sakula | 064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0

General

Target

064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe
Size

35KB
MD5

ca3eb031f52fdb3ee35a0b2ac18d69bd
SHA1

8807a0f624d4d9340c57e71686972ddeceeb4ff6
SHA256

064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0
SHA512

e38df41b2d4ed94776e76c6ea722d5142aa1f7c67c33ecea75d6ddddee7eceafd648827dc677736e21a06892267900e3c6d9d910134931027cce443f6764fa6e

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1620 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1064 cmd.exe

pid	process
1620	MediaCenter.exe

pid	process
1064	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe

pid	process
960	064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe
960	064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1944 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe

description pid process

Token: SeIncBasePriorityPrivilege 960 064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe

pid	process
1944	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	960	064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.execmd.exe

description	pid	process	target process
PID 960 wrote to memory of 1620	960	064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe	MediaCenter.exe
PID 960 wrote to memory of 1620	960	064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe	MediaCenter.exe
PID 960 wrote to memory of 1620	960	064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe	MediaCenter.exe
PID 960 wrote to memory of 1620	960	064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe	MediaCenter.exe
PID 960 wrote to memory of 1064	960	064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe	cmd.exe
PID 960 wrote to memory of 1064	960	064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe	cmd.exe
PID 960 wrote to memory of 1064	960	064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe	cmd.exe
PID 960 wrote to memory of 1064	960	064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe	cmd.exe
PID 1064 wrote to memory of 1944	1064	cmd.exe	PING.EXE
PID 1064 wrote to memory of 1944	1064	cmd.exe	PING.EXE
PID 1064 wrote to memory of 1944	1064	cmd.exe	PING.EXE
PID 1064 wrote to memory of 1944	1064	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe
"C:\Users\Admin\AppData\Local\Temp\064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\064b5a02f0f87e44766e115d50e77c69dd889ffe122a568fab48ec76dbb5eef0.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
1210adf533a5eba59e4718cf15254bef

SHA1
1eb0941a280fec0e61b43ff185d11fd2d61185a9

SHA256
d308bc94341b9acbd5c4da7289527cdc141d6d2559eefc4a50156b2707a4a352

SHA512
090bfdda847bb6b748127c55b1b6a42c97018f16b4d8018bf3159706a7c5aad152097f43435e790feebcbbb6f4d6a88201fecded0d5674639ffb4640161cf470

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
1210adf533a5eba59e4718cf15254bef

SHA1
1eb0941a280fec0e61b43ff185d11fd2d61185a9

SHA256
d308bc94341b9acbd5c4da7289527cdc141d6d2559eefc4a50156b2707a4a352

SHA512
090bfdda847bb6b748127c55b1b6a42c97018f16b4d8018bf3159706a7c5aad152097f43435e790feebcbbb6f4d6a88201fecded0d5674639ffb4640161cf470

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
1210adf533a5eba59e4718cf15254bef

SHA1
1eb0941a280fec0e61b43ff185d11fd2d61185a9

SHA256
d308bc94341b9acbd5c4da7289527cdc141d6d2559eefc4a50156b2707a4a352

SHA512
090bfdda847bb6b748127c55b1b6a42c97018f16b4d8018bf3159706a7c5aad152097f43435e790feebcbbb6f4d6a88201fecded0d5674639ffb4640161cf470

Download Submit
memory/960-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads