestorePrivilege	3580	TiWorker.exe
Token: SeSecurityPrivilege	3580	TiWorker.exe
Token: SeBackupPrivilege	3580	TiWorker.exe
Token: SeRestorePrivilege	3580	TiWorker.exe
Token: SeSecurityPrivilege	3580	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.execmd.exe

description	pid	process	target process
PID 3640 wrote to memory of 452	3640	0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe	MediaCenter.exe
PID 3640 wrote to memory of 452	3640	0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe	MediaCenter.exe
PID 3640 wrote to memory of 452	3640	0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe	MediaCenter.exe
PID 3640 wrote to memory of 1828	3640	0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe	cmd.exe
PID 3640 wrote to memory of 1828	3640	0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe	cmd.exe
PID 3640 wrote to memory of 1828	3640	0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe	cmd.exe
PID 1828 wrote to memory of 1904	1828	cmd.exe	PING.EXE
PID 1828 wrote to memory of 1904	1828	cmd.exe	PING.EXE
PID 1828 wrote to memory of 1904	1828	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe
"C:\Users\Admin\AppData\Local\Temp\0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3640

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0ae8ebf489320c31495d36d0bb5c22ae27a175aeb1e7619e677e682f288f2cef.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:516

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
8f51a6a4285edd13111e76227cccf059

SHA1
15b15591b741904d86176abdb79e16848df5943b

SHA256
bedd34b1d2d1809a5b0056790c58b7fe63e631f906271bb155b994068577fc9c

SHA512
44617abf435486be9975fd728759fe4d80251a79940e89059abaadbaeac04c2a60169c656783bd3eb517becf6ec14f8ef7c9c4f71b0bee2d36c46cc654002b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
8f51a6a4285edd13111e76227cccf059

SHA1
15b15591b741904d86176abdb79e16848df5943b

SHA256
bedd34b1d2d1809a5b0056790c58b7fe63e631f906271bb155b994068577fc9c

SHA512
44617abf435486be9975fd728759fe4d80251a79940e89059abaadbaeac04c2a60169c656783bd3eb517becf6ec14f8ef7c9c4f71b0bee2d36c46cc654002b8d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads