sakula | 005fd6dbed96dc3a9cb190326be4d4c8ceb820022b1ee2498d900c9a2655dfb0

General

Target

005fd6dbed96dc3a9cb190326be4d4c8ceb820022b1ee2498d900c9a2655dfb0.exe
Size

191KB
MD5

04f2391f092760a14798805ac1a19728
SHA1

43db8226ccca8354b265493193329d8afb623881
SHA256

005fd6dbed96dc3a9cb190326be4d4c8ceb820022b1ee2498d900c9a2655dfb0
SHA512

1e8fb874719c5f8db30be71a761fac0fc378648265bc6d4dff8036c5f5f7ab7f1c2a1dd030ba1d7c779d0b56fddc687daf2950c6a4f7dd85bd4871e574065c47

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1448 MediaCenter.exe

pid	process
1448	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

005fd6dbed96dc3a9cb190326be4d4c8ceb820022b1ee2498d900c9a2655dfb0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	005fd6dbed96dc3a9cb190326be4d4c8ceb820022b1ee2498d900c9a2655dfb0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

005fd6dbed96dc3a9cb190326be4d4c8ceb820022b1ee2498d900c9a2655dfb0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	005fd6dbed96dc3a9cb190326be4d4c8ceb820022b1ee2498d900c9a2655dfb0.exe

Drops file in Windows directory 8 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3680 PING.EXE

pid	process
3680	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exe005fd6dbed96dc3a9cb190326be4d4c8ceb820022b1ee2498d900c9a2655dfb0.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	1692	svchost.exe
Token: SeCreatePagefilePrivilege	1692	svchost.exe
Token: SeShutdownPrivilege	1692	svchost.exe
Token: SeCreatePagefilePrivilege	1692	svchost.exe
Token: SeShutdownPrivilege	1692	svchost.exe
Token: SeCreatePagefilePrivilege	1692	svchost.exe
Token: SeIncBasePriorityPrivilege	3580	005fd6dbed96dc3a9cb190326be4d4c8ceb820022b1ee2498d900c9a2655dfb0.exe
Token: SeSecurityPrivilege	2908	TiWorker.exe
Token: SeRestorePrivilege	2908	TiWorker.exe
Token: SeBackupPrivilege	2908	TiWorker.exe
Token: SeBackupPrivilege	2908	TiWorker.exe
Token: SeRestorePrivilege	2908	TiWorker.exe
Token: SeSecurityPrivilege	2908	TiWorker.exe
Token: SeBackupPrivilege	2908	TiWorker.exe
Token: SeRestorePrivilege	2908	TiWorker.exe
Token: SeSecurityPrivilege	2908	TiWorker.exe
Token: SeBackupPrivilege	2908	TiWorker.exe
Token: SeRestorePrivilege	2908	TiWorker.exe
Token: SeSecurityPrivilege	2908	TiWorker.exe
Token: SeBackupPrivilege	2908	TiWorker.exe
Token: SeRestorePrivilege	2908	TiWorker.exe
Token: SeSecurityPrivilege	2908	TiWorker.exe
Token: SeBackupPrivilege	2908	TiWorker.exe
Token: SeRestorePrivilege	2908	TiWorker.exe
Token: SeSecurityPrivilege	2908	TiWorker.exe
Token: SeBackupPrivilege	2908	TiWorker.exe
Token: SeRestorePrivilege	2908	TiWorker.exe
Token: SeSecurityPrivilege	2908	TiWorker.exe
Token: SeBackupPrivilege	2908	TiWorker.exe
Token: SeRestorePrivilege	2908	TiWorker.exe
Token: SeSecurityPrivilege	2908	TiWorker.exe
Token: SeBackupPrivilege	2908	TiWorker.exe
Token: SeRestorePrivilege	2908	TiWorker.exe
Token: SeSecurityPrivilege	2908	TiWorker.exe
Token: SeBackupPrivilege	2908	TiWorker.exe
Token: SeRestorePrivilege	2908	TiWorker.exe
Token: SeSecurityPrivilege	2908	TiWorker.exe
Token: SeBackupPrivilege	2908	TiWorker.exe
Token: SeRestorePrivilege	2908	TiWorker.exe
Token: SeSecurityPrivilege	2908	TiWorker.exe
Token: SeBackupPrivilege	2908	TiWorker.exe
Token: SeRestorePrivilege	2908	TiWorker.exe
Token: SeSecurityPrivilege	2908	TiWorker.exe
Token: SeBackupPrivilege	2908	TiWorker.exe
Token: SeRestorePrivilege	2908	TiWorker.exe
Token: SeSecurityPrivilege	2908	TiWorker.exe
Token: SeBackupPrivilege	2908	TiWorker.exe
Token: SeRestorePrivilege	2908	TiWorker.exe
Token: SeSecurityPrivilege	2908	TiWorker.exe
Token: SeBackupPrivilege	2908	TiWorker.exe
Token: SeRestorePrivilege	2908	TiWorker.exe
Token: SeSecurityPrivilege	2908	TiWorker.exe
Token: SeBackupPrivilege	2908	TiWorker.exe
Token: SeRestorePrivilege	2908	TiWorker.exe
Token: SeSecurityPrivilege	2908	TiWorker.exe
Token: SeBackupPrivilege	2908	TiWorker.exe
Token: SeRestorePrivilege	2908	TiWorker.exe
Token: SeSecurityPrivilege	2908	TiWorker.exe
Token: SeBackupPrivilege	2908	TiWorker.exe
Token: SeRestorePrivilege	2908	TiWorker.exe
Token: SeSecurityPrivilege	2908	TiWorker.exe
Token: SeBackupPrivilege	2908	TiWorker.exe
Token: SeRestorePrivilege	2908	TiWorker.exe
Token: SeSecurityPrivilege	2908	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

