sakula | 075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1

General

Target

075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe
Size

58KB
MD5

72cafac074e38c5ede12be6a7f3d4f95
SHA1

12a0bca45e48c923b3ba62dab469ffad4f908f14
SHA256

075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1
SHA512

b09b909a00a7128e5a5db4c3cc0fd80f49d5c4449418324ea22154a26e4287940a98ab9b6fb13d1a4f5f2284b6779698cd438b5d879ec07b338ef75770833f28

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

544 MediaCenter.exe

pid	process
544	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2068 PING.EXE

pid	process
2068	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exesvchost.exeTiWorker.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4456	075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe
Token: SeShutdownPrivilege	2836	svchost.exe
Token: SeCreatePagefilePrivilege	2836	svchost.exe
Token: SeShutdownPrivilege	2836	svchost.exe
Token: SeCreatePagefilePrivilege	2836	svchost.exe
Token: SeShutdownPrivilege	2836	svchost.exe
Token: SeCreatePagefilePrivilege	2836	svchost.exe
Token: SeSecurityPrivilege	4208	TiWorker.exe
Token: SeRestorePrivilege	4208	TiWorker.exe
Token: SeBackupPrivilege	4208	TiWorker.exe
Token: SeBackupPrivilege	4208	TiWorker.exe
Token: SeRestorePrivilege	4208	TiWorker.exe
Token: SeSecurityPrivilege	4208	TiWorker.exe
Token: SeBackupPrivilege	4208	TiWorker.exe
Token: SeRestorePrivilege	4208	TiWorker.exe
Token: SeSecurityPrivilege	4208	TiWorker.exe
Token: SeBackupPrivilege	4208	TiWorker.exe
Token: SeRestorePrivilege	4208	TiWorker.exe
Token: SeSecurityPrivilege	4208	TiWorker.exe
Token: SeBackupPrivilege	4208	TiWorker.exe
Token: SeRestorePrivilege	4208	TiWorker.exe
Token: SeSecurityPrivilege	4208	TiWorker.exe
Token: SeBackupPrivilege	4208	TiWorker.exe
Token: SeRestorePrivilege	4208	TiWorker.exe
Token: SeSecurityPrivilege	4208	TiWorker.exe
Token: SeBackupPrivilege	4208	TiWorker.exe
Token: SeRestorePrivilege	4208	TiWorker.exe
Token: SeSecurityPrivilege	4208	TiWorker.exe
Token: SeBackupPrivilege	4208	TiWorker.exe
Token: SeRestorePrivilege	4208	TiWorker.exe
Token: SeSecurityPrivilege	4208	TiWorker.exe
Token: SeBackupPrivilege	4208	TiWorker.exe
Token: SeRestorePrivilege	4208	TiWorker.exe
Token: SeSecurityPrivilege	4208	TiWorker.exe
Token: SeBackupPrivilege	4208	TiWorker.exe
Token: SeRestorePrivilege	4208	TiWorker.exe
Token: SeSecurityPrivilege	4208	TiWorker.exe
Token: SeBackupPrivilege	4208	TiWorker.exe
Token: SeRestorePrivilege	4208	TiWorker.exe
Token: SeSecurityPrivilege	4208	TiWorker.exe
Token: SeBackupPrivilege	4208	TiWorker.exe
Token: SeRestorePrivilege	4208	TiWorker.exe
Token: SeSecurityPrivilege	4208	TiWorker.exe
Token: SeBackupPrivilege	4208	TiWorker.exe
Token: SeRestorePrivilege	4208	TiWorker.exe
Token: SeSecurityPrivilege	4208	TiWorker.exe
Token: SeBackupPrivilege	4208	TiWorker.exe
Token: SeRestorePrivilege	4208	TiWorker.exe
Token: SeSecurityPrivilege	4208	TiWorker.exe
Token: SeBackupPrivilege	4208	TiWorker.exe
Token: SeRestorePrivilege	4208	TiWorker.exe
Token: SeSecurityPrivilege	4208	TiWorker.exe
Token: SeBackupPrivilege	4208	TiWorker.exe
Token: SeRestorePrivilege	4208	TiWorker.exe
Token: SeSecurityPrivilege	4208	TiWorker.exe
Token: SeBackupPrivilege	4208	TiWorker.exe
Token: SeRestorePrivilege	4208	TiWorker.exe
Token: SeSecurityPrivilege	4208	TiWorker.exe
Token: SeBackupPrivilege	4208	TiWorker.exe
Token: SeRestorePrivilege	4208	TiWorker.exe
Token: SeSecurityPrivilege	4208	TiWorker.exe
Token: SeBackupPrivilege	4208	TiWorker.exe
Token: SeRestorePrivilege	4208	TiWorker.exe
Token: SeSecurityPrivilege	4208	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.execmd.exe

description	pid	process	target process
PID 4456 wrote to memory of 544	4456	075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe	MediaCenter.exe
PID 4456 wrote to memory of 544	4456	075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe	MediaCenter.exe
PID 4456 wrote to memory of 544	4456	075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe	MediaCenter.exe
PID 4456 wrote to memory of 4468	4456	075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe	cmd.exe
PID 4456 wrote to memory of 4468	4456	075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe	cmd.exe
PID 4456 wrote to memory of 4468	4456	075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe	cmd.exe
PID 4468 wrote to memory of 2068	4468	cmd.exe	PING.EXE
PID 4468 wrote to memory of 2068	4468	cmd.exe	PING.EXE
PID 4468 wrote to memory of 2068	4468	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe
"C:\Users\Admin\AppData\Local\Temp\075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4456

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\075e4f0e696c00c4877a040b221588d7913203a284f2a4e846a5a64e072ae4c1.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
d0faf8461afb933a99c4fe2fbc33170d

SHA1
b7763bb33be37d73026f6914dfc4d1a432fb8906

SHA256
b2b892027006d121ab5c179cc7b2b8004efc05366d08c835a5bad3bd2e3c10e4

SHA512
e6bf85fe575c5679555f98497a523849c6bee33e94395deef91eb3e415cc9b4a42b82a843dfdc8057ef4d80d01c54ec14dbd32fa31f31cc0835109cec7ea3e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
d0faf8461afb933a99c4fe2fbc33170d

SHA1
b7763bb33be37d73026f6914dfc4d1a432fb8906

SHA256
b2b892027006d121ab5c179cc7b2b8004efc05366d08c835a5bad3bd2e3c10e4

SHA512
e6bf85fe575c5679555f98497a523849c6bee33e94395deef91eb3e415cc9b4a42b82a843dfdc8057ef4d80d01c54ec14dbd32fa31f31cc0835109cec7ea3e66

Download Submit
memory/2836-132-0x000001E617F60000-0x000001E617F70000-memory.dmp

Filesize
64KB

Download
memory/2836-133-0x000001E618520000-0x000001E618530000-memory.dmp

Filesize
64KB

Download
memory/2836-134-0x000001E61ABA0000-0x000001E61ABA4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads