sakula | 82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2022 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe
Size

89KB
MD5

3cae1b420842e5bc4098dffac0dd44fa
SHA1

321be89ffb70aa7c4cccfdb80df413b1c76c2230
SHA256

82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11
SHA512

838f25841dc233671dd007b94c871ef0bb42b6efff66ecf4a079e9cd406ecbc228fe4050702f14224d4d46e50905f6fab9a6e02f35c7904bc8f74563c8e2d1c8
SSDEEP

1536:voaj1hJL1S9t0MIeboal8bCKxo7h0RP0jwHVz30rtroWuxzug:Q0hpgz6xGhTjwHN30BE3D

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

4792 MediaCenter.exe

pid	process
4792	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4492 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe

description pid process

Token: SeIncBasePriorityPrivilege 5008 82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe

pid	process
4492	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	5008	82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.execmd.exe

description	pid	process	target process
PID 5008 wrote to memory of 4792	5008	82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe	MediaCenter.exe
PID 5008 wrote to memory of 4792	5008	82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe	MediaCenter.exe
PID 5008 wrote to memory of 4792	5008	82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe	MediaCenter.exe
PID 5008 wrote to memory of 2836	5008	82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe	cmd.exe
PID 5008 wrote to memory of 2836	5008	82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe	cmd.exe
PID 5008 wrote to memory of 2836	5008	82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe	cmd.exe
PID 2836 wrote to memory of 4492	2836	cmd.exe	PING.EXE
PID 2836 wrote to memory of 4492	2836	cmd.exe	PING.EXE
PID 2836 wrote to memory of 4492	2836	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe
"C:\Users\Admin\AppData\Local\Temp\82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5008

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:4792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\82334fde2fa92edf636d8885d542627f98aa326cf50df9b0f124229d8d857b11.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
89KB

MD5
727665c7349d6cff3367b40d2e23163c

SHA1
ecc90f7722cbff9a5d674e3cb20bf0c1e7a05a5b

SHA256
63335ee7068a4ec5844eb9806ab98452ad57d94a096cfa4c08fac9787a7ee4b5

SHA512
8647c9c536c0e221c633836964e268e4102535ae8f6fcace3f69baeb30a423c303667f94d32f4351b8fddefa80414e523d703a118824396f0ba3f51f2536c8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
89KB

MD5
727665c7349d6cff3367b40d2e23163c

SHA1
ecc90f7722cbff9a5d674e3cb20bf0c1e7a05a5b

SHA256
63335ee7068a4ec5844eb9806ab98452ad57d94a096cfa4c08fac9787a7ee4b5

SHA512
8647c9c536c0e221c633836964e268e4102535ae8f6fcace3f69baeb30a423c303667f94d32f4351b8fddefa80414e523d703a118824396f0ba3f51f2536c8c3

Download Submit
memory/2836-135-0x0000000000000000-mapping.dmp

Download
memory/4492-136-0x0000000000000000-mapping.dmp

Download
memory/4792-132-0x0000000000000000-mapping.dmp

Download