005fd6dbed96dc3a9cb190326be4d4c8ceb820022b1ee2498d900c9a2655dfb0.execmd.exe

description	pid	process	target process
PID 3580 wrote to memory of 1448	3580	005fd6dbed96dc3a9cb190326be4d4c8ceb820022b1ee2498d900c9a2655dfb0.exe	MediaCenter.exe
PID 3580 wrote to memory of 1448	3580	005fd6dbed96dc3a9cb190326be4d4c8ceb820022b1ee2498d900c9a2655dfb0.exe	MediaCenter.exe
PID 3580 wrote to memory of 1448	3580	005fd6dbed96dc3a9cb190326be4d4c8ceb820022b1ee2498d900c9a2655dfb0.exe	MediaCenter.exe
PID 3580 wrote to memory of 8	3580	005fd6dbed96dc3a9cb190326be4d4c8ceb820022b1ee2498d900c9a2655dfb0.exe	cmd.exe
PID 3580 wrote to memory of 8	3580	005fd6dbed96dc3a9cb190326be4d4c8ceb820022b1ee2498d900c9a2655dfb0.exe	cmd.exe
PID 3580 wrote to memory of 8	3580	005fd6dbed96dc3a9cb190326be4d4c8ceb820022b1ee2498d900c9a2655dfb0.exe	cmd.exe
PID 8 wrote to memory of 3680	8	cmd.exe	PING.EXE
PID 8 wrote to memory of 3680	8	cmd.exe	PING.EXE
PID 8 wrote to memory of 3680	8	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\005fd6dbed96dc3a9cb190326be4d4c8ceb820022b1ee2498d900c9a2655dfb0.exe
"C:\Users\Admin\AppData\Local\Temp\005fd6dbed96dc3a9cb190326be4d4c8ceb820022b1ee2498d900c9a2655dfb0.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\005fd6dbed96dc3a9cb190326be4d4c8ceb820022b1ee2498d900c9a2655dfb0.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
fd0edb415afa5f33b3882595dfb20323

SHA1
53b77aa90ae2cbe17a00f1995788fcdf179a28c2

SHA256
39d4d5c1f2c33c4adbca4c27fdb316d19f3b15251700b0ce1e572c506960ff0a

SHA512
2dba699f9d1c2f77e2bcc22bac520dff033ede511670871823d248e35c14a55a0e5b116d59a4ee7ff013b565699e8e64f1ef2dddbbe86912d56453a8b1be9722

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
fd0edb415afa5f33b3882595dfb20323

SHA1
53b77aa90ae2cbe17a00f1995788fcdf179a28c2

SHA256
39d4d5c1f2c33c4adbca4c27fdb316d19f3b15251700b0ce1e572c506960ff0a

SHA512
2dba699f9d1c2f77e2bcc22bac520dff033ede511670871823d248e35c14a55a0e5b116d59a4ee7ff013b565699e8e64f1ef2dddbbe86912d56453a8b1be9722

Download Submit
memory/1692-132-0x000001A560560000-0x000001A560570000-memory.dmp

Filesize
64KB

Download
memory/1692-133-0x000001A560CE0000-0x000001A560CF0000-memory.dmp

Filesize
64KB

Download
memory/1692-134-0x000001A5631B0000-0x000001A5631B4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads