sakula | 4f5363c919c970e147753a3b89cb0d216a1053029e48ebfd9037a5d2931fb67a

General

Target

4f5363c919c970e147753a3b89cb0d216a1053029e48ebfd9037a5d2931fb67a.exe
Size

76KB
MD5

023100d1d8ea30ded733c45dd61a94af
SHA1

6914992f8245f8ad6eb6662d318e77fa75412060
SHA256

4f5363c919c970e147753a3b89cb0d216a1053029e48ebfd9037a5d2931fb67a
SHA512

afff80139e3ffd57d90da376aa1ced923be09c3c26145cae9c359e55531aab8cb0a1a83346a39126de6480890d4c19570b544cd2d71d953cccfaaffcd8a64fcc

Score

10^/10

sakula persistence rat suricata trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
suricata
suricata: ET MALWARE Sakula/Mivast C2 Activity
suricata: ET MALWARE Sakula/Mivast C2 Activity
suricata
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1428 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

560 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1496 cmd.exe
1496 cmd.exe

pid	process
1428	MediaCenter.exe

pid	process
560	cmd.exe

pid	process
1496	cmd.exe
1496	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1444 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1532 PING.EXE

pid	process
1444	reg.exe

pid	process
1532	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

4f5363c919c970e147753a3b89cb0d216a1053029e48ebfd9037a5d2931fb67a.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1336 wrote to memory of 1132	1336	4f5363c919c970e147753a3b89cb0d216a1053029e48ebfd9037a5d2931fb67a.exe	cmd.exe
PID 1336 wrote to memory of 1132	1336	4f5363c919c970e147753a3b89cb0d216a1053029e48ebfd9037a5d2931fb67a.exe	cmd.exe
PID 1336 wrote to memory of 1132	1336	4f5363c919c970e147753a3b89cb0d216a1053029e48ebfd9037a5d2931fb67a.exe	cmd.exe
PID 1336 wrote to memory of 1132	1336	4f5363c919c970e147753a3b89cb0d216a1053029e48ebfd9037a5d2931fb67a.exe	cmd.exe
PID 1336 wrote to memory of 1496	1336	4f5363c919c970e147753a3b89cb0d216a1053029e48ebfd9037a5d2931fb67a.exe	cmd.exe
PID 1336 wrote to memory of 1496	1336	4f5363c919c970e147753a3b89cb0d216a1053029e48ebfd9037a5d2931fb67a.exe	cmd.exe
PID 1336 wrote to memory of 1496	1336	4f5363c919c970e147753a3b89cb0d216a1053029e48ebfd9037a5d2931fb67a.exe	cmd.exe
PID 1336 wrote to memory of 1496	1336	4f5363c919c970e147753a3b89cb0d216a1053029e48ebfd9037a5d2931fb67a.exe	cmd.exe
PID 1336 wrote to memory of 560	1336	4f5363c919c970e147753a3b89cb0d216a1053029e48ebfd9037a5d2931fb67a.exe	cmd.exe
PID 1336 wrote to memory of 560	1336	4f5363c919c970e147753a3b89cb0d216a1053029e48ebfd9037a5d2931fb67a.exe	cmd.exe
PID 1336 wrote to memory of 560	1336	4f5363c919c970e147753a3b89cb0d216a1053029e48ebfd9037a5d2931fb67a.exe	cmd.exe
PID 1336 wrote to memory of 560	1336	4f5363c919c970e147753a3b89cb0d216a1053029e48ebfd9037a5d2931fb67a.exe	cmd.exe
PID 560 wrote to memory of 1532	560	cmd.exe	PING.EXE
PID 560 wrote to memory of 1532	560	cmd.exe	PING.EXE
PID 560 wrote to memory of 1532	560	cmd.exe	PING.EXE
PID 560 wrote to memory of 1532	560	cmd.exe	PING.EXE
PID 1132 wrote to memory of 1444	1132	cmd.exe	reg.exe
PID 1132 wrote to memory of 1444	1132	cmd.exe	reg.exe
PID 1132 wrote to memory of 1444	1132	cmd.exe	reg.exe
PID 1132 wrote to memory of 1444	1132	cmd.exe	reg.exe
PID 1496 wrote to memory of 1428	1496	cmd.exe	MediaCenter.exe
PID 1496 wrote to memory of 1428	1496	cmd.exe	MediaCenter.exe
PID 1496 wrote to memory of 1428	1496	cmd.exe	MediaCenter.exe
PID 1496 wrote to memory of 1428	1496	cmd.exe	MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\4f5363c919c970e147753a3b89cb0d216a1053029e48ebfd9037a5d2931fb67a.exe
"C:\Users\Admin\AppData\Local\Temp\4f5363c919c970e147753a3b89cb0d216a1053029e48ebfd9037a5d2931fb67a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1444

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
3⤵
- Executes dropped EXE
PID:1428

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\4f5363c919c970e147753a3b89cb0d216a1053029e48ebfd9037a5d2931fb67a.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
f9bcce7bfba23e2fa9c8ad513d49efcc

SHA1
2afd2871b1fb5e73a97d1dfc329881e78133864b

SHA256
e79a3eb617387e8b9379d9ec361abfa598f493c22a60be46f1045b23d5fcd1ac

SHA512
1c44819d832e7ceea38c7c80a2aad60f5a45945fb1708a5af64093ec2d0cc15925a0ed9ce9b2d996fb6e9b60f0f1289c8167815aef89675f7454ebe53a482bee

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
f9bcce7bfba23e2fa9c8ad513d49efcc

SHA1
2afd2871b1fb5e73a97d1dfc329881e78133864b

SHA256
e79a3eb617387e8b9379d9ec361abfa598f493c22a60be46f1045b23d5fcd1ac

SHA512
1c44819d832e7ceea38c7c80a2aad60f5a45945fb1708a5af64093ec2d0cc15925a0ed9ce9b2d996fb6e9b60f0f1289c8167815aef89675f7454ebe53a482bee

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
f9bcce7bfba23e2fa9c8ad513d49efcc

SHA1
2afd2871b1fb5e73a97d1dfc329881e78133864b

SHA256
e79a3eb617387e8b9379d9ec361abfa598f493c22a60be46f1045b23d5fcd1ac

SHA512
1c44819d832e7ceea38c7c80a2aad60f5a45945fb1708a5af64093ec2d0cc15925a0ed9ce9b2d996fb6e9b60f0f1289c8167815aef89675f7454ebe53a482bee

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
f9bcce7bfba23e2fa9c8ad513d49efcc

SHA1
2afd2871b1fb5e73a97d1dfc329881e78133864b

SHA256
e79a3eb617387e8b9379d9ec361abfa598f493c22a60be46f1045b23d5fcd1ac

SHA512
1c44819d832e7ceea38c7c80a2aad60f5a45945fb1708a5af64093ec2d0cc15925a0ed9ce9b2d996fb6e9b60f0f1289c8167815aef89675f7454ebe53a482bee

Download Submit
memory/1336-54-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/1336-55-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing