sakula | 280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7

General

Target

280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe
Size

72KB
MD5

007a14d72f82e5718e99f23cefbad5c3
SHA1

01bb44f4fb23529ee35a21b0aeb9dd397d72ad90
SHA256

280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7
SHA512

dac91685a48c284cd02b877df5262883925b955473b7f19e18c6ba68e71ed95ad6e66d49be3ef846b284ce8577508cdd68151eb744add2937f1a2666d76ebfd9

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

3716 MediaCenter.exe

pid	process
3716	MediaCenter.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{C579840E-7AAB-4BE5-878F-E9F2F0A572D9}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{6E7307F9-E79A-441A-A7F5-77E96C761E3C}.catalogItem	svchost.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3764 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3744 PING.EXE

pid	process
3764	reg.exe

pid	process
3744	PING.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3464 wrote to memory of 3016	3464	280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe	cmd.exe
PID 3464 wrote to memory of 3016	3464	280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe	cmd.exe
PID 3464 wrote to memory of 3016	3464	280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe	cmd.exe
PID 3464 wrote to memory of 3984	3464	280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe	cmd.exe
PID 3464 wrote to memory of 3984	3464	280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe	cmd.exe
PID 3464 wrote to memory of 3984	3464	280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe	cmd.exe
PID 3464 wrote to memory of 2448	3464	280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe	cmd.exe
PID 3464 wrote to memory of 2448	3464	280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe	cmd.exe
PID 3464 wrote to memory of 2448	3464	280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe	cmd.exe
PID 3016 wrote to memory of 3764	3016	cmd.exe	reg.exe
PID 3016 wrote to memory of 3764	3016	cmd.exe	reg.exe
PID 3016 wrote to memory of 3764	3016	cmd.exe	reg.exe
PID 2448 wrote to memory of 3744	2448	cmd.exe	PING.EXE
PID 2448 wrote to memory of 3744	2448	cmd.exe	PING.EXE
PID 2448 wrote to memory of 3744	2448	cmd.exe	PING.EXE
PID 3984 wrote to memory of 3716	3984	cmd.exe	MediaCenter.exe
PID 3984 wrote to memory of 3716	3984	cmd.exe	MediaCenter.exe
PID 3984 wrote to memory of 3716	3984	cmd.exe	MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe
"C:\Users\Admin\AppData\Local\Temp\280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:3764

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3984

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
3⤵
- Executes dropped EXE
PID:3716

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:3744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:3320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
410422fe8bff1a11fd69980ea879fa4f

SHA1
3743d56d27603e856377660c98d5f63dcc6cf9a8

SHA256
e22ee7b25c493600004b75b2039426f50ae30b2e845f8c417b4aa9a9cc7d12fd

SHA512
e243a77ea7d6c4d69ab485463bbfe105ca133b3f847ec88605fa4fdf5c261602ec44dad8790f8bb05bd674917880c59dcaaa31695cef81b4e4ac0f6910c2b281

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
410422fe8bff1a11fd69980ea879fa4f

SHA1
3743d56d27603e856377660c98d5f63dcc6cf9a8

SHA256
e22ee7b25c493600004b75b2039426f50ae30b2e845f8c417b4aa9a9cc7d12fd

SHA512
e243a77ea7d6c4d69ab485463bbfe105ca133b3f847ec88605fa4fdf5c261602ec44dad8790f8bb05bd674917880c59dcaaa31695cef81b4e4ac0f6910c2b281

Download Submit
memory/3464-134-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3716-137-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads