sakula | 09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2

General

Target

09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe
Size

58KB
MD5

3ba33244da4de771baca5d80dba84477
SHA1

9bedc1c8f3c2571a12973f9cbb26a8ef67abf305
SHA256

09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2
SHA512

9ba00480e4d087a5934857a7dd4c1832e54a496159da8071a8f8011bbc3e8378853d689a51c2afba24193d01f4e0e376d6249391983c97fc9b0f55b158cf65b4

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1620 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1448 cmd.exe

pid	process
1620	MediaCenter.exe

pid	process
1448	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe

pid	process
960	09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe
960	09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1844 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe

description pid process

Token: SeIncBasePriorityPrivilege 960 09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe

pid	process
1844	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	960	09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.execmd.exe

description	pid	process	target process
PID 960 wrote to memory of 1620	960	09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe	MediaCenter.exe
PID 960 wrote to memory of 1620	960	09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe	MediaCenter.exe
PID 960 wrote to memory of 1620	960	09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe	MediaCenter.exe
PID 960 wrote to memory of 1620	960	09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe	MediaCenter.exe
PID 960 wrote to memory of 1448	960	09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe	cmd.exe
PID 960 wrote to memory of 1448	960	09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe	cmd.exe
PID 960 wrote to memory of 1448	960	09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe	cmd.exe
PID 960 wrote to memory of 1448	960	09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe	cmd.exe
PID 1448 wrote to memory of 1844	1448	cmd.exe	PING.EXE
PID 1448 wrote to memory of 1844	1448	cmd.exe	PING.EXE
PID 1448 wrote to memory of 1844	1448	cmd.exe	PING.EXE
PID 1448 wrote to memory of 1844	1448	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe
"C:\Users\Admin\AppData\Local\Temp\09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09d09e19643d6db885136ad9cf67fe5f46ae9e0e4aeb0759abdcff8a033bc7b2.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
cce446f9cc2fc85327c301ce21cc0360

SHA1
b44ea0a37a2fc9d43e2590b8f63576bc3662cc1e

SHA256
c6e1484582d6a88b53c3fd60ab3c96589fbcd2cc8e81c2535fdab5dd699c413e

SHA512
4e3c71684080b19d0da66364d2e489cd5e5bcb3d314b8a3fff6d9e0e86ad61fc0cf30ae6de60119a2990f04e30608e2f6aa47d7fd8dd584588fe6e1027fd7b8e

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
cce446f9cc2fc85327c301ce21cc0360

SHA1
b44ea0a37a2fc9d43e2590b8f63576bc3662cc1e

SHA256
c6e1484582d6a88b53c3fd60ab3c96589fbcd2cc8e81c2535fdab5dd699c413e

SHA512
4e3c71684080b19d0da66364d2e489cd5e5bcb3d314b8a3fff6d9e0e86ad61fc0cf30ae6de60119a2990f04e30608e2f6aa47d7fd8dd584588fe6e1027fd7b8e

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
cce446f9cc2fc85327c301ce21cc0360

SHA1
b44ea0a37a2fc9d43e2590b8f63576bc3662cc1e

SHA256
c6e1484582d6a88b53c3fd60ab3c96589fbcd2cc8e81c2535fdab5dd699c413e

SHA512
4e3c71684080b19d0da66364d2e489cd5e5bcb3d314b8a3fff6d9e0e86ad61fc0cf30ae6de60119a2990f04e30608e2f6aa47d7fd8dd584588fe6e1027fd7b8e

Download Submit
memory/960-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads