sakula | 02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56

General

Target

02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe
Size

35KB
MD5

27e4e50882757b307e72b2f0f9932597
SHA1

7f40ee24411d0d5bd6fc638135e35cfb7199edcc
SHA256

02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56
SHA512

3cd18038af9aaadb3fcc61413239394a729bd978601125a277100eb9f0413550b8b168443ba70ca616bb46277d5f0f7007f318cde43580f9c3ce0945128a10b4

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

316 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1944 cmd.exe

pid	process
316	MediaCenter.exe

pid	process
1944	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe

pid	process
1696	02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe
1696	02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1088 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe

description pid process

Token: SeIncBasePriorityPrivilege 1696 02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe

pid	process
1088	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1696	02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.execmd.exe

description	pid	process	target process
PID 1696 wrote to memory of 316	1696	02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe	MediaCenter.exe
PID 1696 wrote to memory of 316	1696	02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe	MediaCenter.exe
PID 1696 wrote to memory of 316	1696	02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe	MediaCenter.exe
PID 1696 wrote to memory of 316	1696	02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe	MediaCenter.exe
PID 1696 wrote to memory of 1944	1696	02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe	cmd.exe
PID 1696 wrote to memory of 1944	1696	02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe	cmd.exe
PID 1696 wrote to memory of 1944	1696	02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe	cmd.exe
PID 1696 wrote to memory of 1944	1696	02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe	cmd.exe
PID 1944 wrote to memory of 1088	1944	cmd.exe	PING.EXE
PID 1944 wrote to memory of 1088	1944	cmd.exe	PING.EXE
PID 1944 wrote to memory of 1088	1944	cmd.exe	PING.EXE
PID 1944 wrote to memory of 1088	1944	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe
"C:\Users\Admin\AppData\Local\Temp\02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\02b6e3861548832f7abd986eaf19bfe5bfac3d76d2093b11d914e2d36f5b9c56.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
46a37330301a379e6d7a8bad8fde7359

SHA1
b672c074fbda4756921a38fc104d1720d0e281ac

SHA256
8f68edd37cb6cb4da6c936053c42637fd90c28c60f5a4e339158598e69350f10

SHA512
f901702e9a0d9bf52eb00e8ae961db53a4362cf2cf85a3b81154ae8b0aa47e201a2f95e1acf22f460b6af8a249bee0712f3de9b64a1442ece9c5de8c90130846

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
46a37330301a379e6d7a8bad8fde7359

SHA1
b672c074fbda4756921a38fc104d1720d0e281ac

SHA256
8f68edd37cb6cb4da6c936053c42637fd90c28c60f5a4e339158598e69350f10

SHA512
f901702e9a0d9bf52eb00e8ae961db53a4362cf2cf85a3b81154ae8b0aa47e201a2f95e1acf22f460b6af8a249bee0712f3de9b64a1442ece9c5de8c90130846

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
46a37330301a379e6d7a8bad8fde7359

SHA1
b672c074fbda4756921a38fc104d1720d0e281ac

SHA256
8f68edd37cb6cb4da6c936053c42637fd90c28c60f5a4e339158598e69350f10

SHA512
f901702e9a0d9bf52eb00e8ae961db53a4362cf2cf85a3b81154ae8b0aa47e201a2f95e1acf22f460b6af8a249bee0712f3de9b64a1442ece9c5de8c90130846

Download Submit
memory/1696-54-0x0000000076001000-0x0000000076003000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads