sakula | b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e

General

Target

b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.exe
Size

76KB
MD5

f032614326676138de5a4dc97ddc87e5
SHA1

a55a86bdd0f40b8a8801cacbbc025a8f58a5aeec
SHA256

b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e
SHA512

3fd27b90ebfd2c94369bc432d082baa88c8c53b1aa83fae2e5c03f9e59f53c7520071a79e968abd232e2998c27176a011e038c7900ddea3dba6b97812ef13456

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

2604 MediaCenter.exe

pid	process
2604	MediaCenter.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2336 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2764 PING.EXE

pid	process
2336	reg.exe

pid	process
2764	PING.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3320 wrote to memory of 1248	3320	b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.exe	cmd.exe
PID 3320 wrote to memory of 1248	3320	b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.exe	cmd.exe
PID 3320 wrote to memory of 1248	3320	b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.exe	cmd.exe
PID 3320 wrote to memory of 1352	3320	b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.exe	cmd.exe
PID 3320 wrote to memory of 1352	3320	b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.exe	cmd.exe
PID 3320 wrote to memory of 1352	3320	b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.exe	cmd.exe
PID 3320 wrote to memory of 1400	3320	b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.exe	cmd.exe
PID 3320 wrote to memory of 1400	3320	b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.exe	cmd.exe
PID 3320 wrote to memory of 1400	3320	b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.exe	cmd.exe
PID 1400 wrote to memory of 2764	1400	cmd.exe	PING.EXE
PID 1400 wrote to memory of 2764	1400	cmd.exe	PING.EXE
PID 1400 wrote to memory of 2764	1400	cmd.exe	PING.EXE
PID 1248 wrote to memory of 2336	1248	cmd.exe	reg.exe
PID 1248 wrote to memory of 2336	1248	cmd.exe	reg.exe
PID 1248 wrote to memory of 2336	1248	cmd.exe	reg.exe
PID 1352 wrote to memory of 2604	1352	cmd.exe	MediaCenter.exe
PID 1352 wrote to memory of 2604	1352	cmd.exe	MediaCenter.exe
PID 1352 wrote to memory of 2604	1352	cmd.exe	MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.exe
"C:\Users\Admin\AppData\Local\Temp\b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3320

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2336

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
3⤵
- Executes dropped EXE
PID:2604

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\b0144b6b820bbd7e84f82b2cbc63dfe25b858dd39f70e52efca66f5d5104046e.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
348cab12013d0bb99563504ccfe6f2c4

SHA1
90858489641a388d19d27cdbd4c89d83e89cf7c1

SHA256
fdd8e6b083d810cdafc02070008c1b9c990bc99a860b8756dd3867766181a79f

SHA512
de922692a294a10639976fd91565e99b58ab2db25651f0ea23944209028b33c46381f9a95b3199e78893c81ed554b4495d2baa514d9c97d6d9d33f06f0e75726

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
348cab12013d0bb99563504ccfe6f2c4

SHA1
90858489641a388d19d27cdbd4c89d83e89cf7c1

SHA256
fdd8e6b083d810cdafc02070008c1b9c990bc99a860b8756dd3867766181a79f

SHA512
de922692a294a10639976fd91565e99b58ab2db25651f0ea23944209028b33c46381f9a95b3199e78893c81ed554b4495d2baa514d9c97d6d9d33f06f0e75726

Download Submit
memory/3320-130-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download

Resubmissions

Analysis

Sharing