sakula | 060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2

General

Target

060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe
Size

80KB
MD5

86f36cd392a8c5ec211750c14a1c01f5
SHA1

dc3c94eb8d49a4fff0490730ba1fa3985b64cf45
SHA256

060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2
SHA512

919c0bedce3a47cbdc659c958e2414a1deed690b35c86c91b342e694c4340ef707ddb8c9785a869135d2dc716d0705288b818eb299a76d6185687fc3a967003e

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

656 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

764 cmd.exe

pid	process
656	MediaCenter.exe

pid	process
764	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe

pid	process
1500	060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe
1500	060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1596 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe

description pid process

Token: SeIncBasePriorityPrivilege 1500 060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe

pid	process
1596	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1500	060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.execmd.exe

description	pid	process	target process
PID 1500 wrote to memory of 656	1500	060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe	MediaCenter.exe
PID 1500 wrote to memory of 656	1500	060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe	MediaCenter.exe
PID 1500 wrote to memory of 656	1500	060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe	MediaCenter.exe
PID 1500 wrote to memory of 656	1500	060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe	MediaCenter.exe
PID 1500 wrote to memory of 764	1500	060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe	cmd.exe
PID 1500 wrote to memory of 764	1500	060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe	cmd.exe
PID 1500 wrote to memory of 764	1500	060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe	cmd.exe
PID 1500 wrote to memory of 764	1500	060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe	cmd.exe
PID 764 wrote to memory of 1596	764	cmd.exe	PING.EXE
PID 764 wrote to memory of 1596	764	cmd.exe	PING.EXE
PID 764 wrote to memory of 1596	764	cmd.exe	PING.EXE
PID 764 wrote to memory of 1596	764	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe
"C:\Users\Admin\AppData\Local\Temp\060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\060be812b970b16c9f0a60fd6090055abbc00f4e3279aaeb806e337652c568f2.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
4c8ffc72b3b828619e0a5863ed08027b

SHA1
dede23bce25babe6039d3efcf63640ff5898c4e5

SHA256
361140f48430e5120b0467d9349b49253ef00fc93eb15bd541535052a0501152

SHA512
58a551b44387f830d01eb4d18378ed9e44d1191baab1fdd3778ab5e70885c057cf9debc4c843b1494aeca74f9503687559f1739100a18ccbe7442830d5529603

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
4c8ffc72b3b828619e0a5863ed08027b

SHA1
dede23bce25babe6039d3efcf63640ff5898c4e5

SHA256
361140f48430e5120b0467d9349b49253ef00fc93eb15bd541535052a0501152

SHA512
58a551b44387f830d01eb4d18378ed9e44d1191baab1fdd3778ab5e70885c057cf9debc4c843b1494aeca74f9503687559f1739100a18ccbe7442830d5529603

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
4c8ffc72b3b828619e0a5863ed08027b

SHA1
dede23bce25babe6039d3efcf63640ff5898c4e5

SHA256
361140f48430e5120b0467d9349b49253ef00fc93eb15bd541535052a0501152

SHA512
58a551b44387f830d01eb4d18378ed9e44d1191baab1fdd3778ab5e70885c057cf9debc4c843b1494aeca74f9503687559f1739100a18ccbe7442830d5529603

Download Submit
memory/1500-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads