sakula | 367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1

General

Target

367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1.exe
Size

19KB
MD5

7eae7b067a47a76d1b4791ab0c5c70c0
SHA1

04ec3f9663ee24293d15c9b8cbf880cb4142a2cf
SHA256

367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1
SHA512

3c99c677d6618a84a31bc6909f0bf85fab4e560cfbc23ae57a1cd806ef7003fa4d32049736162da62d75f266c1373917157a66a1e356683526f97aaf97eb4679

Score

10^/10

sakula persistence rat suricata trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
suricata
suricata: ET MALWARE Sakula/Mivast C2 Activity
suricata: ET MALWARE Sakula/Mivast C2 Activity
suricata
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1288 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

836 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

652 cmd.exe
652 cmd.exe

pid	process
1288	MediaCenter.exe

pid	process
836	cmd.exe

pid	process
652	cmd.exe
652	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1284 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1260 PING.EXE

pid	process
1284	reg.exe

pid	process
1260	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1660 wrote to memory of 2024	1660	367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1.exe	cmd.exe
PID 1660 wrote to memory of 2024	1660	367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1.exe	cmd.exe
PID 1660 wrote to memory of 2024	1660	367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1.exe	cmd.exe
PID 1660 wrote to memory of 2024	1660	367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1.exe	cmd.exe
PID 1660 wrote to memory of 652	1660	367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1.exe	cmd.exe
PID 1660 wrote to memory of 652	1660	367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1.exe	cmd.exe
PID 1660 wrote to memory of 652	1660	367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1.exe	cmd.exe
PID 1660 wrote to memory of 652	1660	367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1.exe	cmd.exe
PID 1660 wrote to memory of 836	1660	367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1.exe	cmd.exe
PID 1660 wrote to memory of 836	1660	367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1.exe	cmd.exe
PID 1660 wrote to memory of 836	1660	367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1.exe	cmd.exe
PID 1660 wrote to memory of 836	1660	367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1.exe	cmd.exe
PID 652 wrote to memory of 1288	652	cmd.exe	MediaCenter.exe
PID 652 wrote to memory of 1288	652	cmd.exe	MediaCenter.exe
PID 652 wrote to memory of 1288	652	cmd.exe	MediaCenter.exe
PID 652 wrote to memory of 1288	652	cmd.exe	MediaCenter.exe
PID 2024 wrote to memory of 1284	2024	cmd.exe	reg.exe
PID 2024 wrote to memory of 1284	2024	cmd.exe	reg.exe
PID 2024 wrote to memory of 1284	2024	cmd.exe	reg.exe
PID 2024 wrote to memory of 1284	2024	cmd.exe	reg.exe
PID 836 wrote to memory of 1260	836	cmd.exe	PING.EXE
PID 836 wrote to memory of 1260	836	cmd.exe	PING.EXE
PID 836 wrote to memory of 1260	836	cmd.exe	PING.EXE
PID 836 wrote to memory of 1260	836	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1.exe
"C:\Users\Admin\AppData\Local\Temp\367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1284

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:652

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
3⤵
- Executes dropped EXE
PID:1288

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
19KB

MD5
f6db9df000bf0e44059b0b30e9c831eb

SHA1
74325e35d805ca7b2614eb3a1b322961b404c92d

SHA256
6d5b20d692769764b174696e0109ed17ca72c6db5166fbc1c840c1348e0defb1

SHA512
9b111c5438e11fe7cec222cf96ebdfe322773a5db5f6394eaaba7674791e4a14da3c0b7766c50c5a93e83c88c677ef6b8cedcc685e49c91afda846c1d641d1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
19KB

MD5
f6db9df000bf0e44059b0b30e9c831eb

SHA1
74325e35d805ca7b2614eb3a1b322961b404c92d

SHA256
6d5b20d692769764b174696e0109ed17ca72c6db5166fbc1c840c1348e0defb1

SHA512
9b111c5438e11fe7cec222cf96ebdfe322773a5db5f6394eaaba7674791e4a14da3c0b7766c50c5a93e83c88c677ef6b8cedcc685e49c91afda846c1d641d1d8

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
19KB

MD5
f6db9df000bf0e44059b0b30e9c831eb

SHA1
74325e35d805ca7b2614eb3a1b322961b404c92d

SHA256
6d5b20d692769764b174696e0109ed17ca72c6db5166fbc1c840c1348e0defb1

SHA512
9b111c5438e11fe7cec222cf96ebdfe322773a5db5f6394eaaba7674791e4a14da3c0b7766c50c5a93e83c88c677ef6b8cedcc685e49c91afda846c1d641d1d8

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
19KB

MD5
f6db9df000bf0e44059b0b30e9c831eb

SHA1
74325e35d805ca7b2614eb3a1b322961b404c92d

SHA256
6d5b20d692769764b174696e0109ed17ca72c6db5166fbc1c840c1348e0defb1

SHA512
9b111c5438e11fe7cec222cf96ebdfe322773a5db5f6394eaaba7674791e4a14da3c0b7766c50c5a93e83c88c677ef6b8cedcc685e49c91afda846c1d641d1d8

Download Submit
memory/652-58-0x0000000000000000-mapping.dmp

Download
memory/652-72-0x00000000000B0000-0x00000000000BB000-memory.dmp

Filesize
44KB

Download
memory/652-71-0x00000000000B0000-0x00000000000BB000-memory.dmp

Filesize
44KB

Download
memory/652-70-0x00000000000B0000-0x00000000000BB000-memory.dmp

Filesize
44KB

Download
memory/652-69-0x00000000000B0000-0x00000000000BB000-memory.dmp

Filesize
44KB

Download
memory/836-59-0x0000000000000000-mapping.dmp

Download
memory/1260-68-0x0000000000000000-mapping.dmp

Download
memory/1284-65-0x0000000000000000-mapping.dmp

Download
memory/1288-64-0x0000000000000000-mapping.dmp

Download
memory/1288-73-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1660-55-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1660-56-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/1660-54-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/1660-60-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2024-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing