sakula | 06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3

General

Target

06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe
Size

216KB
MD5

a3ca021350034de47209827352310697
SHA1

28647851ab6458e0cbad03053c481863006eada0
SHA256

06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3
SHA512

5a227c360d72ba1bcc5c88f111aeac2732292641a7e33bed885c5c8ce9f105e4a877378b1bab6b4ea1d295cfe4a290c817433065c37503d0daabaec24516efd9

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral2/memory/1152-135-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula
behavioral2/memory/1392-136-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1392 MediaCenter.exe

pid	process
1392	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4828 PING.EXE

pid	process
4828	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exe06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	1984	svchost.exe
Token: SeCreatePagefilePrivilege	1984	svchost.exe
Token: SeShutdownPrivilege	1984	svchost.exe
Token: SeCreatePagefilePrivilege	1984	svchost.exe
Token: SeShutdownPrivilege	1984	svchost.exe
Token: SeCreatePagefilePrivilege	1984	svchost.exe
Token: SeIncBasePriorityPrivilege	1152	06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe
Token: SeSecurityPrivilege	4516	TiWorker.exe
Token: SeRestorePrivilege	4516	TiWorker.exe
Token: SeBackupPrivilege	4516	TiWorker.exe
Token: SeBackupPrivilege	4516	TiWorker.exe
Token: SeRestorePrivilege	4516	TiWorker.exe
Token: SeSecurityPrivilege	4516	TiWorker.exe
Token: SeBackupPrivilege	4516	TiWorker.exe
Token: SeRestorePrivilege	4516	TiWorker.exe
Token: SeSecurityPrivilege	4516	TiWorker.exe
Token: SeBackupPrivilege	4516	TiWorker.exe
Token: SeRestorePrivilege	4516	TiWorker.exe
Token: SeSecurityPrivilege	4516	TiWorker.exe
Token: SeBackupPrivilege	4516	TiWorker.exe
Token: SeRestorePrivilege	4516	TiWorker.exe
Token: SeSecurityPrivilege	4516	TiWorker.exe
Token: SeBackupPrivilege	4516	TiWorker.exe
Token: SeRestorePrivilege	4516	TiWorker.exe
Token: SeSecurityPrivilege	4516	TiWorker.exe
Token: SeBackupPrivilege	4516	TiWorker.exe
Token: SeRestorePrivilege	4516	TiWorker.exe
Token: SeSecurityPrivilege	4516	TiWorker.exe
Token: SeBackupPrivilege	4516	TiWorker.exe
Token: SeRestorePrivilege	4516	TiWorker.exe
Token: SeSecurityPrivilege	4516	TiWorker.exe
Token: SeBackupPrivilege	4516	TiWorker.exe
Token: SeRestorePrivilege	4516	TiWorker.exe
Token: SeSecurityPrivilege	4516	TiWorker.exe
Token: SeBackupPrivilege	4516	TiWorker.exe
Token: SeRestorePrivilege	4516	TiWorker.exe
Token: SeSecurityPrivilege	4516	TiWorker.exe
Token: SeBackupPrivilege	4516	TiWorker.exe
Token: SeRestorePrivilege	4516	TiWorker.exe
Token: SeSecurityPrivilege	4516	TiWorker.exe
Token: SeBackupPrivilege	4516	TiWorker.exe
Token: SeRestorePrivilege	4516	TiWorker.exe
Token: SeSecurityPrivilege	4516	TiWorker.exe
Token: SeBackupPrivilege	4516	TiWorker.exe
Token: SeRestorePrivilege	4516	TiWorker.exe
Token: SeSecurityPrivilege	4516	TiWorker.exe
Token: SeBackupPrivilege	4516	TiWorker.exe
Token: SeRestorePrivilege	4516	TiWorker.exe
Token: SeSecurityPrivilege	4516	TiWorker.exe
Token: SeBackupPrivilege	4516	TiWorker.exe
Token: SeRestorePrivilege	4516	TiWorker.exe
Token: SeSecurityPrivilege	4516	TiWorker.exe
Token: SeBackupPrivilege	4516	TiWorker.exe
Token: SeRestorePrivilege	4516	TiWorker.exe
Token: SeSecurityPrivilege	4516	TiWorker.exe
Token: SeBackupPrivilege	4516	TiWorker.exe
Token: SeRestorePrivilege	4516	TiWorker.exe
Token: SeSecurityPrivilege	4516	TiWorker.exe
Token: SeBackupPrivilege	4516	TiWorker.exe
Token: SeRestorePrivilege	4516	TiWorker.exe
Token: SeSecurityPrivilege	4516	TiWorker.exe
Token: SeBackupPrivilege	4516	TiWorker.exe
Token: SeRestorePrivilege	4516	TiWorker.exe
Token: SeSecurityPrivilege	4516	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.execmd.exe

description	pid	process	target process
PID 1152 wrote to memory of 1392	1152	06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe	MediaCenter.exe
PID 1152 wrote to memory of 1392	1152	06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe	MediaCenter.exe
PID 1152 wrote to memory of 1392	1152	06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe	MediaCenter.exe
PID 1152 wrote to memory of 4456	1152	06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe	cmd.exe
PID 1152 wrote to memory of 4456	1152	06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe	cmd.exe
PID 1152 wrote to memory of 4456	1152	06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe	cmd.exe
PID 4456 wrote to memory of 4828	4456	cmd.exe	PING.EXE
PID 4456 wrote to memory of 4828	4456	cmd.exe	PING.EXE
PID 4456 wrote to memory of 4828	4456	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe
"C:\Users\Admin\AppData\Local\Temp\06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\06a00459856234d5a0d62331701c13e3ecabce618fa3e8fb7a9d5e3f0bdee7d3.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
4912a9680f016c119358663399524dc2

SHA1
82ecc9657e525c4aa2cd85018593d25727afee35

SHA256
55cd1c335a2de5188606bde57cfba2821bdfb35dd5685770c9d9236fc7ee3ca9

SHA512
9d80b2ea56e3b3d53e736a62d9e68c6ace0e3619bbf6d405bfdfefec5a3fdc56758df83b216448789eb02c45c828514ba99ee80ba35520fe8f83f0321c8eb303

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
4912a9680f016c119358663399524dc2

SHA1
82ecc9657e525c4aa2cd85018593d25727afee35

SHA256
55cd1c335a2de5188606bde57cfba2821bdfb35dd5685770c9d9236fc7ee3ca9

SHA512
9d80b2ea56e3b3d53e736a62d9e68c6ace0e3619bbf6d405bfdfefec5a3fdc56758df83b216448789eb02c45c828514ba99ee80ba35520fe8f83f0321c8eb303

Download Submit
memory/1152-135-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1392-136-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1984-132-0x000002D155B80000-0x000002D155B90000-memory.dmp

Filesize
64KB

Download
memory/1984-133-0x000002D156220000-0x000002D156230000-memory.dmp

Filesize
64KB

Download
memory/1984-134-0x000002D158900000-0x000002D158904000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads