sakula | c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2

General

Target

c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe
Size

44KB
MD5

2e8a0f866db9089197a7ce653a31d8a4
SHA1

a3d5131211641e9b5571e84a30f0315600714520
SHA256

c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2
SHA512

b1cb633c21a98d545252beb848370145b028dc8e7c7096c93c7cbb64a2087e7d29daba180b0b2386b884b914884c54b811052668d1d7e5b86e8c9eec830574ed

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

3976 MediaCenter.exe

pid	process
3976	MediaCenter.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4468 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5056 PING.EXE

pid	process
4468	reg.exe

pid	process
5056	PING.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1996 wrote to memory of 2552	1996	c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe	cmd.exe
PID 1996 wrote to memory of 2552	1996	c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe	cmd.exe
PID 1996 wrote to memory of 2552	1996	c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe	cmd.exe
PID 1996 wrote to memory of 2728	1996	c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe	cmd.exe
PID 1996 wrote to memory of 2728	1996	c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe	cmd.exe
PID 1996 wrote to memory of 2728	1996	c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe	cmd.exe
PID 1996 wrote to memory of 2756	1996	c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe	cmd.exe
PID 1996 wrote to memory of 2756	1996	c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe	cmd.exe
PID 1996 wrote to memory of 2756	1996	c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe	cmd.exe
PID 2756 wrote to memory of 5056	2756	cmd.exe	PING.EXE
PID 2756 wrote to memory of 5056	2756	cmd.exe	PING.EXE
PID 2756 wrote to memory of 5056	2756	cmd.exe	PING.EXE
PID 2552 wrote to memory of 4468	2552	cmd.exe	reg.exe
PID 2552 wrote to memory of 4468	2552	cmd.exe	reg.exe
PID 2552 wrote to memory of 4468	2552	cmd.exe	reg.exe
PID 2728 wrote to memory of 3976	2728	cmd.exe	MediaCenter.exe
PID 2728 wrote to memory of 3976	2728	cmd.exe	MediaCenter.exe
PID 2728 wrote to memory of 3976	2728	cmd.exe	MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe
"C:\Users\Admin\AppData\Local\Temp\c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:4468

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
3⤵
- Executes dropped EXE
PID:3976

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:5056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
8ed2017c2afac40e15d7d46e88ae3345

SHA1
4ac674621193ade5949a2273544e9bd870be898b

SHA256
13312e953f1a9535e0a0cac6173bff39bb421668d6c96a67937a29d2642d2f7a

SHA512
a783d554de6adf70ff50484a5c2683a24df9644fd9153c95b876b7c3cd804c09657c60411e3a783a938505ce2a5b691fc1f0b23a45fc9a9be6d38fb4d8b7d576

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
8ed2017c2afac40e15d7d46e88ae3345

SHA1
4ac674621193ade5949a2273544e9bd870be898b

SHA256
13312e953f1a9535e0a0cac6173bff39bb421668d6c96a67937a29d2642d2f7a

SHA512
a783d554de6adf70ff50484a5c2683a24df9644fd9153c95b876b7c3cd804c09657c60411e3a783a938505ce2a5b691fc1f0b23a45fc9a9be6d38fb4d8b7d576

Download Submit
memory/1996-133-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2552-130-0x0000000000000000-mapping.dmp

Download
memory/2728-131-0x0000000000000000-mapping.dmp

Download
memory/2756-132-0x0000000000000000-mapping.dmp

Download
memory/3976-136-0x0000000000000000-mapping.dmp

Download
memory/3976-139-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4468-135-0x0000000000000000-mapping.dmp

Download
memory/5056-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing