sakula | 280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7

General

Target

280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe
Size

72KB
MD5

007a14d72f82e5718e99f23cefbad5c3
SHA1

01bb44f4fb23529ee35a21b0aeb9dd397d72ad90
SHA256

280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7
SHA512

dac91685a48c284cd02b877df5262883925b955473b7f19e18c6ba68e71ed95ad6e66d49be3ef846b284ce8577508cdd68151eb744add2937f1a2666d76ebfd9

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1932 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1980 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1672 cmd.exe
1672 cmd.exe

pid	process
1932	MediaCenter.exe

pid	process
1980	cmd.exe

pid	process
1672	cmd.exe
1672	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1476 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1020 PING.EXE

pid	process
1476	reg.exe

pid	process
1020	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.execmd.execmd.execmd.exe

description	pid	process	target process
PID 972 wrote to memory of 1696	972	280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe	cmd.exe
PID 972 wrote to memory of 1696	972	280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe	cmd.exe
PID 972 wrote to memory of 1696	972	280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe	cmd.exe
PID 972 wrote to memory of 1696	972	280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe	cmd.exe
PID 972 wrote to memory of 1672	972	280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe	cmd.exe
PID 972 wrote to memory of 1672	972	280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe	cmd.exe
PID 972 wrote to memory of 1672	972	280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe	cmd.exe
PID 972 wrote to memory of 1672	972	280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe	cmd.exe
PID 972 wrote to memory of 1980	972	280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe	cmd.exe
PID 972 wrote to memory of 1980	972	280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe	cmd.exe
PID 972 wrote to memory of 1980	972	280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe	cmd.exe
PID 972 wrote to memory of 1980	972	280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe	cmd.exe
PID 1980 wrote to memory of 1020	1980	cmd.exe	PING.EXE
PID 1980 wrote to memory of 1020	1980	cmd.exe	PING.EXE
PID 1980 wrote to memory of 1020	1980	cmd.exe	PING.EXE
PID 1980 wrote to memory of 1020	1980	cmd.exe	PING.EXE
PID 1672 wrote to memory of 1932	1672	cmd.exe	MediaCenter.exe
PID 1672 wrote to memory of 1932	1672	cmd.exe	MediaCenter.exe
PID 1672 wrote to memory of 1932	1672	cmd.exe	MediaCenter.exe
PID 1672 wrote to memory of 1932	1672	cmd.exe	MediaCenter.exe
PID 1696 wrote to memory of 1476	1696	cmd.exe	reg.exe
PID 1696 wrote to memory of 1476	1696	cmd.exe	reg.exe
PID 1696 wrote to memory of 1476	1696	cmd.exe	reg.exe
PID 1696 wrote to memory of 1476	1696	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe
"C:\Users\Admin\AppData\Local\Temp\280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1476

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
3⤵
- Executes dropped EXE
PID:1932

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
43538c79814a61bd1141e791048705ae

SHA1
1999162d5fd2295fb01d6ae83b729dc3f67cf398

SHA256
2dba1a5af19ce59338da6489f7dd9ebdab90275f8d52623f2e4a8c3ec4b48c23

SHA512
35ec806d0368fdc226b8efa667c3c5dbed87a11ef61d9831776d92d0bc27945da1970b63c7153080521765a05735a7cd907c4fd29fe4bd133e610148d1e7bf98

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
43538c79814a61bd1141e791048705ae

SHA1
1999162d5fd2295fb01d6ae83b729dc3f67cf398

SHA256
2dba1a5af19ce59338da6489f7dd9ebdab90275f8d52623f2e4a8c3ec4b48c23

SHA512
35ec806d0368fdc226b8efa667c3c5dbed87a11ef61d9831776d92d0bc27945da1970b63c7153080521765a05735a7cd907c4fd29fe4bd133e610148d1e7bf98

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
43538c79814a61bd1141e791048705ae

SHA1
1999162d5fd2295fb01d6ae83b729dc3f67cf398

SHA256
2dba1a5af19ce59338da6489f7dd9ebdab90275f8d52623f2e4a8c3ec4b48c23

SHA512
35ec806d0368fdc226b8efa667c3c5dbed87a11ef61d9831776d92d0bc27945da1970b63c7153080521765a05735a7cd907c4fd29fe4bd133e610148d1e7bf98

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
43538c79814a61bd1141e791048705ae

SHA1
1999162d5fd2295fb01d6ae83b729dc3f67cf398

SHA256
2dba1a5af19ce59338da6489f7dd9ebdab90275f8d52623f2e4a8c3ec4b48c23

SHA512
35ec806d0368fdc226b8efa667c3c5dbed87a11ef61d9831776d92d0bc27945da1970b63c7153080521765a05735a7cd907c4fd29fe4bd133e610148d1e7bf98

Download Submit
memory/972-54-0x00000000760A1000-0x00000000760A3000-memory.dmp

Filesize
8KB

Download
memory/972-55-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing