sakula | 03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a

General

Target

03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe
Size

216KB
MD5

ad986b0ddfc4e6e52b02f95093affc49
SHA1

5731643bf3e4dce4e581ba29b2686e6db156b6cd
SHA256

03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a
SHA512

6a095b3f548d8b2f14cd50b6c7ca8389276767017affc86ded6e39966fbe4cdcb2e4b34fe27514c0d0342cd075aee028d24240c598ffdadaf0453cad86e40a86

Score

10^/10

sakula persistence rat suricata trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral1/memory/1532-59-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula
behavioral1/memory/1540-60-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1540 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1560 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe

pid process

1532 03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe

pid	process
1540	MediaCenter.exe

pid	process
1560	cmd.exe

pid	process
1532	03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1556 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe

description pid process

Token: SeIncBasePriorityPrivilege 1532 03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe

pid	process
1556	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1532	03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.execmd.exe

description	pid	process	target process
PID 1532 wrote to memory of 1540	1532	03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe	MediaCenter.exe
PID 1532 wrote to memory of 1540	1532	03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe	MediaCenter.exe
PID 1532 wrote to memory of 1540	1532	03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe	MediaCenter.exe
PID 1532 wrote to memory of 1540	1532	03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe	MediaCenter.exe
PID 1532 wrote to memory of 1560	1532	03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe	cmd.exe
PID 1532 wrote to memory of 1560	1532	03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe	cmd.exe
PID 1532 wrote to memory of 1560	1532	03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe	cmd.exe
PID 1532 wrote to memory of 1560	1532	03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe	cmd.exe
PID 1560 wrote to memory of 1556	1560	cmd.exe	PING.EXE
PID 1560 wrote to memory of 1556	1560	cmd.exe	PING.EXE
PID 1560 wrote to memory of 1556	1560	cmd.exe	PING.EXE
PID 1560 wrote to memory of 1556	1560	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe
"C:\Users\Admin\AppData\Local\Temp\03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\03e2a822055cdcc288d98d88974fd24cd278c0afd2522bc8b3dd65363f23c81a.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
c9cfaff2765db7426646aa93260c1c97

SHA1
51e3ed113c271eb3d396db7e2ba54b79d1647520

SHA256
6ccd28411560bc7ea58e031c4482c3a128f53061741926aa3a9e5311a4121fda

SHA512
be0c9ffde84b9c418281f16ab6049dc838fecab19f52516ea09481995e44b1b395bafc653070b907bccd37cac09fa8601e19b6073551cd5504575dcc58d18f4a

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
c9cfaff2765db7426646aa93260c1c97

SHA1
51e3ed113c271eb3d396db7e2ba54b79d1647520

SHA256
6ccd28411560bc7ea58e031c4482c3a128f53061741926aa3a9e5311a4121fda

SHA512
be0c9ffde84b9c418281f16ab6049dc838fecab19f52516ea09481995e44b1b395bafc653070b907bccd37cac09fa8601e19b6073551cd5504575dcc58d18f4a

Download Submit
memory/1532-55-0x0000000074F11000-0x0000000074F13000-memory.dmp

Filesize
8KB

Download
memory/1532-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1540-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads