sakula | 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb

General

Target

1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe
Size

88KB
MD5

2891e37bed6d36ec6c9b3bcc5835e313
SHA1

5cf55d05e3d6499f5cfd2ff460886029eb507cfd
SHA256

1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb
SHA512

de98b2f8ebdfac9bd04680b3d69230d6dc8428b1df6237651c93e06e4664cd795e5d059fc28fd38df5d4e78f981ac3557f321b2886acda0581371999d185b07d
SSDEEP

1536:Boaj1hJL1S9t0MIeboal8bCKxo7h0RP0jwHVz30rtro1PTEzh:y0hpgz6xGhTjwHN30BE1bEl

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1968 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1372 cmd.exe

pid	process
1968	MediaCenter.exe

pid	process
1372	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe

pid	process
1960	1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe
1960	1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

824 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe

description pid process

Token: SeIncBasePriorityPrivilege 1960 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe

pid	process
824	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1960	1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.execmd.exe

description	pid	process	target process
PID 1960 wrote to memory of 1968	1960	1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe	MediaCenter.exe
PID 1960 wrote to memory of 1968	1960	1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe	MediaCenter.exe
PID 1960 wrote to memory of 1968	1960	1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe	MediaCenter.exe
PID 1960 wrote to memory of 1968	1960	1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe	MediaCenter.exe
PID 1960 wrote to memory of 1372	1960	1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe	cmd.exe
PID 1960 wrote to memory of 1372	1960	1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe	cmd.exe
PID 1960 wrote to memory of 1372	1960	1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe	cmd.exe
PID 1960 wrote to memory of 1372	1960	1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe	cmd.exe
PID 1372 wrote to memory of 824	1372	cmd.exe	PING.EXE
PID 1372 wrote to memory of 824	1372	cmd.exe	PING.EXE
PID 1372 wrote to memory of 824	1372	cmd.exe	PING.EXE
PID 1372 wrote to memory of 824	1372	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe
"C:\Users\Admin\AppData\Local\Temp\1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
88KB

MD5
ba6fc00322778c481af31c52e6a5ab2b

SHA1
3485b93912fc95572eb8cae5ef4032ddc0825972

SHA256
43505be548c9fd576f8638bd98fea0c01e939b7512152fefab150c26a09f61c2

SHA512
7a439dd632cbbf41406a7574a098ed8346241ca6d04e271ba608b9c1ca5ccbc941a900dd8ba66808b562eaa3c89d17e1d075fb52782c631b3907c1e739051f81

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
88KB

MD5
ba6fc00322778c481af31c52e6a5ab2b

SHA1
3485b93912fc95572eb8cae5ef4032ddc0825972

SHA256
43505be548c9fd576f8638bd98fea0c01e939b7512152fefab150c26a09f61c2

SHA512
7a439dd632cbbf41406a7574a098ed8346241ca6d04e271ba608b9c1ca5ccbc941a900dd8ba66808b562eaa3c89d17e1d075fb52782c631b3907c1e739051f81

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
88KB

MD5
ba6fc00322778c481af31c52e6a5ab2b

SHA1
3485b93912fc95572eb8cae5ef4032ddc0825972

SHA256
43505be548c9fd576f8638bd98fea0c01e939b7512152fefab150c26a09f61c2

SHA512
7a439dd632cbbf41406a7574a098ed8346241ca6d04e271ba608b9c1ca5ccbc941a900dd8ba66808b562eaa3c89d17e1d075fb52782c631b3907c1e739051f81

Download Submit
memory/824-61-0x0000000000000000-mapping.dmp

Download
memory/1372-60-0x0000000000000000-mapping.dmp

Download
memory/1960-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/1968-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads