sakula | 02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891

General

Target

02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe
Size

150KB
MD5

2a927eb565852a9750df62d1a0154e96
SHA1

55530ef0e3622ee62a4b60f6d1f3231f82a094cc
SHA256

02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891
SHA512

d94f3e613923d6799afb7ef75b6e7311dd020e5d8b0517711de89c42bc6d0a3de6379c9230ff96ca9233a27787df99b3af8bdf5178edd70311ab85c309bb2533

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1528 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1652 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe

pid process

1552 02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe

pid	process
1528	MediaCenter.exe

pid	process
1652	cmd.exe

pid	process
1552	02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2024 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe

description pid process

Token: SeIncBasePriorityPrivilege 1552 02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe

pid	process
2024	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1552	02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.execmd.exe

description	pid	process	target process
PID 1552 wrote to memory of 1528	1552	02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe	MediaCenter.exe
PID 1552 wrote to memory of 1528	1552	02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe	MediaCenter.exe
PID 1552 wrote to memory of 1528	1552	02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe	MediaCenter.exe
PID 1552 wrote to memory of 1528	1552	02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe	MediaCenter.exe
PID 1552 wrote to memory of 1652	1552	02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe	cmd.exe
PID 1552 wrote to memory of 1652	1552	02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe	cmd.exe
PID 1552 wrote to memory of 1652	1552	02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe	cmd.exe
PID 1552 wrote to memory of 1652	1552	02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe	cmd.exe
PID 1652 wrote to memory of 2024	1652	cmd.exe	PING.EXE
PID 1652 wrote to memory of 2024	1652	cmd.exe	PING.EXE
PID 1652 wrote to memory of 2024	1652	cmd.exe	PING.EXE
PID 1652 wrote to memory of 2024	1652	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe
"C:\Users\Admin\AppData\Local\Temp\02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\02b9fbe0d78c55e16267e00629f4767621a2002e4b5df376713bee32a378e891.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
e3e30680754bc8fc01e3cefd98578818

SHA1
72ab564108cfe700c52992dccb219b69542cf34a

SHA256
aa27a9d0b52b484d0db3c32ca3b12ee53ed7c040fff3736e4171f0f2da762d3f

SHA512
381dc0b1c253b228196ecd6b818d496f87ec19df91480178a33939bf6a61c94e8a19c09782fc6daa29d97846c6b6ce3e4f649b21a77b6a1c3458cd5b672cce7a

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
e3e30680754bc8fc01e3cefd98578818

SHA1
72ab564108cfe700c52992dccb219b69542cf34a

SHA256
aa27a9d0b52b484d0db3c32ca3b12ee53ed7c040fff3736e4171f0f2da762d3f

SHA512
381dc0b1c253b228196ecd6b818d496f87ec19df91480178a33939bf6a61c94e8a19c09782fc6daa29d97846c6b6ce3e4f649b21a77b6a1c3458cd5b672cce7a

Download Submit
memory/1552-55-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads