sakula | 07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c

General

Target

07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe
Size

92KB
MD5

041751e064912a021e025e141e1ce1bd
SHA1

738a27708d6e6231980c73f61ac841b8d57fb438
SHA256

07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c
SHA512

2293e7516e2602e4a3a9da3adf4e86f3e74371fd06e0ee5796f041519859cd4f3bd0f16052914e433815da751dd97ebab6724596b240a3d24090aa77f9cccb0c

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

736 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

284 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe

pid process

1612 07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe

pid	process
736	MediaCenter.exe

pid	process
284	cmd.exe

pid	process
1612	07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1052 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe

description pid process

Token: SeIncBasePriorityPrivilege 1612 07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe

pid	process
1052	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1612	07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.execmd.exe

description	pid	process	target process
PID 1612 wrote to memory of 736	1612	07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe	MediaCenter.exe
PID 1612 wrote to memory of 736	1612	07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe	MediaCenter.exe
PID 1612 wrote to memory of 736	1612	07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe	MediaCenter.exe
PID 1612 wrote to memory of 736	1612	07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe	MediaCenter.exe
PID 1612 wrote to memory of 284	1612	07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe	cmd.exe
PID 1612 wrote to memory of 284	1612	07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe	cmd.exe
PID 1612 wrote to memory of 284	1612	07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe	cmd.exe
PID 1612 wrote to memory of 284	1612	07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe	cmd.exe
PID 284 wrote to memory of 1052	284	cmd.exe	PING.EXE
PID 284 wrote to memory of 1052	284	cmd.exe	PING.EXE
PID 284 wrote to memory of 1052	284	cmd.exe	PING.EXE
PID 284 wrote to memory of 1052	284	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe
"C:\Users\Admin\AppData\Local\Temp\07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07f4bd795b0ccea1c9f2e29b9460b5d93c66af11ceca3fd880580f656d4c690c.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:284

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
4788fb89bb8b7b1d7b8772cc2d3243dc

SHA1
517e218f3a3395d6b89e776b8bf6fc3a506820dd

SHA256
3fd9363931f317c7d38d2d20b15e63ccdca919331d2483c9b2b55fdc52b1abac

SHA512
f717a315d3e24335b0773c43bdf61335d9b85eb03d972485dbe1cd4d975b93a847e92f743034672e59051a688d3d4dc724e0f87bd7ea42bb6fb87d24a1e3248d

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
4788fb89bb8b7b1d7b8772cc2d3243dc

SHA1
517e218f3a3395d6b89e776b8bf6fc3a506820dd

SHA256
3fd9363931f317c7d38d2d20b15e63ccdca919331d2483c9b2b55fdc52b1abac

SHA512
f717a315d3e24335b0773c43bdf61335d9b85eb03d972485dbe1cd4d975b93a847e92f743034672e59051a688d3d4dc724e0f87bd7ea42bb6fb87d24a1e3248d

Download Submit
memory/1612-55-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads