sakula | 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d

General

Target

07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe
Size

35KB
MD5

3ea00914d2d50cb71f29a8e26c35fde9
SHA1

dc907c7aedab6ee77b1f307d244ad8f293801dbb
SHA256

07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d
SHA512

7aee8083eb230e3fe10e81eca95601b55f9722dea6d379d30c9c93b445aa3dbb2e1677b0e939ee0fa66bde485d5006d6d1187867d0c96377d1702da477f1c97e

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1576 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1508 cmd.exe

pid	process
1576	MediaCenter.exe

pid	process
1508	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe

pid	process
1756	07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe
1756	07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

608 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe

description pid process

Token: SeIncBasePriorityPrivilege 1756 07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe

pid	process
608	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1756	07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.execmd.exe

description	pid	process	target process
PID 1756 wrote to memory of 1576	1756	07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe	MediaCenter.exe
PID 1756 wrote to memory of 1576	1756	07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe	MediaCenter.exe
PID 1756 wrote to memory of 1576	1756	07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe	MediaCenter.exe
PID 1756 wrote to memory of 1576	1756	07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe	MediaCenter.exe
PID 1756 wrote to memory of 1508	1756	07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe	cmd.exe
PID 1756 wrote to memory of 1508	1756	07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe	cmd.exe
PID 1756 wrote to memory of 1508	1756	07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe	cmd.exe
PID 1756 wrote to memory of 1508	1756	07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe	cmd.exe
PID 1508 wrote to memory of 608	1508	cmd.exe	PING.EXE
PID 1508 wrote to memory of 608	1508	cmd.exe	PING.EXE
PID 1508 wrote to memory of 608	1508	cmd.exe	PING.EXE
PID 1508 wrote to memory of 608	1508	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe
"C:\Users\Admin\AppData\Local\Temp\07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07ad85b6bf8148b6a3acad5df5b83d8300a2786ea5a2722d94ab564a93099b4d.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
0df21c1c4cc3c4e454e435225c98eaad

SHA1
39ca49199632c2cabebda15c3a404dfc3ad7f4a0

SHA256
bff4028a7e2db85e916496b49a5a8b2b0a737b370e26d8027975eb14f8143012

SHA512
2811b3739f35f7895020e0e5e8edcc6a3747a219419158a9fad0ea3176ed559bb94483115b9703e284fc1eed9784743d787c22dda3585e9075a5ddbbcd5116f2

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
0df21c1c4cc3c4e454e435225c98eaad

SHA1
39ca49199632c2cabebda15c3a404dfc3ad7f4a0

SHA256
bff4028a7e2db85e916496b49a5a8b2b0a737b370e26d8027975eb14f8143012

SHA512
2811b3739f35f7895020e0e5e8edcc6a3747a219419158a9fad0ea3176ed559bb94483115b9703e284fc1eed9784743d787c22dda3585e9075a5ddbbcd5116f2

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
0df21c1c4cc3c4e454e435225c98eaad

SHA1
39ca49199632c2cabebda15c3a404dfc3ad7f4a0

SHA256
bff4028a7e2db85e916496b49a5a8b2b0a737b370e26d8027975eb14f8143012

SHA512
2811b3739f35f7895020e0e5e8edcc6a3747a219419158a9fad0ea3176ed559bb94483115b9703e284fc1eed9784743d787c22dda3585e9075a5ddbbcd5116f2

Download Submit
memory/1756-54-0x0000000076451000-0x0000000076453000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads