sakula | 5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c

General

Target

5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe
Size

40KB
MD5

1cc8846038d84ed445d3a71fd4fc88eb
SHA1

85c988e1827cf3aa75926be7c002c71585013b04
SHA256

5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c
SHA512

890d2cca605adfabb6c4104b2a6aad1503abc513f037d9f98b2f6ad113ed1edc3b287e3f4211c31f577c9b7ca181d0c0cbc701f2066e4e22439f9fea6918383c

Score

10^/10

sakula persistence rat trojan upx

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

588 MediaCenter.exe

pid	process
588	MediaCenter.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1768-55-0x0000000000400000-0x000000000040D000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral1/memory/588-67-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

972 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1648 cmd.exe
1648 cmd.exe

pid	process
972	cmd.exe

pid	process
1648	cmd.exe
1648	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1324 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

900 PING.EXE

pid	process
1324	reg.exe

pid	process
900	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1768 wrote to memory of 1592	1768	5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe	cmd.exe
PID 1768 wrote to memory of 1592	1768	5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe	cmd.exe
PID 1768 wrote to memory of 1592	1768	5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe	cmd.exe
PID 1768 wrote to memory of 1592	1768	5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe	cmd.exe
PID 1768 wrote to memory of 1648	1768	5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe	cmd.exe
PID 1768 wrote to memory of 1648	1768	5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe	cmd.exe
PID 1768 wrote to memory of 1648	1768	5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe	cmd.exe
PID 1768 wrote to memory of 1648	1768	5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe	cmd.exe
PID 1768 wrote to memory of 972	1768	5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe	cmd.exe
PID 1768 wrote to memory of 972	1768	5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe	cmd.exe
PID 1768 wrote to memory of 972	1768	5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe	cmd.exe
PID 1768 wrote to memory of 972	1768	5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe	cmd.exe
PID 1592 wrote to memory of 1324	1592	cmd.exe	reg.exe
PID 1592 wrote to memory of 1324	1592	cmd.exe	reg.exe
PID 1592 wrote to memory of 1324	1592	cmd.exe	reg.exe
PID 1592 wrote to memory of 1324	1592	cmd.exe	reg.exe
PID 972 wrote to memory of 900	972	cmd.exe	PING.EXE
PID 972 wrote to memory of 900	972	cmd.exe	PING.EXE
PID 972 wrote to memory of 900	972	cmd.exe	PING.EXE
PID 972 wrote to memory of 900	972	cmd.exe	PING.EXE
PID 1648 wrote to memory of 588	1648	cmd.exe	MediaCenter.exe
PID 1648 wrote to memory of 588	1648	cmd.exe	MediaCenter.exe
PID 1648 wrote to memory of 588	1648	cmd.exe	MediaCenter.exe
PID 1648 wrote to memory of 588	1648	cmd.exe	MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe
"C:\Users\Admin\AppData\Local\Temp\5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1324

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
3⤵
- Executes dropped EXE
PID:588

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
1⤵
- Runs ping.exe
PID:900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
40KB

MD5
ade3eec585c8618edd700d2aebfe51cd

SHA1
bd6016228f8a793f90c07fb5c3c11f7cc12363b7

SHA256
ea0d5d4005e8e1f4f2e34ae4c689038683dbc719bc7b05872c4d40ca030d2789

SHA512
25cc8c251a64c44c7b9167764fa4c9da2deda06730f830a0a99e1d7ea2ebe3731c2147f5138cdce5c12d2769b77eaa19002ce90bfc2b71de884e7d791f45b499

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
40KB

MD5
ade3eec585c8618edd700d2aebfe51cd

SHA1
bd6016228f8a793f90c07fb5c3c11f7cc12363b7

SHA256
ea0d5d4005e8e1f4f2e34ae4c689038683dbc719bc7b05872c4d40ca030d2789

SHA512
25cc8c251a64c44c7b9167764fa4c9da2deda06730f830a0a99e1d7ea2ebe3731c2147f5138cdce5c12d2769b77eaa19002ce90bfc2b71de884e7d791f45b499

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
40KB

MD5
ade3eec585c8618edd700d2aebfe51cd

SHA1
bd6016228f8a793f90c07fb5c3c11f7cc12363b7

SHA256
ea0d5d4005e8e1f4f2e34ae4c689038683dbc719bc7b05872c4d40ca030d2789

SHA512
25cc8c251a64c44c7b9167764fa4c9da2deda06730f830a0a99e1d7ea2ebe3731c2147f5138cdce5c12d2769b77eaa19002ce90bfc2b71de884e7d791f45b499

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
40KB

MD5
ade3eec585c8618edd700d2aebfe51cd

SHA1
bd6016228f8a793f90c07fb5c3c11f7cc12363b7

SHA256
ea0d5d4005e8e1f4f2e34ae4c689038683dbc719bc7b05872c4d40ca030d2789

SHA512
25cc8c251a64c44c7b9167764fa4c9da2deda06730f830a0a99e1d7ea2ebe3731c2147f5138cdce5c12d2769b77eaa19002ce90bfc2b71de884e7d791f45b499

Download Submit
memory/588-67-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/588-64-0x0000000000000000-mapping.dmp

Download
memory/900-60-0x0000000000000000-mapping.dmp

Download
memory/972-58-0x0000000000000000-mapping.dmp

Download
memory/1324-59-0x0000000000000000-mapping.dmp

Download
memory/1592-56-0x0000000000000000-mapping.dmp

Download
memory/1648-57-0x0000000000000000-mapping.dmp

Download
memory/1768-54-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1768-55-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads