sakula | 01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2

General

Target

01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe
Size

80KB
MD5

c81e526c5c1fda71c660d65519ab2732
SHA1

a79a683ac5df1b0a43bf5b41a31b78a6de9e27ae
SHA256

01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2
SHA512

b80f220beaaec6061223026d3ba3a68932fcd2aaf1d3d65710c5d9130e63b7e1ea6bed65339ff7a925d210e529698bb1e7aecf4a105369e40c33cedb2285fad6

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1736 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

928 cmd.exe

pid	process
1736	MediaCenter.exe

pid	process
928	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe

pid	process
1548	01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe
1548	01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1696 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe

description pid process

Token: SeIncBasePriorityPrivilege 1548 01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe

pid	process
1696	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1548	01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.execmd.exe

description	pid	process	target process
PID 1548 wrote to memory of 1736	1548	01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe	MediaCenter.exe
PID 1548 wrote to memory of 1736	1548	01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe	MediaCenter.exe
PID 1548 wrote to memory of 1736	1548	01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe	MediaCenter.exe
PID 1548 wrote to memory of 1736	1548	01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe	MediaCenter.exe
PID 1548 wrote to memory of 928	1548	01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe	cmd.exe
PID 1548 wrote to memory of 928	1548	01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe	cmd.exe
PID 1548 wrote to memory of 928	1548	01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe	cmd.exe
PID 1548 wrote to memory of 928	1548	01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe	cmd.exe
PID 928 wrote to memory of 1696	928	cmd.exe	PING.EXE
PID 928 wrote to memory of 1696	928	cmd.exe	PING.EXE
PID 928 wrote to memory of 1696	928	cmd.exe	PING.EXE
PID 928 wrote to memory of 1696	928	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe
"C:\Users\Admin\AppData\Local\Temp\01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\01ec9fd8625be6f43ef086441d1e08ba6fd0ddf093383e4488287bc8c1cad2c2.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
0d3fd81df0dfb9c55bcb105bf088cc75

SHA1
6319856e713c5dc3ab03ffd0b12ef6ff2b7fae6a

SHA256
3e22de460c5abdaee370bc98a36c94cbd03176609a8625916f06a88aa96d4fb4

SHA512
3f31f415766a02c4e9517f5f77c405c52c0041d0d852690fb4b9463e170b1bbf1870f60005fdb312e9a6b310d2e719187424d3dd97151c86e7be16b2a8352903

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
0d3fd81df0dfb9c55bcb105bf088cc75

SHA1
6319856e713c5dc3ab03ffd0b12ef6ff2b7fae6a

SHA256
3e22de460c5abdaee370bc98a36c94cbd03176609a8625916f06a88aa96d4fb4

SHA512
3f31f415766a02c4e9517f5f77c405c52c0041d0d852690fb4b9463e170b1bbf1870f60005fdb312e9a6b310d2e719187424d3dd97151c86e7be16b2a8352903

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
0d3fd81df0dfb9c55bcb105bf088cc75

SHA1
6319856e713c5dc3ab03ffd0b12ef6ff2b7fae6a

SHA256
3e22de460c5abdaee370bc98a36c94cbd03176609a8625916f06a88aa96d4fb4

SHA512
3f31f415766a02c4e9517f5f77c405c52c0041d0d852690fb4b9463e170b1bbf1870f60005fdb312e9a6b310d2e719187424d3dd97151c86e7be16b2a8352903

Download Submit
memory/1548-55-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads