sakula | 07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb

General

Target

07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe
Size

60KB
MD5

7c53376faeaa9f2b0e1ff98b5d6867e2
SHA1

dc7749eebbcd5943913436d5cab1d1afffae23ce
SHA256

07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb
SHA512

0a94f36e7a9df284eea67aa897e4944b682ad4e162a85ba36d4e6811f2c610398c6af63f1b4b8a97e24dcba7d1abcb2d867697404d91ee3de0c6bd7a9dc74ff2

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1676 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1624 cmd.exe

pid	process
1676	MediaCenter.exe

pid	process
1624	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe

pid	process
740	07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe
740	07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1268 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe

description pid process

Token: SeIncBasePriorityPrivilege 740 07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe

pid	process
1268	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	740	07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.execmd.exe

description	pid	process	target process
PID 740 wrote to memory of 1676	740	07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe	MediaCenter.exe
PID 740 wrote to memory of 1676	740	07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe	MediaCenter.exe
PID 740 wrote to memory of 1676	740	07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe	MediaCenter.exe
PID 740 wrote to memory of 1676	740	07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe	MediaCenter.exe
PID 740 wrote to memory of 1624	740	07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe	cmd.exe
PID 740 wrote to memory of 1624	740	07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe	cmd.exe
PID 740 wrote to memory of 1624	740	07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe	cmd.exe
PID 740 wrote to memory of 1624	740	07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe	cmd.exe
PID 1624 wrote to memory of 1268	1624	cmd.exe	PING.EXE
PID 1624 wrote to memory of 1268	1624	cmd.exe	PING.EXE
PID 1624 wrote to memory of 1268	1624	cmd.exe	PING.EXE
PID 1624 wrote to memory of 1268	1624	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe
"C:\Users\Admin\AppData\Local\Temp\07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07c888c27edeafc9b3fba98eb30620b81dcb3a904f178e2fcfa1a7881d93f5fb.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
063e84049214f468b26076fc20b2efe1

SHA1
2d3991a7c0674bb1b07885c709b5a5a1a852e07b

SHA256
beeaadd153139624931ce3ea6c50de0e14b8655b5a13a5949410905d36983f24

SHA512
07f6ad9a47bd31bd0de35b70b0162dd11bc6b8d1da92aecbce924a8a9c10db98da49e43541bec80373e3f3b327e006ebbe7c6b7285d60e40da4cd728be5973c1

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
063e84049214f468b26076fc20b2efe1

SHA1
2d3991a7c0674bb1b07885c709b5a5a1a852e07b

SHA256
beeaadd153139624931ce3ea6c50de0e14b8655b5a13a5949410905d36983f24

SHA512
07f6ad9a47bd31bd0de35b70b0162dd11bc6b8d1da92aecbce924a8a9c10db98da49e43541bec80373e3f3b327e006ebbe7c6b7285d60e40da4cd728be5973c1

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
063e84049214f468b26076fc20b2efe1

SHA1
2d3991a7c0674bb1b07885c709b5a5a1a852e07b

SHA256
beeaadd153139624931ce3ea6c50de0e14b8655b5a13a5949410905d36983f24

SHA512
07f6ad9a47bd31bd0de35b70b0162dd11bc6b8d1da92aecbce924a8a9c10db98da49e43541bec80373e3f3b327e006ebbe7c6b7285d60e40da4cd728be5973c1

Download Submit
memory/740-55-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads