sakula | 13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27

General

Target

13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe
Size

101KB
MD5

f96fcbf8a58763beb2d7da2d4d30459e
SHA1

0839a4442b9f4ccd10c8c66c8c585eec9fbd7def
SHA256

13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27
SHA512

0fd67dc2a891ef94ff6d07443cfaa655e9f9b1ecd268dee699f89452f304c638711d3d2210ebb6c4bb1230f29b4b9a379738fcf4a0d4fa75372a8bbb35e678ab
SSDEEP

1536:9JbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrfPTEzk:/bfVk29te2jqxCEtg30BLbEw

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

AdobeUpdate.exe

pid process

4892 AdobeUpdate.exe

pid	process
4892	AdobeUpdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"	13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1864 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe

description pid process

Token: SeIncBasePriorityPrivilege 1392 13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe

pid	process
1864	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1392	13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.execmd.exe

description	pid	process	target process
PID 1392 wrote to memory of 4892	1392	13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe	AdobeUpdate.exe
PID 1392 wrote to memory of 4892	1392	13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe	AdobeUpdate.exe
PID 1392 wrote to memory of 4892	1392	13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe	AdobeUpdate.exe
PID 1392 wrote to memory of 1704	1392	13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe	cmd.exe
PID 1392 wrote to memory of 1704	1392	13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe	cmd.exe
PID 1392 wrote to memory of 1704	1392	13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe	cmd.exe
PID 1704 wrote to memory of 1864	1704	cmd.exe	PING.EXE
PID 1704 wrote to memory of 1864	1704	cmd.exe	PING.EXE
PID 1704 wrote to memory of 1864	1704	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe
"C:\Users\Admin\AppData\Local\Temp\13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
2⤵
- Executes dropped EXE
PID:4892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
Filesize
101KB

MD5
eb36cad2029606e54a01f5d46b30f24d

SHA1
f51dbd76d80794635a9e542a980f4d3ea4084d97

SHA256
9dd71bc2681f2e915cfc60bc92921198f29563cd55b4a26a9458b61b0b0e8e68

SHA512
56b8f5117477b70de46acb2faecbfe9de30e4c7f7945c2de0030c11aca01210b2a48fec8ec99f10fc32f2e811a383fcfe2d8d5ad32fdb4ff2879290074c9c547

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
Filesize
101KB

MD5
eb36cad2029606e54a01f5d46b30f24d

SHA1
f51dbd76d80794635a9e542a980f4d3ea4084d97

SHA256
9dd71bc2681f2e915cfc60bc92921198f29563cd55b4a26a9458b61b0b0e8e68

SHA512
56b8f5117477b70de46acb2faecbfe9de30e4c7f7945c2de0030c11aca01210b2a48fec8ec99f10fc32f2e811a383fcfe2d8d5ad32fdb4ff2879290074c9c547

Download Submit
memory/1704-135-0x0000000000000000-mapping.dmp

Download
memory/1864-136-0x0000000000000000-mapping.dmp

Download
memory/4892-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads