sakula | c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4

General

Target

c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe
Size

60KB
MD5

cfb618ea09382a4e7a68c3dd6a4732b3
SHA1

9156cb63276c50d24fa11f4dc6c2c65c01db2bb9
SHA256

c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4
SHA512

ff373843fe5d698316076cde9a087216ac62aefda35408a998ee407e0d9813d6a8b2025788cdfe6e3e7d3dc07a433afe7e8eb6140c0923292d3aaaa30f303f5e
SSDEEP

1536:iZioIoCwbYP4nuEApQK4TQbtY2gA9DX+ytBO8c3G3eTJ/X:iEoIlwIguEA4c5DgA9DOyq0eFP

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4848-136-0x0000000000400000-0x000000000041A000-memory.dmp	family_sakula
behavioral2/memory/4744-137-0x0000000000400000-0x000000000041A000-memory.dmp	family_sakula
behavioral2/memory/4744-139-0x0000000000400000-0x000000000041A000-memory.dmp	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

4848 MediaCenter.exe

pid	process
4848	MediaCenter.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4884 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe

description pid process

Token: SeIncBasePriorityPrivilege 4744 c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe

pid	process
4884	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	4744	c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.execmd.exe

description	pid	process	target process
PID 4744 wrote to memory of 4848	4744	c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe	MediaCenter.exe
PID 4744 wrote to memory of 4848	4744	c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe	MediaCenter.exe
PID 4744 wrote to memory of 4848	4744	c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe	MediaCenter.exe
PID 4744 wrote to memory of 3760	4744	c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe	cmd.exe
PID 4744 wrote to memory of 3760	4744	c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe	cmd.exe
PID 4744 wrote to memory of 3760	4744	c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe	cmd.exe
PID 3760 wrote to memory of 4884	3760	cmd.exe	PING.EXE
PID 3760 wrote to memory of 4884	3760	cmd.exe	PING.EXE
PID 3760 wrote to memory of 4884	3760	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe
"C:\Users\Admin\AppData\Local\Temp\c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:4848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\c2264f2d6a6e0108caa212d4c3c786f6d77ac907b02abf1ccf9d74f9439890f4.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3760

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
60KB

MD5
4dd90e784d86dba5f61739a397060d18

SHA1
f9446f6da017c7a9684e422a1a68658d35b03bbd

SHA256
56172439e061caac2684785ec98ad268cb2ff5dc702cad8af11f3ede97a2fc0b

SHA512
c4bb4d0426792a8319b14d16a14280211250b872c03203efa1472be8cdbb54bed3e9c08ef877edc106c9073484f0a4636f9d7a51228e6044664f2fac9933c923

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
60KB

MD5
4dd90e784d86dba5f61739a397060d18

SHA1
f9446f6da017c7a9684e422a1a68658d35b03bbd

SHA256
56172439e061caac2684785ec98ad268cb2ff5dc702cad8af11f3ede97a2fc0b

SHA512
c4bb4d0426792a8319b14d16a14280211250b872c03203efa1472be8cdbb54bed3e9c08ef877edc106c9073484f0a4636f9d7a51228e6044664f2fac9933c923

Download Submit
memory/3760-138-0x0000000000000000-mapping.dmp

Download
memory/4744-132-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4744-137-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4744-139-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4848-133-0x0000000000000000-mapping.dmp

Download
memory/4848-136-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4884-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads