sakula | e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54

Analysis

max time kernel
129s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2022 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe
Size

88KB
MD5

10fa04bbf25570d83c37d5b7008fe85d
SHA1

7f6c136b0cc97cfdd0ba5e27ec03a0ea4c87193f
SHA256

e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54
SHA512

8fbab615e94f86612ce7e696e6f5a0457c9a0c18ccaa286b4769315350861e14e125041b828d22a3abcfbe727020d414577e70a522bfb29b9221683ebd562612
SSDEEP

1536:Boaj1hJL1S9t0MIeboal8bCKxo7h0RP0jwHVz30rtroyPTEzg:y0hpgz6xGhTjwHN30BEybEk

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

4540 MediaCenter.exe

pid	process
4540	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4692 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe

description pid process

Token: SeIncBasePriorityPrivilege 4676 e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe

pid	process
4692	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	4676	e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.execmd.exe

description	pid	process	target process
PID 4676 wrote to memory of 4540	4676	e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe	MediaCenter.exe
PID 4676 wrote to memory of 4540	4676	e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe	MediaCenter.exe
PID 4676 wrote to memory of 4540	4676	e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe	MediaCenter.exe
PID 4676 wrote to memory of 4884	4676	e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe	cmd.exe
PID 4676 wrote to memory of 4884	4676	e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe	cmd.exe
PID 4676 wrote to memory of 4884	4676	e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe	cmd.exe
PID 4884 wrote to memory of 4692	4884	cmd.exe	PING.EXE
PID 4884 wrote to memory of 4692	4884	cmd.exe	PING.EXE
PID 4884 wrote to memory of 4692	4884	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe
"C:\Users\Admin\AppData\Local\Temp\e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:4540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
88KB

MD5
75cf4b8c02161fa358ffe3e6cf748b80

SHA1
d58f77e27238fd20063df2665f4269185e96e5d9

SHA256
d6195ce720c788f614a7775a19a4a81aee2043925489e2fba3a293cccb19d6b8

SHA512
fd9061de9acdc30208ffa27e64ad2047a485898e73faff5136a156cf725df7f418b630b28d90b5a7be57e847065e47986df52bb2b8c70740d30add2cf2be4d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
88KB

MD5
75cf4b8c02161fa358ffe3e6cf748b80

SHA1
d58f77e27238fd20063df2665f4269185e96e5d9

SHA256
d6195ce720c788f614a7775a19a4a81aee2043925489e2fba3a293cccb19d6b8

SHA512
fd9061de9acdc30208ffa27e64ad2047a485898e73faff5136a156cf725df7f418b630b28d90b5a7be57e847065e47986df52bb2b8c70740d30add2cf2be4d35

Download Submit
memory/4540-132-0x0000000000000000-mapping.dmp

Download
memory/4692-136-0x0000000000000000-mapping.dmp

Download
memory/4884-135-0x0000000000000000-mapping.dmp

Download