sakula | 04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c

General

Target

04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe
Size

101KB
MD5

dc6f9a9b83bfff258ba040f7e2f3501c
SHA1

bc0428d0bfe2b5be1f4a09fdf5c2b6dbe6250e39
SHA256

04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c
SHA512

f5cad8dba123a21cb6f75ef1c646f7d8f01f0a004dca7e58f4c51d1873ed8ef809edc3c8c2cf36589e2f5e81f67907abe08ff2c9d820eb2b19d7a4c44e9211a7

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

948 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1380 cmd.exe

pid	process
948	MediaCenter.exe

pid	process
1380	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe

pid	process
732	04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe
732	04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

420 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe

description pid process

Token: SeIncBasePriorityPrivilege 732 04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe

pid	process
420	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	732	04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.execmd.exe

description	pid	process	target process
PID 732 wrote to memory of 948	732	04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe	MediaCenter.exe
PID 732 wrote to memory of 948	732	04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe	MediaCenter.exe
PID 732 wrote to memory of 948	732	04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe	MediaCenter.exe
PID 732 wrote to memory of 948	732	04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe	MediaCenter.exe
PID 732 wrote to memory of 1380	732	04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe	cmd.exe
PID 732 wrote to memory of 1380	732	04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe	cmd.exe
PID 732 wrote to memory of 1380	732	04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe	cmd.exe
PID 732 wrote to memory of 1380	732	04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe	cmd.exe
PID 1380 wrote to memory of 420	1380	cmd.exe	PING.EXE
PID 1380 wrote to memory of 420	1380	cmd.exe	PING.EXE
PID 1380 wrote to memory of 420	1380	cmd.exe	PING.EXE
PID 1380 wrote to memory of 420	1380	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe
"C:\Users\Admin\AppData\Local\Temp\04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:732

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04987294b5882639c61eb1b7e0101c4ecd6c0e781649bca8752d4cd48efb9c8c.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
7f34adda9af0837d654985d65e14b1b2

SHA1
8844f4e4f014289d159d0c9676ff1be41c75f178

SHA256
ebcbbf9c173e95e7950e927db95bda177cb4f4613e93e2aacf6f27e92deaf3d9

SHA512
51d99038bf2fe654431a08645e5e9e4cd19e06c566e07c8bbad94aaf2c3f75469c3be126c50581b2f2ac12a1e39d5788b9c2e971b0b5d17d3186eb1711d985b4

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
7f34adda9af0837d654985d65e14b1b2

SHA1
8844f4e4f014289d159d0c9676ff1be41c75f178

SHA256
ebcbbf9c173e95e7950e927db95bda177cb4f4613e93e2aacf6f27e92deaf3d9

SHA512
51d99038bf2fe654431a08645e5e9e4cd19e06c566e07c8bbad94aaf2c3f75469c3be126c50581b2f2ac12a1e39d5788b9c2e971b0b5d17d3186eb1711d985b4

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
7f34adda9af0837d654985d65e14b1b2

SHA1
8844f4e4f014289d159d0c9676ff1be41c75f178

SHA256
ebcbbf9c173e95e7950e927db95bda177cb4f4613e93e2aacf6f27e92deaf3d9

SHA512
51d99038bf2fe654431a08645e5e9e4cd19e06c566e07c8bbad94aaf2c3f75469c3be126c50581b2f2ac12a1e39d5788b9c2e971b0b5d17d3186eb1711d985b4

Download Submit
memory/732-55-0x0000000076B81000-0x0000000076B83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads