sakula | 9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e

General

Target

9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe
Size

104KB
MD5

49462ddd5d404f016ff2f73e163ac899
SHA1

c1b974717bcab23cbc45ede0dca54ba2022afa00
SHA256

9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e
SHA512

357a65dfbc834c6ef24bf6625573652b7496cdb7779086727401297b481f18a33f27efa6b76ecbe1cb5cca3e536fae847501c85eb50d208a52faf10574ddc071

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1960 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1548 cmd.exe

pid	process
1960	MediaCenter.exe

pid	process
1548	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe

pid	process
856	9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe
856	9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

556 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe

description pid process

Token: SeIncBasePriorityPrivilege 856 9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe

pid	process
556	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	856	9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.execmd.exe

description	pid	process	target process
PID 856 wrote to memory of 1960	856	9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe	MediaCenter.exe
PID 856 wrote to memory of 1960	856	9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe	MediaCenter.exe
PID 856 wrote to memory of 1960	856	9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe	MediaCenter.exe
PID 856 wrote to memory of 1960	856	9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe	MediaCenter.exe
PID 856 wrote to memory of 1548	856	9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe	cmd.exe
PID 856 wrote to memory of 1548	856	9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe	cmd.exe
PID 856 wrote to memory of 1548	856	9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe	cmd.exe
PID 856 wrote to memory of 1548	856	9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe	cmd.exe
PID 1548 wrote to memory of 556	1548	cmd.exe	PING.EXE
PID 1548 wrote to memory of 556	1548	cmd.exe	PING.EXE
PID 1548 wrote to memory of 556	1548	cmd.exe	PING.EXE
PID 1548 wrote to memory of 556	1548	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe
"C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
56d8cbefa3586bf8475a689dd4b1cd0f

SHA1
303d63e77cc792cf602f21f403e97823bbc7669d

SHA256
7372099220b2d6e9b6735fbfe14a03716616dd5c76111e3762bcbf9713104569

SHA512
367d543c43165471e18a3afde4b1e4d69867f548e83fe795271995379e147a587ee11d7f4002dcfb8f6299f9d305e89b21ee37fe0be50a31f8893982316472a5

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
56d8cbefa3586bf8475a689dd4b1cd0f

SHA1
303d63e77cc792cf602f21f403e97823bbc7669d

SHA256
7372099220b2d6e9b6735fbfe14a03716616dd5c76111e3762bcbf9713104569

SHA512
367d543c43165471e18a3afde4b1e4d69867f548e83fe795271995379e147a587ee11d7f4002dcfb8f6299f9d305e89b21ee37fe0be50a31f8893982316472a5

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
56d8cbefa3586bf8475a689dd4b1cd0f

SHA1
303d63e77cc792cf602f21f403e97823bbc7669d

SHA256
7372099220b2d6e9b6735fbfe14a03716616dd5c76111e3762bcbf9713104569

SHA512
367d543c43165471e18a3afde4b1e4d69867f548e83fe795271995379e147a587ee11d7f4002dcfb8f6299f9d305e89b21ee37fe0be50a31f8893982316472a5

Download Submit
memory/556-61-0x0000000000000000-mapping.dmp

Download
memory/856-54-0x0000000075CA1000-0x0000000075CA3000-memory.dmp

Filesize
8KB

Download
memory/1548-60-0x0000000000000000-mapping.dmp

Download
memory/1960-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads