sakula | 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa

General

Target

995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe
Size

4.5MB
MD5

ccdb023db49ef98e92bc4e52fd5d7bec
SHA1

704fe7f943331a69984527e50d3ab1823e111f4b
SHA256

995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa
SHA512

4ce111297c6cdff1377d6eaa9069318ffd7845a4e91ec9bb01488cdef70c5ef292dcb7bb40fff76ff081eaff87e32632bdd4227f0f7c853857da0de4b52e1d29

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

3424 MediaCenter.exe

pid	process
3424	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4516 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe

description pid process

Token: SeIncBasePriorityPrivilege 1268 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe

pid	process
4516	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1268	995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.execmd.exe

description	pid	process	target process
PID 1268 wrote to memory of 3424	1268	995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe	MediaCenter.exe
PID 1268 wrote to memory of 3424	1268	995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe	MediaCenter.exe
PID 1268 wrote to memory of 3424	1268	995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe	MediaCenter.exe
PID 1268 wrote to memory of 4464	1268	995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe	cmd.exe
PID 1268 wrote to memory of 4464	1268	995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe	cmd.exe
PID 1268 wrote to memory of 4464	1268	995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe	cmd.exe
PID 4464 wrote to memory of 4516	4464	cmd.exe	PING.EXE
PID 4464 wrote to memory of 4516	4464	cmd.exe	PING.EXE
PID 4464 wrote to memory of 4516	4464	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe
"C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:3424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
09a30137ce61df288e18c8428e6bfffe

SHA1
8a8a1b16a783a0902ccb02d76ac7b4b04d9dc359

SHA256
dd5db5e5f740959c4844f38926e57b68acddb1b65c3eb0de05c14a578b84b7de

SHA512
6d8cb3b28034d3cb1c82b15fe5474795840a409a54274f3ec8f37c46d0c883f8848c41e8bd42405e197187bb25c6112cd7a69cf743921e60cd067469c8fc6c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
09a30137ce61df288e18c8428e6bfffe

SHA1
8a8a1b16a783a0902ccb02d76ac7b4b04d9dc359

SHA256
dd5db5e5f740959c4844f38926e57b68acddb1b65c3eb0de05c14a578b84b7de

SHA512
6d8cb3b28034d3cb1c82b15fe5474795840a409a54274f3ec8f37c46d0c883f8848c41e8bd42405e197187bb25c6112cd7a69cf743921e60cd067469c8fc6c54

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads