sakula | c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4

General

Target

c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe
Size

60KB
MD5

cfb618ea09382a4e7a68c3dd6a4732b3
SHA1

9156cb63276c50d24fa11f4dc6c2c65c01db2bb9
SHA256

c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4
SHA512

ff373843fe5d698316076cde9a087216ac62aefda35408a998ee407e0d9813d6a8b2025788cdfe6e3e7d3dc07a433afe7e8eb6140c0923292d3aaaa30f303f5e
SSDEEP

1536:iZioIoCwbYP4nuEApQK4TQbtY2gA9DX+ytBO8c3G3eTJ/X:iEoIlwIguEA4c5DgA9DOyq0eFP

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1048-60-0x0000000000400000-0x000000000041A000-memory.dmp	family_sakula
behavioral1/memory/1988-63-0x0000000000400000-0x000000000041A000-memory.dmp	family_sakula
behavioral1/memory/1048-66-0x0000000000400000-0x000000000041A000-memory.dmp	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1988 MediaCenter.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

672 cmd.exe

pid	process
1988	MediaCenter.exe

pid	process
672	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe

pid	process
1048	c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe
1048	c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1012 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe

description pid process

Token: SeIncBasePriorityPrivilege 1048 c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe

pid	process
1012	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1048	c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.execmd.exe

description	pid	process	target process
PID 1048 wrote to memory of 1988	1048	c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe	MediaCenter.exe
PID 1048 wrote to memory of 1988	1048	c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe	MediaCenter.exe
PID 1048 wrote to memory of 1988	1048	c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe	MediaCenter.exe
PID 1048 wrote to memory of 1988	1048	c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe	MediaCenter.exe
PID 1048 wrote to memory of 672	1048	c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe	cmd.exe
PID 1048 wrote to memory of 672	1048	c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe	cmd.exe
PID 1048 wrote to memory of 672	1048	c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe	cmd.exe
PID 1048 wrote to memory of 672	1048	c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe	cmd.exe
PID 672 wrote to memory of 1012	672	cmd.exe	PING.EXE
PID 672 wrote to memory of 1012	672	cmd.exe	PING.EXE
PID 672 wrote to memory of 1012	672	cmd.exe	PING.EXE
PID 672 wrote to memory of 1012	672	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe
"C:\Users\Admin\AppData\Local\Temp\c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
60KB

MD5
6960866eb3d04a5d58850cae1171e6fe

SHA1
228cd7384221d34ae4bfec40c47f6245caa0beea

SHA256
70377765076e39f305fca2060120599fdbab888ccad8f411ff75442c270b2f10

SHA512
4abc8cd5f9f51f45ac954083eecb0d0b2daea97f16b478d45efa14f2eef343b7f3d241f9d8ed3b4331c16ff2f3039b8b3e314a49f815dec8c97e31c95d0642ba

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
60KB

MD5
6960866eb3d04a5d58850cae1171e6fe

SHA1
228cd7384221d34ae4bfec40c47f6245caa0beea

SHA256
70377765076e39f305fca2060120599fdbab888ccad8f411ff75442c270b2f10

SHA512
4abc8cd5f9f51f45ac954083eecb0d0b2daea97f16b478d45efa14f2eef343b7f3d241f9d8ed3b4331c16ff2f3039b8b3e314a49f815dec8c97e31c95d0642ba

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
60KB

MD5
6960866eb3d04a5d58850cae1171e6fe

SHA1
228cd7384221d34ae4bfec40c47f6245caa0beea

SHA256
70377765076e39f305fca2060120599fdbab888ccad8f411ff75442c270b2f10

SHA512
4abc8cd5f9f51f45ac954083eecb0d0b2daea97f16b478d45efa14f2eef343b7f3d241f9d8ed3b4331c16ff2f3039b8b3e314a49f815dec8c97e31c95d0642ba

Download Submit
memory/672-65-0x0000000000000000-mapping.dmp

Download
memory/1012-67-0x0000000000000000-mapping.dmp

Download
memory/1048-61-0x00000000001B0000-0x00000000001CA000-memory.dmp

Filesize
104KB

Download
memory/1048-54-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1048-62-0x00000000001B0000-0x00000000001CA000-memory.dmp

Filesize
104KB

Download
memory/1048-64-0x00000000001B0000-0x00000000001CA000-memory.dmp

Filesize
104KB

Download
memory/1048-60-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1048-66-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1988-63-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1988-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads