sakula | 2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672

General

Target

2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe
Size

220KB
MD5

c2ae8bc15021ce07686a8ef83f0287fc
SHA1

8d91e452bc71470d1ce05d02169f256a68d1e876
SHA256

2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672
SHA512

9475ae6c840f7f12eacd81333b5f87b0fc5fdaf40f54dd9a968c6f08d7e5409f7f1fe174c92fbbba94e48e3d939a6df9ec1f134f0d5fc019d587fcde527edf83
SSDEEP

3072:a29DkEGRQixVSjLaes5G30B6SHrMPK82S5EVVEdZHMoGo8uA0I6pVMybCFbRZ:a29qRfVSnfj30B+2S6ydMI8QVMgCFbRZ

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1372 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1772 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe

pid process

1408 2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe

pid	process
1372	MediaCenter.exe

pid	process
1772	cmd.exe

pid	process
1408	2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1620 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe

description pid process

Token: SeIncBasePriorityPrivilege 1408 2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe

pid	process
1620	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1408	2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.execmd.exe

description	pid	process	target process
PID 1408 wrote to memory of 1372	1408	2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe	MediaCenter.exe
PID 1408 wrote to memory of 1372	1408	2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe	MediaCenter.exe
PID 1408 wrote to memory of 1372	1408	2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe	MediaCenter.exe
PID 1408 wrote to memory of 1372	1408	2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe	MediaCenter.exe
PID 1408 wrote to memory of 1772	1408	2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe	cmd.exe
PID 1408 wrote to memory of 1772	1408	2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe	cmd.exe
PID 1408 wrote to memory of 1772	1408	2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe	cmd.exe
PID 1408 wrote to memory of 1772	1408	2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe	cmd.exe
PID 1772 wrote to memory of 1620	1772	cmd.exe	PING.EXE
PID 1772 wrote to memory of 1620	1772	cmd.exe	PING.EXE
PID 1772 wrote to memory of 1620	1772	cmd.exe	PING.EXE
PID 1772 wrote to memory of 1620	1772	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe
"C:\Users\Admin\AppData\Local\Temp\2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2ef07ce90f51ca389de09aad08048225b28c74c09cbaf3aceccddd3e6b003672.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
220KB

MD5
2df33638bf15a52dfbf851286d987128

SHA1
eb2d49a70b751a2ed6382a021431224911e1252b

SHA256
abd13f8e2c10bc7127d98d513e0578b74c2cd02137ba48f777552e1b101a7990

SHA512
8660685112cd7743d59dd3c42dc588d7b9f1fe0fc42ae7156de8b7212f1e596f04f107b57a10a07281de4757c6a96a0fbd2df1329ff74f624ea9dc8fa6b48f7f

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
220KB

MD5
2df33638bf15a52dfbf851286d987128

SHA1
eb2d49a70b751a2ed6382a021431224911e1252b

SHA256
abd13f8e2c10bc7127d98d513e0578b74c2cd02137ba48f777552e1b101a7990

SHA512
8660685112cd7743d59dd3c42dc588d7b9f1fe0fc42ae7156de8b7212f1e596f04f107b57a10a07281de4757c6a96a0fbd2df1329ff74f624ea9dc8fa6b48f7f

Download Submit
memory/1372-56-0x0000000000000000-mapping.dmp

Download
memory/1408-54-0x00000000750A1000-0x00000000750A3000-memory.dmp

Filesize
8KB

Download
memory/1620-60-0x0000000000000000-mapping.dmp

Download
memory/1772-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads