sakula | 99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8

General

Target

99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe
Size

80KB
MD5

adb692a6723aecf736f9314a6bf64b8f
SHA1

6b059d15b577fca1c0815e1051378e9955b7c7fd
SHA256

99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8
SHA512

114b03b4a8a0feb6a18acf8ec3077754549756f0327f7684cc716ec6b49601c5f9fb4a6c06147c94809c79768adbe24211a34ef7fb1d1e7e6e74660478e0186c

Score

10^/10

sakula persistence rat suricata trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
suricata
suricata: ET MALWARE Sakula/Mivast C2 Activity
suricata: ET MALWARE Sakula/Mivast C2 Activity
suricata
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1484 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1660 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1296 cmd.exe
1296 cmd.exe

pid	process
1484	MediaCenter.exe

pid	process
1660	cmd.exe

pid	process
1296	cmd.exe
1296	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1092 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

972 PING.EXE

pid	process
1092	reg.exe

pid	process
972	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1700 wrote to memory of 1264	1700	99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe	cmd.exe
PID 1700 wrote to memory of 1264	1700	99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe	cmd.exe
PID 1700 wrote to memory of 1264	1700	99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe	cmd.exe
PID 1700 wrote to memory of 1264	1700	99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe	cmd.exe
PID 1700 wrote to memory of 1296	1700	99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe	cmd.exe
PID 1700 wrote to memory of 1296	1700	99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe	cmd.exe
PID 1700 wrote to memory of 1296	1700	99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe	cmd.exe
PID 1700 wrote to memory of 1296	1700	99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe	cmd.exe
PID 1700 wrote to memory of 1660	1700	99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe	cmd.exe
PID 1700 wrote to memory of 1660	1700	99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe	cmd.exe
PID 1700 wrote to memory of 1660	1700	99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe	cmd.exe
PID 1700 wrote to memory of 1660	1700	99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe	cmd.exe
PID 1296 wrote to memory of 1484	1296	cmd.exe	MediaCenter.exe
PID 1296 wrote to memory of 1484	1296	cmd.exe	MediaCenter.exe
PID 1296 wrote to memory of 1484	1296	cmd.exe	MediaCenter.exe
PID 1296 wrote to memory of 1484	1296	cmd.exe	MediaCenter.exe
PID 1264 wrote to memory of 1092	1264	cmd.exe	reg.exe
PID 1264 wrote to memory of 1092	1264	cmd.exe	reg.exe
PID 1264 wrote to memory of 1092	1264	cmd.exe	reg.exe
PID 1264 wrote to memory of 1092	1264	cmd.exe	reg.exe
PID 1660 wrote to memory of 972	1660	cmd.exe	PING.EXE
PID 1660 wrote to memory of 972	1660	cmd.exe	PING.EXE
PID 1660 wrote to memory of 972	1660	cmd.exe	PING.EXE
PID 1660 wrote to memory of 972	1660	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe
"C:\Users\Admin\AppData\Local\Temp\99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1092

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
3⤵
- Executes dropped EXE
PID:1484

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
536781df94e54eedbf916ff6d4aec653

SHA1
1323d286a3c0c6bbd051394503169d95892b5792

SHA256
79ab85a3ad963ac1175b6408d6667c46f73e6a587f9f074891555dd9c06f772a

SHA512
9dff6093f7e0b0a0bca2dac0e05c9bab6f74dd42371ac4bcde5cee2f2c3a80a2fd497db1ab64f06d050b04d417a095673964357edfd091dbeb2a7e31b6d65da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
536781df94e54eedbf916ff6d4aec653

SHA1
1323d286a3c0c6bbd051394503169d95892b5792

SHA256
79ab85a3ad963ac1175b6408d6667c46f73e6a587f9f074891555dd9c06f772a

SHA512
9dff6093f7e0b0a0bca2dac0e05c9bab6f74dd42371ac4bcde5cee2f2c3a80a2fd497db1ab64f06d050b04d417a095673964357edfd091dbeb2a7e31b6d65da6

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
536781df94e54eedbf916ff6d4aec653

SHA1
1323d286a3c0c6bbd051394503169d95892b5792

SHA256
79ab85a3ad963ac1175b6408d6667c46f73e6a587f9f074891555dd9c06f772a

SHA512
9dff6093f7e0b0a0bca2dac0e05c9bab6f74dd42371ac4bcde5cee2f2c3a80a2fd497db1ab64f06d050b04d417a095673964357edfd091dbeb2a7e31b6d65da6

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
536781df94e54eedbf916ff6d4aec653

SHA1
1323d286a3c0c6bbd051394503169d95892b5792

SHA256
79ab85a3ad963ac1175b6408d6667c46f73e6a587f9f074891555dd9c06f772a

SHA512
9dff6093f7e0b0a0bca2dac0e05c9bab6f74dd42371ac4bcde5cee2f2c3a80a2fd497db1ab64f06d050b04d417a095673964357edfd091dbeb2a7e31b6d65da6

Download Submit
memory/1700-55-0x0000000075F91000-0x0000000075F93000-memory.dmp

Filesize
8KB

Download
memory/1700-56-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download

Resubmissions

Analysis

Sharing