sakula | 04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441

General

Target

04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe
Size

216KB
MD5

302d599e42b91c11e2be761923e2a619
SHA1

c4e3f91cd0e3b2a94ac25769a1a182e850615444
SHA256

04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441
SHA512

300bc552240a70de253f0309230453b604b2268facf22d5f955c9f0298c7171e5e57eb5e8d97a9f6fb90de7ea2425aad286ba70724e9d0fe779a618855005b70

Score

10^/10

sakula persistence rat suricata trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral1/memory/1864-58-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula
behavioral1/memory/1816-59-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1816 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

812 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe

pid process

1864 04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe

pid	process
1816	MediaCenter.exe

pid	process
812	cmd.exe

pid	process
1864	04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1980 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe

description pid process

Token: SeIncBasePriorityPrivilege 1864 04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe

pid	process
1980	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1864	04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.execmd.exe

description	pid	process	target process
PID 1864 wrote to memory of 1816	1864	04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe	MediaCenter.exe
PID 1864 wrote to memory of 1816	1864	04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe	MediaCenter.exe
PID 1864 wrote to memory of 1816	1864	04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe	MediaCenter.exe
PID 1864 wrote to memory of 1816	1864	04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe	MediaCenter.exe
PID 1864 wrote to memory of 812	1864	04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe	cmd.exe
PID 1864 wrote to memory of 812	1864	04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe	cmd.exe
PID 1864 wrote to memory of 812	1864	04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe	cmd.exe
PID 1864 wrote to memory of 812	1864	04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe	cmd.exe
PID 812 wrote to memory of 1980	812	cmd.exe	PING.EXE
PID 812 wrote to memory of 1980	812	cmd.exe	PING.EXE
PID 812 wrote to memory of 1980	812	cmd.exe	PING.EXE
PID 812 wrote to memory of 1980	812	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe
"C:\Users\Admin\AppData\Local\Temp\04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04c89ed64019e3835b44157a97e63c614744527bfe294c7d0c775551c7b99441.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
32bd2c4d3e339acc56593a765197e658

SHA1
ef318041243a08b1a9ad1a1cb0b5ced0032d0b7f

SHA256
da13de54ecf4d3b973c59e46e17b514076059691f32345b4e5445458a62eaf01

SHA512
0ada0e741f2cda24b3d6756a87096e8dc7d5bcbd0bdd935b1db38082ab9c89d2937d380d1ac6fa02a80596b7ce2b3ca8549aafe3cce048c61392bc0e3cf43efc

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
32bd2c4d3e339acc56593a765197e658

SHA1
ef318041243a08b1a9ad1a1cb0b5ced0032d0b7f

SHA256
da13de54ecf4d3b973c59e46e17b514076059691f32345b4e5445458a62eaf01

SHA512
0ada0e741f2cda24b3d6756a87096e8dc7d5bcbd0bdd935b1db38082ab9c89d2937d380d1ac6fa02a80596b7ce2b3ca8549aafe3cce048c61392bc0e3cf43efc

Download Submit
memory/1816-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1864-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1864-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads