sakula | 0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1

General

Target

0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe
Size

101KB
MD5

f54dff0b267641bbdfa6875095a59098
SHA1

bd0111a35630b4aa27de5ecf2f7d7f8d5132a25c
SHA256

0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1
SHA512

09b447dbd1f3564795d08312532fde482eb8a2b5b951fe17901dd0e9e228bb53300e3beffb69906f013d52fc7eb3ede439e3a79c54d405e1366eb2abdf0d4ec9

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

368 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1056 cmd.exe

pid	process
368	MediaCenter.exe

pid	process
1056	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe

pid	process
1824	0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe
1824	0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1820 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe

description pid process

Token: SeIncBasePriorityPrivilege 1824 0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe

pid	process
1820	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1824	0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.execmd.exe

description	pid	process	target process
PID 1824 wrote to memory of 368	1824	0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe	MediaCenter.exe
PID 1824 wrote to memory of 368	1824	0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe	MediaCenter.exe
PID 1824 wrote to memory of 368	1824	0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe	MediaCenter.exe
PID 1824 wrote to memory of 368	1824	0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe	MediaCenter.exe
PID 1824 wrote to memory of 1056	1824	0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe	cmd.exe
PID 1824 wrote to memory of 1056	1824	0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe	cmd.exe
PID 1824 wrote to memory of 1056	1824	0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe	cmd.exe
PID 1824 wrote to memory of 1056	1824	0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe	cmd.exe
PID 1056 wrote to memory of 1820	1056	cmd.exe	PING.EXE
PID 1056 wrote to memory of 1820	1056	cmd.exe	PING.EXE
PID 1056 wrote to memory of 1820	1056	cmd.exe	PING.EXE
PID 1056 wrote to memory of 1820	1056	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe
"C:\Users\Admin\AppData\Local\Temp\0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:368

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0a01b97d1eef9c4e6ee069b0960189626eab417f013524d58d268dd13d5614e1.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
dd2c4e96de219b7fa03fac7bf7517e80

SHA1
6844020a87b3bb57756c53e664b71ba96b748d41

SHA256
7af82f1ed7d1f5db79388a6aaecf78ac5d06ac1ee5f8d763a8e52a1021895785

SHA512
d8509d3568c738496f61f1d7bde4380f92063f2f8efd27f013f4895cd3adcb1254293d4f65cbb0b48351b2450f050fe303007750b61fd152eaa796eca7a9a30e

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
dd2c4e96de219b7fa03fac7bf7517e80

SHA1
6844020a87b3bb57756c53e664b71ba96b748d41

SHA256
7af82f1ed7d1f5db79388a6aaecf78ac5d06ac1ee5f8d763a8e52a1021895785

SHA512
d8509d3568c738496f61f1d7bde4380f92063f2f8efd27f013f4895cd3adcb1254293d4f65cbb0b48351b2450f050fe303007750b61fd152eaa796eca7a9a30e

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
dd2c4e96de219b7fa03fac7bf7517e80

SHA1
6844020a87b3bb57756c53e664b71ba96b748d41

SHA256
7af82f1ed7d1f5db79388a6aaecf78ac5d06ac1ee5f8d763a8e52a1021895785

SHA512
d8509d3568c738496f61f1d7bde4380f92063f2f8efd27f013f4895cd3adcb1254293d4f65cbb0b48351b2450f050fe303007750b61fd152eaa796eca7a9a30e

Download Submit
memory/1824-55-0x0000000075421000-0x0000000075423000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads