sakula | 090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa

General

Target

090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe
Size

60KB
MD5

4859a3f92749b1a723955964816838fc
SHA1

7da946d41d3f6d5386555e1fea8cbf9f604f0b7f
SHA256

090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa
SHA512

39ec132a54aec5d3c474a45471a7adb26afa067c2faa6b772b3f4c5680bc5dfa2fb706bbfcd58b5117cd81351703994125257b7c626bd07c27f72ee5a18803f3

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1224 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1404 cmd.exe

pid	process
1224	MediaCenter.exe

pid	process
1404	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe

pid	process
1900	090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe
1900	090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

608 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe

description pid process

Token: SeIncBasePriorityPrivilege 1900 090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe

pid	process
608	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1900	090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.execmd.exe

description	pid	process	target process
PID 1900 wrote to memory of 1224	1900	090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe	MediaCenter.exe
PID 1900 wrote to memory of 1224	1900	090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe	MediaCenter.exe
PID 1900 wrote to memory of 1224	1900	090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe	MediaCenter.exe
PID 1900 wrote to memory of 1224	1900	090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe	MediaCenter.exe
PID 1900 wrote to memory of 1404	1900	090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe	cmd.exe
PID 1900 wrote to memory of 1404	1900	090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe	cmd.exe
PID 1900 wrote to memory of 1404	1900	090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe	cmd.exe
PID 1900 wrote to memory of 1404	1900	090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe	cmd.exe
PID 1404 wrote to memory of 608	1404	cmd.exe	PING.EXE
PID 1404 wrote to memory of 608	1404	cmd.exe	PING.EXE
PID 1404 wrote to memory of 608	1404	cmd.exe	PING.EXE
PID 1404 wrote to memory of 608	1404	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe
"C:\Users\Admin\AppData\Local\Temp\090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\090b3da9add6f6d83435d631169da79e216b035e5e072398ff9c0d7ff0af8caa.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
f2e8ab3eb0279895ac08921819a14e46

SHA1
a874c7ef9efe95f68612d68af3dc65786a1543ae

SHA256
91b9ab50d5267e93cd23a7f6b683c37245b5da7d410372e853618d004aec946d

SHA512
b9fc5b3d47d1380761f7377181cec92e1ad924f181f49e87664df5b4ac5fa1575f03954fd7cbac575b222d00db5a5a0f8400458ff3f389cdc7e8f12d5de50d95

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
f2e8ab3eb0279895ac08921819a14e46

SHA1
a874c7ef9efe95f68612d68af3dc65786a1543ae

SHA256
91b9ab50d5267e93cd23a7f6b683c37245b5da7d410372e853618d004aec946d

SHA512
b9fc5b3d47d1380761f7377181cec92e1ad924f181f49e87664df5b4ac5fa1575f03954fd7cbac575b222d00db5a5a0f8400458ff3f389cdc7e8f12d5de50d95

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
f2e8ab3eb0279895ac08921819a14e46

SHA1
a874c7ef9efe95f68612d68af3dc65786a1543ae

SHA256
91b9ab50d5267e93cd23a7f6b683c37245b5da7d410372e853618d004aec946d

SHA512
b9fc5b3d47d1380761f7377181cec92e1ad924f181f49e87664df5b4ac5fa1575f03954fd7cbac575b222d00db5a5a0f8400458ff3f389cdc7e8f12d5de50d95

Download Submit
memory/1900-55-0x00000000760F1000-0x00000000760F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads