sakula | 070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9

General

Target

070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe
Size

58KB
MD5

a232833b1e1dfeb2eeee5662d547587a
SHA1

7165cac9418f75245859f37de3352c47905102bd
SHA256

070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9
SHA512

9f7317fbe0b41dde42aa642ad4575f21e18888816c9a7167c71e943bb0558c5fb9eac3e90efdc63cff24a3256217ae1d8666dc9958ffb85ad245740efd1851a1

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1948 MediaCenter.exe

pid	process
1948	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1500 PING.EXE

pid	process
1500	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	4072	svchost.exe
Token: SeCreatePagefilePrivilege	4072	svchost.exe
Token: SeShutdownPrivilege	4072	svchost.exe
Token: SeCreatePagefilePrivilege	4072	svchost.exe
Token: SeShutdownPrivilege	4072	svchost.exe
Token: SeCreatePagefilePrivilege	4072	svchost.exe
Token: SeSecurityPrivilege	1812	TiWorker.exe
Token: SeRestorePrivilege	1812	TiWorker.exe
Token: SeBackupPrivilege	1812	TiWorker.exe
Token: SeBackupPrivilege	1812	TiWorker.exe
Token: SeRestorePrivilege	1812	TiWorker.exe
Token: SeSecurityPrivilege	1812	TiWorker.exe
Token: SeBackupPrivilege	1812	TiWorker.exe
Token: SeRestorePrivilege	1812	TiWorker.exe
Token: SeSecurityPrivilege	1812	TiWorker.exe
Token: SeBackupPrivilege	1812	TiWorker.exe
Token: SeRestorePrivilege	1812	TiWorker.exe
Token: SeSecurityPrivilege	1812	TiWorker.exe
Token: SeBackupPrivilege	1812	TiWorker.exe
Token: SeRestorePrivilege	1812	TiWorker.exe
Token: SeSecurityPrivilege	1812	TiWorker.exe
Token: SeBackupPrivilege	1812	TiWorker.exe
Token: SeRestorePrivilege	1812	TiWorker.exe
Token: SeSecurityPrivilege	1812	TiWorker.exe
Token: SeBackupPrivilege	1812	TiWorker.exe
Token: SeRestorePrivilege	1812	TiWorker.exe
Token: SeSecurityPrivilege	1812	TiWorker.exe
Token: SeBackupPrivilege	1812	TiWorker.exe
Token: SeRestorePrivilege	1812	TiWorker.exe
Token: SeSecurityPrivilege	1812	TiWorker.exe
Token: SeBackupPrivilege	1812	TiWorker.exe
Token: SeRestorePrivilege	1812	TiWorker.exe
Token: SeSecurityPrivilege	1812	TiWorker.exe
Token: SeBackupPrivilege	1812	TiWorker.exe
Token: SeRestorePrivilege	1812	TiWorker.exe
Token: SeSecurityPrivilege	1812	TiWorker.exe
Token: SeBackupPrivilege	1812	TiWorker.exe
Token: SeRestorePrivilege	1812	TiWorker.exe
Token: SeSecurityPrivilege	1812	TiWorker.exe
Token: SeBackupPrivilege	1812	TiWorker.exe
Token: SeRestorePrivilege	1812	TiWorker.exe
Token: SeSecurityPrivilege	1812	TiWorker.exe
Token: SeBackupPrivilege	1812	TiWorker.exe
Token: SeRestorePrivilege	1812	TiWorker.exe
Token: SeSecurityPrivilege	1812	TiWorker.exe
Token: SeBackupPrivilege	1812	TiWorker.exe
Token: SeRestorePrivilege	1812	TiWorker.exe
Token: SeSecurityPrivilege	1812	TiWorker.exe
Token: SeBackupPrivilege	1812	TiWorker.exe
Token: SeRestorePrivilege	1812	TiWorker.exe
Token: SeSecurityPrivilege	1812	TiWorker.exe
Token: SeBackupPrivilege	1812	TiWorker.exe
Token: SeRestorePrivilege	1812	TiWorker.exe
Token: SeSecurityPrivilege	1812	TiWorker.exe
Token: SeBackupPrivilege	1812	TiWorker.exe
Token: SeRestorePrivilege	1812	TiWorker.exe
Token: SeSecurityPrivilege	1812	TiWorker.exe
Token: SeBackupPrivilege	1812	TiWorker.exe
Token: SeRestorePrivilege	1812	TiWorker.exe
Token: SeSecurityPrivilege	1812	TiWorker.exe
Token: SeBackupPrivilege	1812	TiWorker.exe
Token: SeRestorePrivilege	1812	TiWorker.exe
Token: SeSecurityPrivilege	1812	TiWorker.exe
Token: SeBackupPrivilege	1812	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.execmd.exe

description	pid	process	target process
PID 2712 wrote to memory of 1948	2712	070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe	MediaCenter.exe
PID 2712 wrote to memory of 1948	2712	070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe	MediaCenter.exe
PID 2712 wrote to memory of 1948	2712	070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe	MediaCenter.exe
PID 2712 wrote to memory of 4616	2712	070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe	cmd.exe
PID 2712 wrote to memory of 4616	2712	070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe	cmd.exe
PID 2712 wrote to memory of 4616	2712	070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe	cmd.exe
PID 4616 wrote to memory of 1500	4616	cmd.exe	PING.EXE
PID 4616 wrote to memory of 1500	4616	cmd.exe	PING.EXE
PID 4616 wrote to memory of 1500	4616	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe
"C:\Users\Admin\AppData\Local\Temp\070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2712

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\070fbc5c10adfb718bb30092d09f99fdbb62ec3f89dfc7c14af2ca5c19c6b9e9.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
b717379ffbbc5365e9b733b861db1cb4

SHA1
6c5940845882772495c50c5352262230b7eeffdf

SHA256
04b305e6890a9787185a2495adc83a4b0566afd185e48118d20d5549c68229e0

SHA512
210e167f9d49b8ab67b596e5a50d4935aeb203946b142251cde2a72fe1b740a21e12a692075da92cf39be6cc7e9971e2cd2d799399ebfe2b00c39902028737a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
b717379ffbbc5365e9b733b861db1cb4

SHA1
6c5940845882772495c50c5352262230b7eeffdf

SHA256
04b305e6890a9787185a2495adc83a4b0566afd185e48118d20d5549c68229e0

SHA512
210e167f9d49b8ab67b596e5a50d4935aeb203946b142251cde2a72fe1b740a21e12a692075da92cf39be6cc7e9971e2cd2d799399ebfe2b00c39902028737a8

Download Submit
memory/4072-132-0x0000020CE2330000-0x0000020CE2340000-memory.dmp

Filesize
64KB

Download
memory/4072-133-0x0000020CE2390000-0x0000020CE23A0000-memory.dmp

Filesize
64KB

Download
memory/4072-134-0x0000020CE50B0000-0x0000020CE50B4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads