sakula | de1241f331f48e829e0a632c29c59f63662d180afb8e88bc42bdf959e4333b1d

Analysis

max time kernel
120s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2022 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed9f64044aa25abc28fa4340eb9337e6.exe
Size

101KB
MD5

ed9f64044aa25abc28fa4340eb9337e6
SHA1

48c080fcebecc62a3eeff603cec5f5b1de1108b4
SHA256

de1241f331f48e829e0a632c29c59f63662d180afb8e88bc42bdf959e4333b1d
SHA512

d046ac3880aea6d3b70e1cdbb24c5c88649e8e42705680d65f8c266805cdfb5b9ff218a5dcb76d8d7011b07b55db128fd4e65fba0a6c26a338a4b4cb59519ce6
SSDEEP

1536:9JbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrGPTEzV:/bfVk29te2jqxCEtg30BibEB

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

AdobeUpdate.exe

pid process

1164 AdobeUpdate.exe

pid	process
1164	AdobeUpdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ed9f64044aa25abc28fa4340eb9337e6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ed9f64044aa25abc28fa4340eb9337e6.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ed9f64044aa25abc28fa4340eb9337e6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"	ed9f64044aa25abc28fa4340eb9337e6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2680 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ed9f64044aa25abc28fa4340eb9337e6.exe

description pid process

Token: SeIncBasePriorityPrivilege 396 ed9f64044aa25abc28fa4340eb9337e6.exe

pid	process
2680	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	396	ed9f64044aa25abc28fa4340eb9337e6.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ed9f64044aa25abc28fa4340eb9337e6.execmd.exe

description	pid	process	target process
PID 396 wrote to memory of 1164	396	ed9f64044aa25abc28fa4340eb9337e6.exe	AdobeUpdate.exe
PID 396 wrote to memory of 1164	396	ed9f64044aa25abc28fa4340eb9337e6.exe	AdobeUpdate.exe
PID 396 wrote to memory of 1164	396	ed9f64044aa25abc28fa4340eb9337e6.exe	AdobeUpdate.exe
PID 396 wrote to memory of 3384	396	ed9f64044aa25abc28fa4340eb9337e6.exe	cmd.exe
PID 396 wrote to memory of 3384	396	ed9f64044aa25abc28fa4340eb9337e6.exe	cmd.exe
PID 396 wrote to memory of 3384	396	ed9f64044aa25abc28fa4340eb9337e6.exe	cmd.exe
PID 3384 wrote to memory of 2680	3384	cmd.exe	PING.EXE
PID 3384 wrote to memory of 2680	3384	cmd.exe	PING.EXE
PID 3384 wrote to memory of 2680	3384	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\ed9f64044aa25abc28fa4340eb9337e6.exe
"C:\Users\Admin\AppData\Local\Temp\ed9f64044aa25abc28fa4340eb9337e6.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
2⤵
- Executes dropped EXE
PID:1164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\ed9f64044aa25abc28fa4340eb9337e6.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3384

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
Filesize
101KB

MD5
4386b50958d08b1079126e33301deaa1

SHA1
379b306a869b3ef304de0e89ed3f8d3aa86be0ff

SHA256
857853346db45d003091675ca9bbabf60cbff02161b21d6a23d1f4cf89be8988

SHA512
87d6b54396759d86403bf4e42d48bef5486bd78901419a2d9189442cd0f960fef2949fe1be65e806d979d520633ef5dc4a57aeeb4238562f6315a9056fc6cee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
Filesize
101KB

MD5
4386b50958d08b1079126e33301deaa1

SHA1
379b306a869b3ef304de0e89ed3f8d3aa86be0ff

SHA256
857853346db45d003091675ca9bbabf60cbff02161b21d6a23d1f4cf89be8988

SHA512
87d6b54396759d86403bf4e42d48bef5486bd78901419a2d9189442cd0f960fef2949fe1be65e806d979d520633ef5dc4a57aeeb4238562f6315a9056fc6cee4

Download Submit
memory/1164-132-0x0000000000000000-mapping.dmp

Download
memory/2680-136-0x0000000000000000-mapping.dmp

Download
memory/3384-135-0x0000000000000000-mapping.dmp

Download