sakula | 09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333

General

Target

09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe
Size

216KB
MD5

99c98e88b064f33c2014dfb6c136ca66
SHA1

4010616210d9a0c2965548ce1ca76fe5e6580265
SHA256

09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333
SHA512

c159ee34a0d3eb8e5f969cddcf1649d50970fd44f0930bc65bb6855626dbe03d1fe3857f3de755356e309998c7f5363ad30b33d4d521b0092c35a8c7b1de5fb0

Score

10^/10

sakula persistence rat suricata trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral1/memory/964-58-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula
behavioral1/memory/804-59-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

804 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

828 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe

pid process

964 09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe

pid	process
804	MediaCenter.exe

pid	process
828	cmd.exe

pid	process
964	09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1804 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe

description pid process

Token: SeIncBasePriorityPrivilege 964 09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe

pid	process
1804	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	964	09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.execmd.exe

description	pid	process	target process
PID 964 wrote to memory of 804	964	09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe	MediaCenter.exe
PID 964 wrote to memory of 804	964	09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe	MediaCenter.exe
PID 964 wrote to memory of 804	964	09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe	MediaCenter.exe
PID 964 wrote to memory of 804	964	09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe	MediaCenter.exe
PID 964 wrote to memory of 828	964	09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe	cmd.exe
PID 964 wrote to memory of 828	964	09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe	cmd.exe
PID 964 wrote to memory of 828	964	09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe	cmd.exe
PID 964 wrote to memory of 828	964	09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe	cmd.exe
PID 828 wrote to memory of 1804	828	cmd.exe	PING.EXE
PID 828 wrote to memory of 1804	828	cmd.exe	PING.EXE
PID 828 wrote to memory of 1804	828	cmd.exe	PING.EXE
PID 828 wrote to memory of 1804	828	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe
"C:\Users\Admin\AppData\Local\Temp\09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09e5b79d2c0bd54d55c9b53779c817b0479d811eef512d2b8efb8d3cb6d88333.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
5e0343e205b87a0727928fc3792be536

SHA1
545b4290b7d978b0a9a2aac364c9c8fa6bdfcbb4

SHA256
19151fc9771dca91fbcb6a5769acfef61371d2fe8d7312f62bc4f7fa21b1f147

SHA512
5fb56bc4dec947cb18258f80e7b8dae6731cf10938ff75893c3da5396d6e944732651b72e8e640c424d9f3b51a4cdfac99e325264f69d23a0a8a95114d4b9255

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
5e0343e205b87a0727928fc3792be536

SHA1
545b4290b7d978b0a9a2aac364c9c8fa6bdfcbb4

SHA256
19151fc9771dca91fbcb6a5769acfef61371d2fe8d7312f62bc4f7fa21b1f147

SHA512
5fb56bc4dec947cb18258f80e7b8dae6731cf10938ff75893c3da5396d6e944732651b72e8e640c424d9f3b51a4cdfac99e325264f69d23a0a8a95114d4b9255

Download Submit
memory/804-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/964-54-0x0000000075341000-0x0000000075343000-memory.dmp

Filesize
8KB

Download
memory/964-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads