sakula | 02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097

General

Target

02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe
Size

99KB
MD5

9cbac2fec1ad1dcb349734acf6debb29
SHA1

a5a17a6155f836a177bad5ae216e01bccb561f9b
SHA256

02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097
SHA512

fedef63c447dfd0b97e240de124116dfd0b376033824a20dd97959dfcc13c1772128afe215bfab8c8f259b674ba12ba781c71f4e1d662edf1bb06234269a38dd

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

4348 MediaCenter.exe

pid	process
4348	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4744 PING.EXE

pid	process
4744	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exe02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	3540	svchost.exe
Token: SeCreatePagefilePrivilege	3540	svchost.exe
Token: SeShutdownPrivilege	3540	svchost.exe
Token: SeCreatePagefilePrivilege	3540	svchost.exe
Token: SeShutdownPrivilege	3540	svchost.exe
Token: SeCreatePagefilePrivilege	3540	svchost.exe
Token: SeIncBasePriorityPrivilege	4240	02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe
Token: SeSecurityPrivilege	1816	TiWorker.exe
Token: SeRestorePrivilege	1816	TiWorker.exe
Token: SeBackupPrivilege	1816	TiWorker.exe
Token: SeBackupPrivilege	1816	TiWorker.exe
Token: SeRestorePrivilege	1816	TiWorker.exe
Token: SeSecurityPrivilege	1816	TiWorker.exe
Token: SeBackupPrivilege	1816	TiWorker.exe
Token: SeRestorePrivilege	1816	TiWorker.exe
Token: SeSecurityPrivilege	1816	TiWorker.exe
Token: SeBackupPrivilege	1816	TiWorker.exe
Token: SeRestorePrivilege	1816	TiWorker.exe
Token: SeSecurityPrivilege	1816	TiWorker.exe
Token: SeBackupPrivilege	1816	TiWorker.exe
Token: SeRestorePrivilege	1816	TiWorker.exe
Token: SeSecurityPrivilege	1816	TiWorker.exe
Token: SeBackupPrivilege	1816	TiWorker.exe
Token: SeRestorePrivilege	1816	TiWorker.exe
Token: SeSecurityPrivilege	1816	TiWorker.exe
Token: SeBackupPrivilege	1816	TiWorker.exe
Token: SeRestorePrivilege	1816	TiWorker.exe
Token: SeSecurityPrivilege	1816	TiWorker.exe
Token: SeBackupPrivilege	1816	TiWorker.exe
Token: SeRestorePrivilege	1816	TiWorker.exe
Token: SeSecurityPrivilege	1816	TiWorker.exe
Token: SeBackupPrivilege	1816	TiWorker.exe
Token: SeRestorePrivilege	1816	TiWorker.exe
Token: SeSecurityPrivilege	1816	TiWorker.exe
Token: SeBackupPrivilege	1816	TiWorker.exe
Token: SeRestorePrivilege	1816	TiWorker.exe
Token: SeSecurityPrivilege	1816	TiWorker.exe
Token: SeBackupPrivilege	1816	TiWorker.exe
Token: SeRestorePrivilege	1816	TiWorker.exe
Token: SeSecurityPrivilege	1816	TiWorker.exe
Token: SeBackupPrivilege	1816	TiWorker.exe
Token: SeRestorePrivilege	1816	TiWorker.exe
Token: SeSecurityPrivilege	1816	TiWorker.exe
Token: SeBackupPrivilege	1816	TiWorker.exe
Token: SeRestorePrivilege	1816	TiWorker.exe
Token: SeSecurityPrivilege	1816	TiWorker.exe
Token: SeBackupPrivilege	1816	TiWorker.exe
Token: SeRestorePrivilege	1816	TiWorker.exe
Token: SeSecurityPrivilege	1816	TiWorker.exe
Token: SeBackupPrivilege	1816	TiWorker.exe
Token: SeRestorePrivilege	1816	TiWorker.exe
Token: SeSecurityPrivilege	1816	TiWorker.exe
Token: SeBackupPrivilege	1816	TiWorker.exe
Token: SeRestorePrivilege	1816	TiWorker.exe
Token: SeSecurityPrivilege	1816	TiWorker.exe
Token: SeBackupPrivilege	1816	TiWorker.exe
Token: SeRestorePrivilege	1816	TiWorker.exe
Token: SeSecurityPrivilege	1816	TiWorker.exe
Token: SeBackupPrivilege	1816	TiWorker.exe
Token: SeRestorePrivilege	1816	TiWorker.exe
Token: SeSecurityPrivilege	1816	TiWorker.exe
Token: SeBackupPrivilege	1816	TiWorker.exe
Token: SeRestorePrivilege	1816	TiWorker.exe
Token: SeSecurityPrivilege	1816	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.execmd.exe

description	pid	process	target process
PID 4240 wrote to memory of 4348	4240	02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe	MediaCenter.exe
PID 4240 wrote to memory of 4348	4240	02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe	MediaCenter.exe
PID 4240 wrote to memory of 4348	4240	02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe	MediaCenter.exe
PID 4240 wrote to memory of 728	4240	02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe	cmd.exe
PID 4240 wrote to memory of 728	4240	02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe	cmd.exe
PID 4240 wrote to memory of 728	4240	02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe	cmd.exe
PID 728 wrote to memory of 4744	728	cmd.exe	PING.EXE
PID 728 wrote to memory of 4744	728	cmd.exe	PING.EXE
PID 728 wrote to memory of 4744	728	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe
"C:\Users\Admin\AppData\Local\Temp\02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4240

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:4348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\02b4f6afa145a6f1b65e2d35db1b0ed674cbcb15900a58f7eeffbbb48e98e097.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:728

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
5701b43a0fe0787ad13b6860f0a50d4f

SHA1
fdd9898c348b070418394cd016eb6593c234b960

SHA256
649db09c263d3a41b50c1cb6edb61b81d5178707b36f7cb88d75e2d79c2ae40f

SHA512
961a28868d5166fcdb82e2db69db42b8a78bef1a302373567e77fdf0a82d1fd380443d8f5286118c8731a04e01516d9f0427392a3eddc273e2d492b954d1c324

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
5701b43a0fe0787ad13b6860f0a50d4f

SHA1
fdd9898c348b070418394cd016eb6593c234b960

SHA256
649db09c263d3a41b50c1cb6edb61b81d5178707b36f7cb88d75e2d79c2ae40f

SHA512
961a28868d5166fcdb82e2db69db42b8a78bef1a302373567e77fdf0a82d1fd380443d8f5286118c8731a04e01516d9f0427392a3eddc273e2d492b954d1c324

Download Submit
memory/3540-132-0x0000019EB9F20000-0x0000019EB9F30000-memory.dmp

Filesize
64KB

Download
memory/3540-133-0x0000019EB9F80000-0x0000019EB9F90000-memory.dmp

Filesize
64KB

Download
memory/3540-134-0x0000019EBC640000-0x0000019EBC644000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads