sakula | 044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db

General

Target

044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe
Size

60KB
MD5

9b5bec464e67b77726e7a9dc85f09c1e
SHA1

e2d5251a27a30f59f3e157a24198192fa1d9f74f
SHA256

044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db
SHA512

302723ebcfae01f0ffdf8d9bb6462b9bf979c4b39e9c229dea6b0eebdd97930b37be34e0b19b611f3e98e141f02a8c1b4be1ce29c23955ad5379a732c4d58c29

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1344 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1140 cmd.exe

pid	process
1344	MediaCenter.exe

pid	process
1140	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe

pid	process
1632	044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe
1632	044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1264 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe

description pid process

Token: SeIncBasePriorityPrivilege 1632 044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe

pid	process
1264	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1632	044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.execmd.exe

description	pid	process	target process
PID 1632 wrote to memory of 1344	1632	044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe	MediaCenter.exe
PID 1632 wrote to memory of 1344	1632	044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe	MediaCenter.exe
PID 1632 wrote to memory of 1344	1632	044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe	MediaCenter.exe
PID 1632 wrote to memory of 1344	1632	044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe	MediaCenter.exe
PID 1632 wrote to memory of 1140	1632	044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe	cmd.exe
PID 1632 wrote to memory of 1140	1632	044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe	cmd.exe
PID 1632 wrote to memory of 1140	1632	044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe	cmd.exe
PID 1632 wrote to memory of 1140	1632	044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe	cmd.exe
PID 1140 wrote to memory of 1264	1140	cmd.exe	PING.EXE
PID 1140 wrote to memory of 1264	1140	cmd.exe	PING.EXE
PID 1140 wrote to memory of 1264	1140	cmd.exe	PING.EXE
PID 1140 wrote to memory of 1264	1140	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe
"C:\Users\Admin\AppData\Local\Temp\044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\044d5b640f739b9833375215580d6142bed184e33b0fc14d1408eb502486f9db.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
26c1ab085802ee2e9c5b6f564281b13a

SHA1
3a2dafd0d3e4cb8cda39b56988fa4c52d62981fc

SHA256
394e99165d07b2973cbcaa1f811c23b6dcd48b66b5f6c2457bdb78571e1dea24

SHA512
fa2548a09773c84dea05c01fddd8411aff17937f12d4a46f97d7af43657a33e85da59f8bd0f899ae7a2d150b5aa416794d667288e289029fe9d0b62a67bf86bd

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
26c1ab085802ee2e9c5b6f564281b13a

SHA1
3a2dafd0d3e4cb8cda39b56988fa4c52d62981fc

SHA256
394e99165d07b2973cbcaa1f811c23b6dcd48b66b5f6c2457bdb78571e1dea24

SHA512
fa2548a09773c84dea05c01fddd8411aff17937f12d4a46f97d7af43657a33e85da59f8bd0f899ae7a2d150b5aa416794d667288e289029fe9d0b62a67bf86bd

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
26c1ab085802ee2e9c5b6f564281b13a

SHA1
3a2dafd0d3e4cb8cda39b56988fa4c52d62981fc

SHA256
394e99165d07b2973cbcaa1f811c23b6dcd48b66b5f6c2457bdb78571e1dea24

SHA512
fa2548a09773c84dea05c01fddd8411aff17937f12d4a46f97d7af43657a33e85da59f8bd0f899ae7a2d150b5aa416794d667288e289029fe9d0b62a67bf86bd

Download Submit
memory/1632-55-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads