sakula | 06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b

General

Target

06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe
Size

60KB
MD5

98277bd1adff6b1265332dcce9ba70bd
SHA1

4cf764c6743f556ae168758b39e50266aceabc72
SHA256

06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b
SHA512

3d6204c817d1007d45d4c733b03cf43890044af71113ee946c7dffa5f1e09f4f024d4eee6692552444297b7771b51c201c06200d4e73efad5b3e90554e894e79

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1224 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

832 cmd.exe

pid	process
1224	MediaCenter.exe

pid	process
832	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe

pid	process
1900	06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe
1900	06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1248 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe

description pid process

Token: SeIncBasePriorityPrivilege 1900 06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe

pid	process
1248	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1900	06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.execmd.exe

description	pid	process	target process
PID 1900 wrote to memory of 1224	1900	06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe	MediaCenter.exe
PID 1900 wrote to memory of 1224	1900	06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe	MediaCenter.exe
PID 1900 wrote to memory of 1224	1900	06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe	MediaCenter.exe
PID 1900 wrote to memory of 1224	1900	06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe	MediaCenter.exe
PID 1900 wrote to memory of 832	1900	06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe	cmd.exe
PID 1900 wrote to memory of 832	1900	06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe	cmd.exe
PID 1900 wrote to memory of 832	1900	06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe	cmd.exe
PID 1900 wrote to memory of 832	1900	06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe	cmd.exe
PID 832 wrote to memory of 1248	832	cmd.exe	PING.EXE
PID 832 wrote to memory of 1248	832	cmd.exe	PING.EXE
PID 832 wrote to memory of 1248	832	cmd.exe	PING.EXE
PID 832 wrote to memory of 1248	832	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe
"C:\Users\Admin\AppData\Local\Temp\06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06be5790822db4f0e5d897e67d446d7fe91c04fdf9aeb698b4d2e21b4bb72a4b.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
4057315e4aff96553bb8f44409bae90b

SHA1
4b82eda54fdee9a6a959f535c5495b8965ec274c

SHA256
da0c9c0d04af863620e7abdf496a1bb2e65f9980ac456bfc1609a33a09f1425d

SHA512
e2292d6b85dabab5f1d9bb73ba0fab61ac2526114125eb9429868b96c49e290499694106e5bcae8ddd7afb2493759ceffde95f941f3410d429784a50ff795379

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
4057315e4aff96553bb8f44409bae90b

SHA1
4b82eda54fdee9a6a959f535c5495b8965ec274c

SHA256
da0c9c0d04af863620e7abdf496a1bb2e65f9980ac456bfc1609a33a09f1425d

SHA512
e2292d6b85dabab5f1d9bb73ba0fab61ac2526114125eb9429868b96c49e290499694106e5bcae8ddd7afb2493759ceffde95f941f3410d429784a50ff795379

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
4057315e4aff96553bb8f44409bae90b

SHA1
4b82eda54fdee9a6a959f535c5495b8965ec274c

SHA256
da0c9c0d04af863620e7abdf496a1bb2e65f9980ac456bfc1609a33a09f1425d

SHA512
e2292d6b85dabab5f1d9bb73ba0fab61ac2526114125eb9429868b96c49e290499694106e5bcae8ddd7afb2493759ceffde95f941f3410d429784a50ff795379

Download Submit
memory/1900-55-0x00000000760F1000-0x00000000760F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads