sakula | 086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471

General

Target

086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe
Size

60KB
MD5

32ba6334e4d25b3810ec84d329b789a4
SHA1

8bda93f43005ac865708175757ab9eb67700937d
SHA256

086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471
SHA512

cfe6da311fbf6306f2798fd61214412bd2d387b387fef4a68c344c93d874bc8479743aa586c16f1c8576f17610224efe7ad66a4c791a87e558aad374187a24df

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1092 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

964 cmd.exe

pid	process
1092	MediaCenter.exe

pid	process
964	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe

pid	process
1624	086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe
1624	086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1824 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe

description pid process

Token: SeIncBasePriorityPrivilege 1624 086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe

pid	process
1824	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1624	086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.execmd.exe

description	pid	process	target process
PID 1624 wrote to memory of 1092	1624	086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe	MediaCenter.exe
PID 1624 wrote to memory of 1092	1624	086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe	MediaCenter.exe
PID 1624 wrote to memory of 1092	1624	086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe	MediaCenter.exe
PID 1624 wrote to memory of 1092	1624	086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe	MediaCenter.exe
PID 1624 wrote to memory of 964	1624	086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe	cmd.exe
PID 1624 wrote to memory of 964	1624	086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe	cmd.exe
PID 1624 wrote to memory of 964	1624	086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe	cmd.exe
PID 1624 wrote to memory of 964	1624	086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe	cmd.exe
PID 964 wrote to memory of 1824	964	cmd.exe	PING.EXE
PID 964 wrote to memory of 1824	964	cmd.exe	PING.EXE
PID 964 wrote to memory of 1824	964	cmd.exe	PING.EXE
PID 964 wrote to memory of 1824	964	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe
"C:\Users\Admin\AppData\Local\Temp\086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\086e6df44323c1f0c4c990d6ae3bad0b9f13e0eee2f644c5a587019e66812471.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
d6dc6747f3996fe1f2755a69e09ac59c

SHA1
452476e66f6bfb97b7f662e531e3037e18a6fa9a

SHA256
c95635ab55e329c6a24a0f0d45b7b54bba728c15f5a3d813b6b90cdd410c329e

SHA512
73c73da711c3de565cb78bb105412b0c74ec93d5e111570563c8de9f2e998f15d40c5bef29f424d4eb4c29b055b09b5c06f3cd63e1bf313459e737ac3b32e2f7

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
d6dc6747f3996fe1f2755a69e09ac59c

SHA1
452476e66f6bfb97b7f662e531e3037e18a6fa9a

SHA256
c95635ab55e329c6a24a0f0d45b7b54bba728c15f5a3d813b6b90cdd410c329e

SHA512
73c73da711c3de565cb78bb105412b0c74ec93d5e111570563c8de9f2e998f15d40c5bef29f424d4eb4c29b055b09b5c06f3cd63e1bf313459e737ac3b32e2f7

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
d6dc6747f3996fe1f2755a69e09ac59c

SHA1
452476e66f6bfb97b7f662e531e3037e18a6fa9a

SHA256
c95635ab55e329c6a24a0f0d45b7b54bba728c15f5a3d813b6b90cdd410c329e

SHA512
73c73da711c3de565cb78bb105412b0c74ec93d5e111570563c8de9f2e998f15d40c5bef29f424d4eb4c29b055b09b5c06f3cd63e1bf313459e737ac3b32e2f7

Download Submit
memory/1624-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads