sakula | 09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88

General

Target

09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe
Size

60KB
MD5

78fddc5dd46a5b4b4e3f7a129cb00b11
SHA1

f540a2c7d689532991222ddc2018e70853dd8fc1
SHA256

09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88
SHA512

0f46d028795b4cb4bdd4e9ed1c38f662af0d860652922a91510ea0ce3db7506f7c77bf8847780037268e2916ec8188532bf80ab8454fb5a04dfc140c338143b6

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1548 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1796 cmd.exe

pid	process
1548	MediaCenter.exe

pid	process
1796	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe

pid	process
1732	09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe
1732	09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1560 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe

description pid process

Token: SeIncBasePriorityPrivilege 1732 09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe

pid	process
1560	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1732	09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.execmd.exe

description	pid	process	target process
PID 1732 wrote to memory of 1548	1732	09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe	MediaCenter.exe
PID 1732 wrote to memory of 1548	1732	09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe	MediaCenter.exe
PID 1732 wrote to memory of 1548	1732	09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe	MediaCenter.exe
PID 1732 wrote to memory of 1548	1732	09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe	MediaCenter.exe
PID 1732 wrote to memory of 1796	1732	09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe	cmd.exe
PID 1732 wrote to memory of 1796	1732	09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe	cmd.exe
PID 1732 wrote to memory of 1796	1732	09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe	cmd.exe
PID 1732 wrote to memory of 1796	1732	09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe	cmd.exe
PID 1796 wrote to memory of 1560	1796	cmd.exe	PING.EXE
PID 1796 wrote to memory of 1560	1796	cmd.exe	PING.EXE
PID 1796 wrote to memory of 1560	1796	cmd.exe	PING.EXE
PID 1796 wrote to memory of 1560	1796	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe
"C:\Users\Admin\AppData\Local\Temp\09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\09738d5beace1c5526842d456a3f542baa6933c0e49cd45ddd2ad7717dc98a88.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
682e2bec03f4a23ff081497c1b413d3b

SHA1
73f80ffd3167e8a2bd122353930f13021794a01f

SHA256
19b9b6626aca23761c3335e79720576e842e9931fa2b2098dfdf18848b15333a

SHA512
a72e7588bad1482fa317f3542dd418a25aff84b99b02e5c0701a43142188b0156faa5213ef7a2471394739dd313c0ff4527a5c2d7814d672959df123868f3b59

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
682e2bec03f4a23ff081497c1b413d3b

SHA1
73f80ffd3167e8a2bd122353930f13021794a01f

SHA256
19b9b6626aca23761c3335e79720576e842e9931fa2b2098dfdf18848b15333a

SHA512
a72e7588bad1482fa317f3542dd418a25aff84b99b02e5c0701a43142188b0156faa5213ef7a2471394739dd313c0ff4527a5c2d7814d672959df123868f3b59

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
682e2bec03f4a23ff081497c1b413d3b

SHA1
73f80ffd3167e8a2bd122353930f13021794a01f

SHA256
19b9b6626aca23761c3335e79720576e842e9931fa2b2098dfdf18848b15333a

SHA512
a72e7588bad1482fa317f3542dd418a25aff84b99b02e5c0701a43142188b0156faa5213ef7a2471394739dd313c0ff4527a5c2d7814d672959df123868f3b59

Download Submit
memory/1732-55-0x0000000074F11000-0x0000000074F13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads