sakula | 82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11

General

Target

3cae1b420842e5bc4098dffac0dd44fa.exe
Size

89KB
MD5

3cae1b420842e5bc4098dffac0dd44fa
SHA1

321be89ffb70aa7c4cccfdb80df413b1c76c2230
SHA256

82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11
SHA512

838f25841dc233671dd007b94c871ef0bb42b6efff66ecf4a079e9cd406ecbc228fe4050702f14224d4d46e50905f6fab9a6e02f35c7904bc8f74563c8e2d1c8
SSDEEP

1536:voaj1hJL1S9t0MIeboal8bCKxo7h0RP0jwHVz30rtroWuxzug:Q0hpgz6xGhTjwHN30BE3D

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1628 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1696 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

3cae1b420842e5bc4098dffac0dd44fa.exe

pid process

1096 3cae1b420842e5bc4098dffac0dd44fa.exe
1096 3cae1b420842e5bc4098dffac0dd44fa.exe

pid	process
1628	MediaCenter.exe

pid	process
1696	cmd.exe

pid	process
1096	3cae1b420842e5bc4098dffac0dd44fa.exe
1096	3cae1b420842e5bc4098dffac0dd44fa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3cae1b420842e5bc4098dffac0dd44fa.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	3cae1b420842e5bc4098dffac0dd44fa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

292 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3cae1b420842e5bc4098dffac0dd44fa.exe

description pid process

Token: SeIncBasePriorityPrivilege 1096 3cae1b420842e5bc4098dffac0dd44fa.exe

pid	process
292	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1096	3cae1b420842e5bc4098dffac0dd44fa.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3cae1b420842e5bc4098dffac0dd44fa.execmd.exe

description	pid	process	target process
PID 1096 wrote to memory of 1628	1096	3cae1b420842e5bc4098dffac0dd44fa.exe	MediaCenter.exe
PID 1096 wrote to memory of 1628	1096	3cae1b420842e5bc4098dffac0dd44fa.exe	MediaCenter.exe
PID 1096 wrote to memory of 1628	1096	3cae1b420842e5bc4098dffac0dd44fa.exe	MediaCenter.exe
PID 1096 wrote to memory of 1628	1096	3cae1b420842e5bc4098dffac0dd44fa.exe	MediaCenter.exe
PID 1096 wrote to memory of 1696	1096	3cae1b420842e5bc4098dffac0dd44fa.exe	cmd.exe
PID 1096 wrote to memory of 1696	1096	3cae1b420842e5bc4098dffac0dd44fa.exe	cmd.exe
PID 1096 wrote to memory of 1696	1096	3cae1b420842e5bc4098dffac0dd44fa.exe	cmd.exe
PID 1096 wrote to memory of 1696	1096	3cae1b420842e5bc4098dffac0dd44fa.exe	cmd.exe
PID 1696 wrote to memory of 292	1696	cmd.exe	PING.EXE
PID 1696 wrote to memory of 292	1696	cmd.exe	PING.EXE
PID 1696 wrote to memory of 292	1696	cmd.exe	PING.EXE
PID 1696 wrote to memory of 292	1696	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\3cae1b420842e5bc4098dffac0dd44fa.exe
"C:\Users\Admin\AppData\Local\Temp\3cae1b420842e5bc4098dffac0dd44fa.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\3cae1b420842e5bc4098dffac0dd44fa.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
89KB

MD5
0f428350ee7737de4590ecb1c1695de9

SHA1
a4c67d71f2f71228289652fc3864d6ac2aababc5

SHA256
271be9c3df89b518eceeb3be77246d48313bd98299f9c5c76b23bc983521bfc1

SHA512
a5224473cf4513545ea60c7dbb1c4ce2ecaa6632cd7f490bf3d1025715c26db2ba10458a6a6666a07ec9b13f74c275a7dab6c012023bd950b295dba2be798838

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
89KB

MD5
0f428350ee7737de4590ecb1c1695de9

SHA1
a4c67d71f2f71228289652fc3864d6ac2aababc5

SHA256
271be9c3df89b518eceeb3be77246d48313bd98299f9c5c76b23bc983521bfc1

SHA512
a5224473cf4513545ea60c7dbb1c4ce2ecaa6632cd7f490bf3d1025715c26db2ba10458a6a6666a07ec9b13f74c275a7dab6c012023bd950b295dba2be798838

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
89KB

MD5
0f428350ee7737de4590ecb1c1695de9

SHA1
a4c67d71f2f71228289652fc3864d6ac2aababc5

SHA256
271be9c3df89b518eceeb3be77246d48313bd98299f9c5c76b23bc983521bfc1

SHA512
a5224473cf4513545ea60c7dbb1c4ce2ecaa6632cd7f490bf3d1025715c26db2ba10458a6a6666a07ec9b13f74c275a7dab6c012023bd950b295dba2be798838

Download Submit
memory/292-61-0x0000000000000000-mapping.dmp

Download
memory/1096-54-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/1628-57-0x0000000000000000-mapping.dmp

Download
memory/1696-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads