sakula | 079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde

General

Target

079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe
Size

152KB
MD5

20e41425a563a5361236b0583b0f1bba
SHA1

995e232181b047e496ca56a1326ebd2af5fbaea8
SHA256

079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde
SHA512

f8f5ad46233d12bbe6e6803106b7da74fe42ccd6b28b89e963731aac33007daeb9ff69b0f0872407439188231e907d7707c59221abbbd555e7ea8025b29099b4

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1576 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

800 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe

pid process

1664 079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe

pid	process
1576	MediaCenter.exe

pid	process
800	cmd.exe

pid	process
1664	079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1832 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe

description pid process

Token: SeIncBasePriorityPrivilege 1664 079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe

pid	process
1832	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1664	079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.execmd.exe

description	pid	process	target process
PID 1664 wrote to memory of 1576	1664	079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe	MediaCenter.exe
PID 1664 wrote to memory of 1576	1664	079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe	MediaCenter.exe
PID 1664 wrote to memory of 1576	1664	079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe	MediaCenter.exe
PID 1664 wrote to memory of 1576	1664	079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe	MediaCenter.exe
PID 1664 wrote to memory of 800	1664	079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe	cmd.exe
PID 1664 wrote to memory of 800	1664	079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe	cmd.exe
PID 1664 wrote to memory of 800	1664	079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe	cmd.exe
PID 1664 wrote to memory of 800	1664	079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe	cmd.exe
PID 800 wrote to memory of 1832	800	cmd.exe	PING.EXE
PID 800 wrote to memory of 1832	800	cmd.exe	PING.EXE
PID 800 wrote to memory of 1832	800	cmd.exe	PING.EXE
PID 800 wrote to memory of 1832	800	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe
"C:\Users\Admin\AppData\Local\Temp\079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\079d84abded287611392160e7d90a69d37b0f8e7f83c4baec57f3df751b33fde.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
5d1747ff4da945e32eb32260421cad1e

SHA1
6a9db2c319a4ed6252aa279f55e9bbbc0363e15d

SHA256
1b9233dce835446bf4108c2aaf3f3ca5bda3af2f67f2600eeace774a2c37aded

SHA512
880364db8171d42856001afb3331111586090ce0b2ac2db753ffc3462f8c6d7c60c7fdda163cb9289ddfd876c23d688bea2d9880ac5ddd166d63b4383d39b700

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
5d1747ff4da945e32eb32260421cad1e

SHA1
6a9db2c319a4ed6252aa279f55e9bbbc0363e15d

SHA256
1b9233dce835446bf4108c2aaf3f3ca5bda3af2f67f2600eeace774a2c37aded

SHA512
880364db8171d42856001afb3331111586090ce0b2ac2db753ffc3462f8c6d7c60c7fdda163cb9289ddfd876c23d688bea2d9880ac5ddd166d63b4383d39b700

Download Submit
memory/1664-54-0x00000000754B1000-0x00000000754B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads