sakula | 03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a

General

Target

03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe
Size

58KB
MD5

1a728a8b44e3b94047fc128fe1d54800
SHA1

61de11cc7e74c412e2f89f505cb55fa312fd9330
SHA256

03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a
SHA512

0b3861b70fcc844ca2d7af00b2a67650aa52dd53dc8709d2b9b950221bb69853c2ba7d251d2ad5fb5b860fb8624ba0af3bf429d21f53c359d7cad2602a9062cd

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

528 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1176 cmd.exe

pid	process
528	MediaCenter.exe

pid	process
1176	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe

pid	process
972	03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe
972	03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1560 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe

description pid process

Token: SeIncBasePriorityPrivilege 972 03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe

pid	process
1560	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	972	03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.execmd.exe

description	pid	process	target process
PID 972 wrote to memory of 528	972	03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe	MediaCenter.exe
PID 972 wrote to memory of 528	972	03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe	MediaCenter.exe
PID 972 wrote to memory of 528	972	03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe	MediaCenter.exe
PID 972 wrote to memory of 528	972	03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe	MediaCenter.exe
PID 972 wrote to memory of 1176	972	03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe	cmd.exe
PID 972 wrote to memory of 1176	972	03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe	cmd.exe
PID 972 wrote to memory of 1176	972	03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe	cmd.exe
PID 972 wrote to memory of 1176	972	03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe	cmd.exe
PID 1176 wrote to memory of 1560	1176	cmd.exe	PING.EXE
PID 1176 wrote to memory of 1560	1176	cmd.exe	PING.EXE
PID 1176 wrote to memory of 1560	1176	cmd.exe	PING.EXE
PID 1176 wrote to memory of 1560	1176	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe
"C:\Users\Admin\AppData\Local\Temp\03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\03d669078ea96f840ccdcc4be283a13fc627dd1cd593d34e2a20c52128a9ea8a.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
41bae8271d40bc122941c4fbc1ac0ece

SHA1
d45a96580647adfe61da774a336ffb3fad9dbbc4

SHA256
4f1aebf4936aeb58e5dcc82154f899188aca428f6cffc2e34f4e849596ed1e3b

SHA512
1c6fa7f9674087e02e8a1cb07d9b37bed48dd57f18239a39e6a4a8908f6f0e9d34cdb649c29906fda17d7ed634bfec71421d350873d3277159674f50408e30d9

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
41bae8271d40bc122941c4fbc1ac0ece

SHA1
d45a96580647adfe61da774a336ffb3fad9dbbc4

SHA256
4f1aebf4936aeb58e5dcc82154f899188aca428f6cffc2e34f4e849596ed1e3b

SHA512
1c6fa7f9674087e02e8a1cb07d9b37bed48dd57f18239a39e6a4a8908f6f0e9d34cdb649c29906fda17d7ed634bfec71421d350873d3277159674f50408e30d9

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
41bae8271d40bc122941c4fbc1ac0ece

SHA1
d45a96580647adfe61da774a336ffb3fad9dbbc4

SHA256
4f1aebf4936aeb58e5dcc82154f899188aca428f6cffc2e34f4e849596ed1e3b

SHA512
1c6fa7f9674087e02e8a1cb07d9b37bed48dd57f18239a39e6a4a8908f6f0e9d34cdb649c29906fda17d7ed634bfec71421d350873d3277159674f50408e30d9

Download Submit
memory/972-55-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads