sakula | 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa

General

Target

995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe
Size

4.5MB
MD5

ccdb023db49ef98e92bc4e52fd5d7bec
SHA1

704fe7f943331a69984527e50d3ab1823e111f4b
SHA256

995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa
SHA512

4ce111297c6cdff1377d6eaa9069318ffd7845a4e91ec9bb01488cdef70c5ef292dcb7bb40fff76ff081eaff87e32632bdd4227f0f7c853857da0de4b52e1d29

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1528 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2004 cmd.exe

pid	process
1528	MediaCenter.exe

pid	process
2004	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe

pid	process
1692	995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe
1692	995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1280 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe

description pid process

Token: SeIncBasePriorityPrivilege 1692 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe

pid	process
1280	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1692	995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.execmd.exe

description	pid	process	target process
PID 1692 wrote to memory of 1528	1692	995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe	MediaCenter.exe
PID 1692 wrote to memory of 1528	1692	995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe	MediaCenter.exe
PID 1692 wrote to memory of 1528	1692	995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe	MediaCenter.exe
PID 1692 wrote to memory of 1528	1692	995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe	MediaCenter.exe
PID 1692 wrote to memory of 2004	1692	995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe	cmd.exe
PID 1692 wrote to memory of 2004	1692	995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe	cmd.exe
PID 1692 wrote to memory of 2004	1692	995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe	cmd.exe
PID 1692 wrote to memory of 2004	1692	995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe	cmd.exe
PID 2004 wrote to memory of 1280	2004	cmd.exe	PING.EXE
PID 2004 wrote to memory of 1280	2004	cmd.exe	PING.EXE
PID 2004 wrote to memory of 1280	2004	cmd.exe	PING.EXE
PID 2004 wrote to memory of 1280	2004	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe
"C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
d47d2dbf6dac4a6e63177740c1997b9e

SHA1
d6fdec33c9cc89892c9cc16217471d48a48cb132

SHA256
99412832c2597154e7d28d2e71839322d83c400ab4929be2f62284a1860f6e6e

SHA512
59528be3bbe877ea67d57567553f0a7b8e769738af4fb4a9ec6b329339e90283a611cec473236de937552570e4a25d8425e090a86f5dd7101276b67b84826fab

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
d47d2dbf6dac4a6e63177740c1997b9e

SHA1
d6fdec33c9cc89892c9cc16217471d48a48cb132

SHA256
99412832c2597154e7d28d2e71839322d83c400ab4929be2f62284a1860f6e6e

SHA512
59528be3bbe877ea67d57567553f0a7b8e769738af4fb4a9ec6b329339e90283a611cec473236de937552570e4a25d8425e090a86f5dd7101276b67b84826fab

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
d47d2dbf6dac4a6e63177740c1997b9e

SHA1
d6fdec33c9cc89892c9cc16217471d48a48cb132

SHA256
99412832c2597154e7d28d2e71839322d83c400ab4929be2f62284a1860f6e6e

SHA512
59528be3bbe877ea67d57567553f0a7b8e769738af4fb4a9ec6b329339e90283a611cec473236de937552570e4a25d8425e090a86f5dd7101276b67b84826fab

Download Submit
memory/1692-54-0x0000000076731000-0x0000000076733000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads