sakula | b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e

General

Target

b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.exe
Size

76KB
MD5

f032614326676138de5a4dc97ddc87e5
SHA1

a55a86bdd0f40b8a8801cacbbc025a8f58a5aeec
SHA256

b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e
SHA512

3fd27b90ebfd2c94369bc432d082baa88c8c53b1aa83fae2e5c03f9e59f53c7520071a79e968abd232e2998c27176a011e038c7900ddea3dba6b97812ef13456

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1992 MediaCenter.exe

pid	process
1992	MediaCenter.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3052 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2744 PING.EXE

pid	process
3052	reg.exe

pid	process
2744	PING.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3540 wrote to memory of 3296	3540	b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.exe	cmd.exe
PID 3540 wrote to memory of 3296	3540	b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.exe	cmd.exe
PID 3540 wrote to memory of 3296	3540	b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.exe	cmd.exe
PID 3540 wrote to memory of 3592	3540	b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.exe	cmd.exe
PID 3540 wrote to memory of 3592	3540	b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.exe	cmd.exe
PID 3540 wrote to memory of 3592	3540	b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.exe	cmd.exe
PID 3540 wrote to memory of 4088	3540	b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.exe	cmd.exe
PID 3540 wrote to memory of 4088	3540	b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.exe	cmd.exe
PID 3540 wrote to memory of 4088	3540	b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.exe	cmd.exe
PID 3592 wrote to memory of 1992	3592	cmd.exe	MediaCenter.exe
PID 3592 wrote to memory of 1992	3592	cmd.exe	MediaCenter.exe
PID 3592 wrote to memory of 1992	3592	cmd.exe	MediaCenter.exe
PID 4088 wrote to memory of 2744	4088	cmd.exe	PING.EXE
PID 4088 wrote to memory of 2744	4088	cmd.exe	PING.EXE
PID 4088 wrote to memory of 2744	4088	cmd.exe	PING.EXE
PID 3296 wrote to memory of 3052	3296	cmd.exe	reg.exe
PID 3296 wrote to memory of 3052	3296	cmd.exe	reg.exe
PID 3296 wrote to memory of 3052	3296	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.exe
"C:\Users\Admin\AppData\Local\Temp\b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3296

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:3052

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3592

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
3⤵
- Executes dropped EXE
PID:1992

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
16f86f85565789cc412fd969568f6b3f

SHA1
b93351735aeda1aa18925679a153cb407293f0bf

SHA256
8323c5af48eeee648561b8d4f45d4a93750ec0784215dbaef1c52571f758f72d

SHA512
e3b2fbd01506a2226a8a43cd20cb02474bb4cab900235a2223c0188ba39b7a208b804b2bd77f10af7fad5d0d5a00a94b92350a445004d15beb6ffaefcfb7848a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
16f86f85565789cc412fd969568f6b3f

SHA1
b93351735aeda1aa18925679a153cb407293f0bf

SHA256
8323c5af48eeee648561b8d4f45d4a93750ec0784215dbaef1c52571f758f72d

SHA512
e3b2fbd01506a2226a8a43cd20cb02474bb4cab900235a2223c0188ba39b7a208b804b2bd77f10af7fad5d0d5a00a94b92350a445004d15beb6ffaefcfb7848a

Download Submit
memory/3540-115-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download

Resubmissions

Analysis

Sharing