sakula | 026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e

General

Target

026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe
Size

60KB
MD5

707a1d509d63fdc4a0d35b277d0b1418
SHA1

253275d5b24cf38acd8ed9df9989901d01854286
SHA256

026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e
SHA512

fedbbdab37cd3990fca35f87306e3d1e6a17c81badb2e4514396aa7dd8182f2fe5c9d3155ad09288e953228dcad49adf0d9c0b971b0988ca3a05812da8488523

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

468 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1340 cmd.exe

pid	process
468	MediaCenter.exe

pid	process
1340	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe

pid	process
1744	026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe
1744	026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1512 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe

description pid process

Token: SeIncBasePriorityPrivilege 1744 026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe

pid	process
1512	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1744	026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.execmd.exe

description	pid	process	target process
PID 1744 wrote to memory of 468	1744	026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe	MediaCenter.exe
PID 1744 wrote to memory of 468	1744	026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe	MediaCenter.exe
PID 1744 wrote to memory of 468	1744	026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe	MediaCenter.exe
PID 1744 wrote to memory of 468	1744	026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe	MediaCenter.exe
PID 1744 wrote to memory of 1340	1744	026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe	cmd.exe
PID 1744 wrote to memory of 1340	1744	026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe	cmd.exe
PID 1744 wrote to memory of 1340	1744	026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe	cmd.exe
PID 1744 wrote to memory of 1340	1744	026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe	cmd.exe
PID 1340 wrote to memory of 1512	1340	cmd.exe	PING.EXE
PID 1340 wrote to memory of 1512	1340	cmd.exe	PING.EXE
PID 1340 wrote to memory of 1512	1340	cmd.exe	PING.EXE
PID 1340 wrote to memory of 1512	1340	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe
"C:\Users\Admin\AppData\Local\Temp\026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\026fc07d2c09ca93ad95d4a7975fe0a2dcad282eb09e0f1ad60777ad22016b6e.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
d4c28f713839c5184d8aa9ba7b4c4b43

SHA1
6bcb1db1a3cfa84d6a7fcac8fe167bf35366c036

SHA256
d67d3e8439d8af4fbd41e4a008df0d2c9f22fc7627623205550c484e2f2756c1

SHA512
1ad485d264f30247e3135d657f316c6b883371f528282845b6de0c29e4c451945f1842e77d7104e8cbb9e95638836b8619d881e5296f719ac3f9668dcb12c8f1

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
d4c28f713839c5184d8aa9ba7b4c4b43

SHA1
6bcb1db1a3cfa84d6a7fcac8fe167bf35366c036

SHA256
d67d3e8439d8af4fbd41e4a008df0d2c9f22fc7627623205550c484e2f2756c1

SHA512
1ad485d264f30247e3135d657f316c6b883371f528282845b6de0c29e4c451945f1842e77d7104e8cbb9e95638836b8619d881e5296f719ac3f9668dcb12c8f1

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
d4c28f713839c5184d8aa9ba7b4c4b43

SHA1
6bcb1db1a3cfa84d6a7fcac8fe167bf35366c036

SHA256
d67d3e8439d8af4fbd41e4a008df0d2c9f22fc7627623205550c484e2f2756c1

SHA512
1ad485d264f30247e3135d657f316c6b883371f528282845b6de0c29e4c451945f1842e77d7104e8cbb9e95638836b8619d881e5296f719ac3f9668dcb12c8f1

Download Submit
memory/1744-55-0x00000000763B1000-0x00000000763B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads