sakula | 9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e

General

Target

9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe
Size

104KB
MD5

49462ddd5d404f016ff2f73e163ac899
SHA1

c1b974717bcab23cbc45ede0dca54ba2022afa00
SHA256

9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e
SHA512

357a65dfbc834c6ef24bf6625573652b7496cdb7779086727401297b481f18a33f27efa6b76ecbe1cb5cca3e536fae847501c85eb50d208a52faf10574ddc071

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

5028 MediaCenter.exe

pid	process
5028	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

760 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe

description pid process

Token: SeIncBasePriorityPrivilege 4016 9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe

pid	process
760	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	4016	9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.execmd.exe

description	pid	process	target process
PID 4016 wrote to memory of 5028	4016	9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe	MediaCenter.exe
PID 4016 wrote to memory of 5028	4016	9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe	MediaCenter.exe
PID 4016 wrote to memory of 5028	4016	9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe	MediaCenter.exe
PID 4016 wrote to memory of 3336	4016	9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe	cmd.exe
PID 4016 wrote to memory of 3336	4016	9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe	cmd.exe
PID 4016 wrote to memory of 3336	4016	9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe	cmd.exe
PID 3336 wrote to memory of 760	3336	cmd.exe	PING.EXE
PID 3336 wrote to memory of 760	3336	cmd.exe	PING.EXE
PID 3336 wrote to memory of 760	3336	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe
"C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3336
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
674ace169e348ea908cc1ee992285155

SHA1
240e622550bde8509b8b1b02c3901a5a60c9fdd2

SHA256
f54229335490bbf67a06c718bbe825fa29b2b807b5ff6d8595f46af9026c9cfa

SHA512
2a24f79f6c2218e306d189a971f7642319c206c46582502b1c4a372ed4eb46542d953e7d72146502ac0e8e0e8d4d8abdf695e6849571e5b8dae4d8a287e1f1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5
674ace169e348ea908cc1ee992285155

SHA1
240e622550bde8509b8b1b02c3901a5a60c9fdd2

SHA256
f54229335490bbf67a06c718bbe825fa29b2b807b5ff6d8595f46af9026c9cfa

SHA512
2a24f79f6c2218e306d189a971f7642319c206c46582502b1c4a372ed4eb46542d953e7d72146502ac0e8e0e8d4d8abdf695e6849571e5b8dae4d8a287e1f1cc

Download Submit
memory/760-138-0x0000000000000000-mapping.dmp

Download
memory/3336-137-0x0000000000000000-mapping.dmp

Download
memory/5028-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads