sakula | 06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f

General

Target

06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe
Size

60KB
MD5

328dbbe5e12f97f4d9ad1699a8f1acab
SHA1

a73b30bd40c731bc69ae79159e26ca0b68115661
SHA256

06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f
SHA512

5430210b7d6e01f8d980be4ee749b45470e6e98c4124aab5aafbd9632cdeab3d5d40a7546cf58082a5d5a0c1fa5db42bb8a1d8bfbfa49349c51ea445cf7ecb8a

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1712 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

804 cmd.exe

pid	process
1712	MediaCenter.exe

pid	process
804	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe

pid	process
948	06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe
948	06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

296 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe

description pid process

Token: SeIncBasePriorityPrivilege 948 06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe

pid	process
296	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	948	06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.execmd.exe

description	pid	process	target process
PID 948 wrote to memory of 1712	948	06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe	MediaCenter.exe
PID 948 wrote to memory of 1712	948	06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe	MediaCenter.exe
PID 948 wrote to memory of 1712	948	06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe	MediaCenter.exe
PID 948 wrote to memory of 1712	948	06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe	MediaCenter.exe
PID 948 wrote to memory of 804	948	06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe	cmd.exe
PID 948 wrote to memory of 804	948	06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe	cmd.exe
PID 948 wrote to memory of 804	948	06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe	cmd.exe
PID 948 wrote to memory of 804	948	06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe	cmd.exe
PID 804 wrote to memory of 296	804	cmd.exe	PING.EXE
PID 804 wrote to memory of 296	804	cmd.exe	PING.EXE
PID 804 wrote to memory of 296	804	cmd.exe	PING.EXE
PID 804 wrote to memory of 296	804	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe
"C:\Users\Admin\AppData\Local\Temp\06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06d9823d7392ec00f01ebf27fcd8cd72efccb9a2436fd5ebc278f378763e751f.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
5964cdddc061b691582cb76ecf658003

SHA1
be1cc7803d5974d37a65255ac0e418e02d45b594

SHA256
dc17452b38f23365e25148d316e44956cb8551eb97e33b4a82496d25248302be

SHA512
ff68a9524f4053e4c9a760315ee10dbf6f9a1b5be87f888aa8eb8ee5fc378fd6f01d797c03775f6672db441e75d20ae7b80bdb599247239832b83738965e6c29

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
5964cdddc061b691582cb76ecf658003

SHA1
be1cc7803d5974d37a65255ac0e418e02d45b594

SHA256
dc17452b38f23365e25148d316e44956cb8551eb97e33b4a82496d25248302be

SHA512
ff68a9524f4053e4c9a760315ee10dbf6f9a1b5be87f888aa8eb8ee5fc378fd6f01d797c03775f6672db441e75d20ae7b80bdb599247239832b83738965e6c29

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
5964cdddc061b691582cb76ecf658003

SHA1
be1cc7803d5974d37a65255ac0e418e02d45b594

SHA256
dc17452b38f23365e25148d316e44956cb8551eb97e33b4a82496d25248302be

SHA512
ff68a9524f4053e4c9a760315ee10dbf6f9a1b5be87f888aa8eb8ee5fc378fd6f01d797c03775f6672db441e75d20ae7b80bdb599247239832b83738965e6c29

Download Submit
memory/948-54-0x0000000076911000-0x0000000076913000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads