sakula | 7a3c203d3668423e2bf6e11568ceeac3c5081d06f304db0db39fea341833323e

General

Target

virussign.exe
Size

212KB
MD5

1bc0e4769e7c8d200892a2b1450961e0
SHA1

08b0805ed34458af16a73e494999ad2e8ba83655
SHA256

7a3c203d3668423e2bf6e11568ceeac3c5081d06f304db0db39fea341833323e
SHA512

406170bf43063a2b18359560d73ef0c3bb0726d3f0d180d3aa02e504ac0cda3eb408606f8932ed35e4e0a84f1d04cbe0fa6212d910a33089dc496d8dd644a502

Score

10^/10

sakula persistence rat suricata trojan upx

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 5 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral1/memory/1516-59-0x0000000000400000-0x0000000000435000-memory.dmp	family_sakula
behavioral1/memory/972-61-0x0000000000400000-0x0000000000435000-memory.dmp	family_sakula
behavioral1/memory/1516-63-0x0000000000400000-0x0000000000435000-memory.dmp	family_sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
suricata
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

972 MediaCenter.exe

pid	process
972	MediaCenter.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral1/memory/1516-59-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/972-61-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1516-63-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1684 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

virussign.exe

pid process

1516 virussign.exe

pid	process
1684	cmd.exe

pid	process
1516	virussign.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

virussign.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	virussign.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1204 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

virussign.exe

description pid process

Token: SeIncBasePriorityPrivilege 1516 virussign.exe

pid	process
1204	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1516	virussign.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

virussign.execmd.exe

description	pid	process	target process
PID 1516 wrote to memory of 972	1516	virussign.exe	MediaCenter.exe
PID 1516 wrote to memory of 972	1516	virussign.exe	MediaCenter.exe
PID 1516 wrote to memory of 972	1516	virussign.exe	MediaCenter.exe
PID 1516 wrote to memory of 972	1516	virussign.exe	MediaCenter.exe
PID 1516 wrote to memory of 1684	1516	virussign.exe	cmd.exe
PID 1516 wrote to memory of 1684	1516	virussign.exe	cmd.exe
PID 1516 wrote to memory of 1684	1516	virussign.exe	cmd.exe
PID 1516 wrote to memory of 1684	1516	virussign.exe	cmd.exe
PID 1684 wrote to memory of 1204	1684	cmd.exe	PING.EXE
PID 1684 wrote to memory of 1204	1684	cmd.exe	PING.EXE
PID 1684 wrote to memory of 1204	1684	cmd.exe	PING.EXE
PID 1684 wrote to memory of 1204	1684	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\virussign.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\virussign.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
212KB

MD5
78e8d366a9398e0122b01f5e7fcd11a9

SHA1
07beb008010de20198cad3ecad910547656f1f23

SHA256
95123cffb519372a9ef0d5eddd69e8349724d401a4d77f4a17010594f0f897eb

SHA512
21b4ffac9850a36ff2fa1a38832faea842034bd1cf79de84830c5527dc2d1cfb2532b0f7269f1ec8bcb72ad56f84052d466a7b623087bf00601912858227f1d4

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
212KB

MD5
78e8d366a9398e0122b01f5e7fcd11a9

SHA1
07beb008010de20198cad3ecad910547656f1f23

SHA256
95123cffb519372a9ef0d5eddd69e8349724d401a4d77f4a17010594f0f897eb

SHA512
21b4ffac9850a36ff2fa1a38832faea842034bd1cf79de84830c5527dc2d1cfb2532b0f7269f1ec8bcb72ad56f84052d466a7b623087bf00601912858227f1d4

Download Submit
memory/972-56-0x0000000000000000-mapping.dmp

Download
memory/972-61-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1204-64-0x0000000000000000-mapping.dmp

Download
memory/1516-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1516-59-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1516-60-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/1516-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1684-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads