sakula | 0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f

General

Target

0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe
Size

79KB
MD5

24f601d494ec38f0ada395f99249d05b
SHA1

e93e78d7a15d0d5572c53f41ca6a31b7df4f3ecf
SHA256

0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f
SHA512

a5fedd7fe6377efc5c8078a843cf068f95ac367a725b6d590791f6a9539be1b8562fc74a8a976b3e41e224f7e118fbcb4f7f722088ab7937779a9ace134e3f3b

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

4524 MediaCenter.exe

pid	process
4524	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe

Drops file in Windows directory 8 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1080 PING.EXE

pid	process
1080	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exe0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	1852	svchost.exe
Token: SeCreatePagefilePrivilege	1852	svchost.exe
Token: SeShutdownPrivilege	1852	svchost.exe
Token: SeCreatePagefilePrivilege	1852	svchost.exe
Token: SeShutdownPrivilege	1852	svchost.exe
Token: SeCreatePagefilePrivilege	1852	svchost.exe
Token: SeIncBasePriorityPrivilege	4976	0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe
Token: SeSecurityPrivilege	4264	TiWorker.exe
Token: SeRestorePrivilege	4264	TiWorker.exe
Token: SeBackupPrivilege	4264	TiWorker.exe
Token: SeBackupPrivilege	4264	TiWorker.exe
Token: SeRestorePrivilege	4264	TiWorker.exe
Token: SeSecurityPrivilege	4264	TiWorker.exe
Token: SeBackupPrivilege	4264	TiWorker.exe
Token: SeRestorePrivilege	4264	TiWorker.exe
Token: SeSecurityPrivilege	4264	TiWorker.exe
Token: SeBackupPrivilege	4264	TiWorker.exe
Token: SeRestorePrivilege	4264	TiWorker.exe
Token: SeSecurityPrivilege	4264	TiWorker.exe
Token: SeBackupPrivilege	4264	TiWorker.exe
Token: SeRestorePrivilege	4264	TiWorker.exe
Token: SeSecurityPrivilege	4264	TiWorker.exe
Token: SeBackupPrivilege	4264	TiWorker.exe
Token: SeRestorePrivilege	4264	TiWorker.exe
Token: SeSecurityPrivilege	4264	TiWorker.exe
Token: SeBackupPrivilege	4264	TiWorker.exe
Token: SeRestorePrivilege	4264	TiWorker.exe
Token: SeSecurityPrivilege	4264	TiWorker.exe
Token: SeBackupPrivilege	4264	TiWorker.exe
Token: SeRestorePrivilege	4264	TiWorker.exe
Token: SeSecurityPrivilege	4264	TiWorker.exe
Token: SeBackupPrivilege	4264	TiWorker.exe
Token: SeRestorePrivilege	4264	TiWorker.exe
Token: SeSecurityPrivilege	4264	TiWorker.exe
Token: SeBackupPrivilege	4264	TiWorker.exe
Token: SeRestorePrivilege	4264	TiWorker.exe
Token: SeSecurityPrivilege	4264	TiWorker.exe
Token: SeBackupPrivilege	4264	TiWorker.exe
Token: SeRestorePrivilege	4264	TiWorker.exe
Token: SeSecurityPrivilege	4264	TiWorker.exe
Token: SeBackupPrivilege	4264	TiWorker.exe
Token: SeRestorePrivilege	4264	TiWorker.exe
Token: SeSecurityPrivilege	4264	TiWorker.exe
Token: SeBackupPrivilege	4264	TiWorker.exe
Token: SeRestorePrivilege	4264	TiWorker.exe
Token: SeSecurityPrivilege	4264	TiWorker.exe
Token: SeBackupPrivilege	4264	TiWorker.exe
Token: SeRestorePrivilege	4264	TiWorker.exe
Token: SeSecurityPrivilege	4264	TiWorker.exe
Token: SeBackupPrivilege	4264	TiWorker.exe
Token: SeRestorePrivilege	4264	TiWorker.exe
Token: SeSecurityPrivilege	4264	TiWorker.exe
Token: SeBackupPrivilege	4264	TiWorker.exe
Token: SeRestorePrivilege	4264	TiWorker.exe
Token: SeSecurityPrivilege	4264	TiWorker.exe
Token: SeBackupPrivilege	4264	TiWorker.exe
Token: SeRestorePrivilege	4264	TiWorker.exe
Token: SeSecurityPrivilege	4264	TiWorker.exe
Token: SeBackupPrivilege	4264	TiWorker.exe
Token: SeRestorePrivilege	4264	TiWorker.exe
Token: SeSecurityPrivilege	4264	TiWorker.exe
Token: SeBackupPrivilege	4264	TiWorker.exe
Token: SeRestorePrivilege	4264	TiWorker.exe
Token: SeSecurityPrivilege	4264	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.execmd.exe

description	pid	process	target process
PID 4976 wrote to memory of 4524	4976	0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe	MediaCenter.exe
PID 4976 wrote to memory of 4524	4976	0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe	MediaCenter.exe
PID 4976 wrote to memory of 4524	4976	0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe	MediaCenter.exe
PID 4976 wrote to memory of 2816	4976	0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe	cmd.exe
PID 4976 wrote to memory of 2816	4976	0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe	cmd.exe
PID 4976 wrote to memory of 2816	4976	0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe	cmd.exe
PID 2816 wrote to memory of 1080	2816	cmd.exe	PING.EXE
PID 2816 wrote to memory of 1080	2816	cmd.exe	PING.EXE
PID 2816 wrote to memory of 1080	2816	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe
"C:\Users\Admin\AppData\Local\Temp\0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4976

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:4524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0735f6ade0963aa1ccdcc718b462c52a14387e0465d4986e7fb673e32f87a26f.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
a3439a98f8c9c994df5d933930673292

SHA1
51271c98b0b9bb4d8fdf0208be5996498d4288bc

SHA256
3cd41e4500d412b12b181efac5b3dd02c2d0cd9c21867320400253449e0469e8

SHA512
1f0cd2b8bc170d49edbb1325eff833b3d1ee7464a669ee6c580e2877c73b5faafb149916c2b2b588636046ea4f1f55e5241ae9971935619698a3c104c42a41a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
a3439a98f8c9c994df5d933930673292

SHA1
51271c98b0b9bb4d8fdf0208be5996498d4288bc

SHA256
3cd41e4500d412b12b181efac5b3dd02c2d0cd9c21867320400253449e0469e8

SHA512
1f0cd2b8bc170d49edbb1325eff833b3d1ee7464a669ee6c580e2877c73b5faafb149916c2b2b588636046ea4f1f55e5241ae9971935619698a3c104c42a41a3

Download Submit
memory/1852-132-0x0000025D30960000-0x0000025D30970000-memory.dmp

Filesize
64KB

Download
memory/1852-133-0x0000025D30F20000-0x0000025D30F30000-memory.dmp

Filesize
64KB

Download
memory/1852-134-0x0000025D335B0000-0x0000025D335B4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads