sakula | 041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944

General

Target

041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe
Size

36KB
MD5

537341dce163bac218c42188acc7eabf
SHA1

74a9ca405acc2475e92e0e24ed3086e445d9d24b
SHA256

041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944
SHA512

a4c4efbc4000674dbb026fb87c3db7d8f1d221437068582f37c845466707bcf9700a9bf78ce510bcce9ae972836428f09aaa4f2432370417681021aecfa007dc

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

628 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

300 cmd.exe

pid	process
628	MediaCenter.exe

pid	process
300	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe

pid	process
1624	041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe
1624	041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

828 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe

description pid process

Token: SeIncBasePriorityPrivilege 1624 041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe

pid	process
828	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1624	041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.execmd.exe

description	pid	process	target process
PID 1624 wrote to memory of 628	1624	041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe	MediaCenter.exe
PID 1624 wrote to memory of 628	1624	041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe	MediaCenter.exe
PID 1624 wrote to memory of 628	1624	041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe	MediaCenter.exe
PID 1624 wrote to memory of 628	1624	041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe	MediaCenter.exe
PID 1624 wrote to memory of 300	1624	041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe	cmd.exe
PID 1624 wrote to memory of 300	1624	041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe	cmd.exe
PID 1624 wrote to memory of 300	1624	041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe	cmd.exe
PID 1624 wrote to memory of 300	1624	041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe	cmd.exe
PID 300 wrote to memory of 828	300	cmd.exe	PING.EXE
PID 300 wrote to memory of 828	300	cmd.exe	PING.EXE
PID 300 wrote to memory of 828	300	cmd.exe	PING.EXE
PID 300 wrote to memory of 828	300	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe
"C:\Users\Admin\AppData\Local\Temp\041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\041cf3053043e1cadd9d9dbd0f9f6ee4bda63c0e7757405a75c318d72356e944.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:300

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
6f3089b2ac9bb74142e32de7e81f9da8

SHA1
514f774e238abf73d0cba51860f0ca9dfaed0d14

SHA256
7da2b5849bc89f19c01738dc15cc1e4d9c2cfb197ea2e1464f4c8b162f8ce66a

SHA512
53a8e789377b7a529563d927b7265567dcb3d3d3663a02ff20999c1c559cd3dfa4f0c51b722e490824e1e330328559ccb1e121551d7476f424b1d5c32dbb8a60

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
6f3089b2ac9bb74142e32de7e81f9da8

SHA1
514f774e238abf73d0cba51860f0ca9dfaed0d14

SHA256
7da2b5849bc89f19c01738dc15cc1e4d9c2cfb197ea2e1464f4c8b162f8ce66a

SHA512
53a8e789377b7a529563d927b7265567dcb3d3d3663a02ff20999c1c559cd3dfa4f0c51b722e490824e1e330328559ccb1e121551d7476f424b1d5c32dbb8a60

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
6f3089b2ac9bb74142e32de7e81f9da8

SHA1
514f774e238abf73d0cba51860f0ca9dfaed0d14

SHA256
7da2b5849bc89f19c01738dc15cc1e4d9c2cfb197ea2e1464f4c8b162f8ce66a

SHA512
53a8e789377b7a529563d927b7265567dcb3d3d3663a02ff20999c1c559cd3dfa4f0c51b722e490824e1e330328559ccb1e121551d7476f424b1d5c32dbb8a60

Download Submit
memory/1624-54-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads