sakula | 053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b

General

Target

053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe
Size

150KB
MD5

4bd1cdab0745ae149ca5d643ec8ae92c
SHA1

e4b448e4514c3ea18a7b8aa7a20e11a83d54c745
SHA256

053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b
SHA512

ddce73f4c700f77d121a180bb592de64ff1481a0526dbebc1352420106074ec293bc8f30a9de211c6ee2beac63fb1f6af3c6ea077016cf7205a7ecc66ee956bc

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1112 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1148 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe

pid process

964 053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe

pid	process
1112	MediaCenter.exe

pid	process
1148	cmd.exe

pid	process
964	053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1796 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe

description pid process

Token: SeIncBasePriorityPrivilege 964 053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe

pid	process
1796	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	964	053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.execmd.exe

description	pid	process	target process
PID 964 wrote to memory of 1112	964	053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe	MediaCenter.exe
PID 964 wrote to memory of 1112	964	053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe	MediaCenter.exe
PID 964 wrote to memory of 1112	964	053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe	MediaCenter.exe
PID 964 wrote to memory of 1112	964	053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe	MediaCenter.exe
PID 964 wrote to memory of 1148	964	053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe	cmd.exe
PID 964 wrote to memory of 1148	964	053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe	cmd.exe
PID 964 wrote to memory of 1148	964	053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe	cmd.exe
PID 964 wrote to memory of 1148	964	053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe	cmd.exe
PID 1148 wrote to memory of 1796	1148	cmd.exe	PING.EXE
PID 1148 wrote to memory of 1796	1148	cmd.exe	PING.EXE
PID 1148 wrote to memory of 1796	1148	cmd.exe	PING.EXE
PID 1148 wrote to memory of 1796	1148	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe
"C:\Users\Admin\AppData\Local\Temp\053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\053eedd8dd3e393652046d116f2a312147be406f8c3bdf16b56bf5a4f9d4b38b.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
c7028b6a5e7079252c29fc6c6de33db4

SHA1
f1b4dae549bb81aa3d2cf9d9e3324185e368664e

SHA256
76482f93d44d6c61f05109b46d888384e342544b733f678ca6c89dedf91a9add

SHA512
0e8ac8aad957aaf68953d45e01ebe4a1ed6f4db5700d7b219b6ce294e9bc978311316e7a73ac3c4cc0d1899270fc476ef446ee66bfccdad74bc1c35f54532363

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
c7028b6a5e7079252c29fc6c6de33db4

SHA1
f1b4dae549bb81aa3d2cf9d9e3324185e368664e

SHA256
76482f93d44d6c61f05109b46d888384e342544b733f678ca6c89dedf91a9add

SHA512
0e8ac8aad957aaf68953d45e01ebe4a1ed6f4db5700d7b219b6ce294e9bc978311316e7a73ac3c4cc0d1899270fc476ef446ee66bfccdad74bc1c35f54532363

Download Submit
memory/964-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads