sakula | 962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f

General

Target

962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe
Size

42KB
MD5

0df6396e7775f62dba90ff08a846cc34
SHA1

6bbc28cd80acc12f222c45b8ab93a7b34f0d6b48
SHA256

962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f
SHA512

7f46b8d2b8f0281d249e626c9e1dcbffe1b8054ea926e3bbb53cceb029d40843a33c986bc6d17ebbec992b395cf288e2b61e37a3d42036eef9c5f1521e24c2df

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

3440 MediaCenter.exe

pid	process
3440	MediaCenter.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

560 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4672 PING.EXE

pid	process
560	reg.exe

pid	process
4672	PING.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4720 wrote to memory of 5096	4720	962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe	cmd.exe
PID 4720 wrote to memory of 5096	4720	962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe	cmd.exe
PID 4720 wrote to memory of 5096	4720	962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe	cmd.exe
PID 4720 wrote to memory of 4316	4720	962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe	cmd.exe
PID 4720 wrote to memory of 4316	4720	962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe	cmd.exe
PID 4720 wrote to memory of 4316	4720	962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe	cmd.exe
PID 4720 wrote to memory of 3720	4720	962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe	cmd.exe
PID 4720 wrote to memory of 3720	4720	962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe	cmd.exe
PID 4720 wrote to memory of 3720	4720	962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe	cmd.exe
PID 3720 wrote to memory of 4672	3720	cmd.exe	PING.EXE
PID 5096 wrote to memory of 560	5096	cmd.exe	reg.exe
PID 3720 wrote to memory of 4672	3720	cmd.exe	PING.EXE
PID 5096 wrote to memory of 560	5096	cmd.exe	reg.exe
PID 3720 wrote to memory of 4672	3720	cmd.exe	PING.EXE
PID 5096 wrote to memory of 560	5096	cmd.exe	reg.exe
PID 4316 wrote to memory of 3440	4316	cmd.exe	MediaCenter.exe
PID 4316 wrote to memory of 3440	4316	cmd.exe	MediaCenter.exe
PID 4316 wrote to memory of 3440	4316	cmd.exe	MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe
"C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:560

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4316

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
3⤵
- Executes dropped EXE
PID:3440

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\962398a8148727431d8a651dcacbb972883559f651f19784a0a0cd9c30c63a2f.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
c81ab6ef72b6160928df060288c96774

SHA1
4536573fd5b7a19580a8d107aba51b88337bb4c3

SHA256
167f30bd9f16acffd8de9ae258710d2383aed2a72589fc30d6935387feb8a23f

SHA512
728d04a9bc932383d3c687c37eb7dee9a3fd7f5be23c1b3d5f826c4079164811b162cb3f8fee77f922cccc119de949d8a659c2e6043134f13f163b1702c225fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5
c81ab6ef72b6160928df060288c96774

SHA1
4536573fd5b7a19580a8d107aba51b88337bb4c3

SHA256
167f30bd9f16acffd8de9ae258710d2383aed2a72589fc30d6935387feb8a23f

SHA512
728d04a9bc932383d3c687c37eb7dee9a3fd7f5be23c1b3d5f826c4079164811b162cb3f8fee77f922cccc119de949d8a659c2e6043134f13f163b1702c225fa

Download Submit
memory/560-135-0x0000000000000000-mapping.dmp

Download
memory/3440-136-0x0000000000000000-mapping.dmp

Download
memory/3440-139-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3720-132-0x0000000000000000-mapping.dmp

Download
memory/4316-131-0x0000000000000000-mapping.dmp

Download
memory/4672-134-0x0000000000000000-mapping.dmp

Download
memory/4720-133-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5096-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing