sakula | 07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3

General

Target

07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe
Size

35KB
MD5

9aea83059ffb3762a8efc9ff59983744
SHA1

49a2dcdfd963b23460846f7ca6f0a421e24261ea
SHA256

07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3
SHA512

30d25cf7aece2343c8c2aaaad726cd028847cbf788e691b35008e0df525ee5ce164d120052a0c168428d2348a0cb0f67f3b05639f63da6236e04fbcb816f6000

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1148 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1088 cmd.exe

pid	process
1148	MediaCenter.exe

pid	process
1088	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe

pid	process
1768	07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe
1768	07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1164 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe

description pid process

Token: SeIncBasePriorityPrivilege 1768 07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe

pid	process
1164	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1768	07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.execmd.exe

description	pid	process	target process
PID 1768 wrote to memory of 1148	1768	07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe	MediaCenter.exe
PID 1768 wrote to memory of 1148	1768	07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe	MediaCenter.exe
PID 1768 wrote to memory of 1148	1768	07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe	MediaCenter.exe
PID 1768 wrote to memory of 1148	1768	07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe	MediaCenter.exe
PID 1768 wrote to memory of 1088	1768	07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe	cmd.exe
PID 1768 wrote to memory of 1088	1768	07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe	cmd.exe
PID 1768 wrote to memory of 1088	1768	07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe	cmd.exe
PID 1768 wrote to memory of 1088	1768	07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe	cmd.exe
PID 1088 wrote to memory of 1164	1088	cmd.exe	PING.EXE
PID 1088 wrote to memory of 1164	1088	cmd.exe	PING.EXE
PID 1088 wrote to memory of 1164	1088	cmd.exe	PING.EXE
PID 1088 wrote to memory of 1164	1088	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe
"C:\Users\Admin\AppData\Local\Temp\07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07a74a742cb6674df953e24579afb68ca1a4a35d510a0751fcaff6c4b71471d3.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
51c8f86091c968537f49b793c853d007

SHA1
3643dfccc2c77cd113c7de79a08ca4d2556a47fe

SHA256
b477c31be8e99c92ffb511a91fb1f52f2d7ca00e57db98296a4e23509c4bd4e6

SHA512
3591fd7dcf9f4dd2ac7a8db355d2ce9e2b703de9256a5e5ac38512fe8e7a5bee9cfc1a307b852158ca072e87fd86bca4a32c6c0b0257ca34343b0c1f25a5c485

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
51c8f86091c968537f49b793c853d007

SHA1
3643dfccc2c77cd113c7de79a08ca4d2556a47fe

SHA256
b477c31be8e99c92ffb511a91fb1f52f2d7ca00e57db98296a4e23509c4bd4e6

SHA512
3591fd7dcf9f4dd2ac7a8db355d2ce9e2b703de9256a5e5ac38512fe8e7a5bee9cfc1a307b852158ca072e87fd86bca4a32c6c0b0257ca34343b0c1f25a5c485

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
51c8f86091c968537f49b793c853d007

SHA1
3643dfccc2c77cd113c7de79a08ca4d2556a47fe

SHA256
b477c31be8e99c92ffb511a91fb1f52f2d7ca00e57db98296a4e23509c4bd4e6

SHA512
3591fd7dcf9f4dd2ac7a8db355d2ce9e2b703de9256a5e5ac38512fe8e7a5bee9cfc1a307b852158ca072e87fd86bca4a32c6c0b0257ca34343b0c1f25a5c485

Download Submit
memory/1768-55-0x00000000758A1000-0x00000000758A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads