sakula | 0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871

General

Target

0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe
Size

58KB
MD5

cbccf3ae80d0b397ff0c9d0083ccad68
SHA1

528f885ff4dbaebeb0de0ad9763585dce4a5657d
SHA256

0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871
SHA512

42d4e5dc4a6f53cabe1800deb470a04f211ee6174a3cf833063acb74b9c58b3f31d4510c4c3c6b0101c2cd78befcd604ded7e9d743d35d43f799bf8e5a89791b

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1632 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

788 cmd.exe

pid	process
1632	MediaCenter.exe

pid	process
788	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe

pid	process
1628	0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe
1628	0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1948 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe

description pid process

Token: SeIncBasePriorityPrivilege 1628 0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe

pid	process
1948	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1628	0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.execmd.exe

description	pid	process	target process
PID 1628 wrote to memory of 1632	1628	0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe	MediaCenter.exe
PID 1628 wrote to memory of 1632	1628	0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe	MediaCenter.exe
PID 1628 wrote to memory of 1632	1628	0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe	MediaCenter.exe
PID 1628 wrote to memory of 1632	1628	0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe	MediaCenter.exe
PID 1628 wrote to memory of 788	1628	0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe	cmd.exe
PID 1628 wrote to memory of 788	1628	0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe	cmd.exe
PID 1628 wrote to memory of 788	1628	0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe	cmd.exe
PID 1628 wrote to memory of 788	1628	0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe	cmd.exe
PID 788 wrote to memory of 1948	788	cmd.exe	PING.EXE
PID 788 wrote to memory of 1948	788	cmd.exe	PING.EXE
PID 788 wrote to memory of 1948	788	cmd.exe	PING.EXE
PID 788 wrote to memory of 1948	788	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe
"C:\Users\Admin\AppData\Local\Temp\0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0999af8658a0e9e9d615aaef147dbc3ba7fbcfa5bb04b68b7cb7b09324e2a871.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
7ff72ad785d5fc47afd1970795d9554f

SHA1
6c0a97a4bb71f646a5e6557c336678f73071e15c

SHA256
84534b84638650952f2f43b261102f2120af201d9ba489b525b8ed5786e20ac4

SHA512
7004a7ba1e7551988c1068656450dde9dc10f4483c25af633132fe2a8447a56970e214ff9fafee618e97c33abd7ee06a38eb19b76379563a3bd91d267adf7697

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
7ff72ad785d5fc47afd1970795d9554f

SHA1
6c0a97a4bb71f646a5e6557c336678f73071e15c

SHA256
84534b84638650952f2f43b261102f2120af201d9ba489b525b8ed5786e20ac4

SHA512
7004a7ba1e7551988c1068656450dde9dc10f4483c25af633132fe2a8447a56970e214ff9fafee618e97c33abd7ee06a38eb19b76379563a3bd91d267adf7697

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
7ff72ad785d5fc47afd1970795d9554f

SHA1
6c0a97a4bb71f646a5e6557c336678f73071e15c

SHA256
84534b84638650952f2f43b261102f2120af201d9ba489b525b8ed5786e20ac4

SHA512
7004a7ba1e7551988c1068656450dde9dc10f4483c25af633132fe2a8447a56970e214ff9fafee618e97c33abd7ee06a38eb19b76379563a3bd91d267adf7697

Download Submit
memory/1628-55-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads