sakula | ad9937437a8329c43a264e2aec154179fe291cd6f401839f9e27b48e5d80c435

Analysis

max time kernel
7s
max time network
10s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-10-2022 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad9937437a8329c43a264e2aec154179fe291cd6f401839f9e27b48e5d80c435.exe
Size

588KB
MD5

ff63def383483e56337ccf0a12ff43b6
SHA1

1fd8b7d298a34711f51c8606135985367176d010
SHA256

ad9937437a8329c43a264e2aec154179fe291cd6f401839f9e27b48e5d80c435
SHA512

b3e613441a61cd0e1dff8a5f1e2f8c4e25fd2abed933b327b171f0777e64d0f81f862df506e4e02d812119c1eae35a635bf9eb999f59796b1113965cab3868e3
SSDEEP

12288:0RfQn+w8EYiBlMkn5f9J105ko8T6csV5n:g4+wlYBsb3zNs5n

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral1/memory/780-59-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula
behavioral1/memory/1960-61-0x0000000000400000-0x0000000000420000-memory.dmp	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1960 MediaCenter.exe
Loads dropped DLL 1 IoCs

Processes:

ad9937437a8329c43a264e2aec154179fe291cd6f401839f9e27b48e5d80c435.exe

pid process

780 ad9937437a8329c43a264e2aec154179fe291cd6f401839f9e27b48e5d80c435.exe

pid	process
1960	MediaCenter.exe

pid	process
780	ad9937437a8329c43a264e2aec154179fe291cd6f401839f9e27b48e5d80c435.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ad9937437a8329c43a264e2aec154179fe291cd6f401839f9e27b48e5d80c435.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	ad9937437a8329c43a264e2aec154179fe291cd6f401839f9e27b48e5d80c435.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

ad9937437a8329c43a264e2aec154179fe291cd6f401839f9e27b48e5d80c435.exe

description	pid	process	target process
PID 780 wrote to memory of 1960	780	ad9937437a8329c43a264e2aec154179fe291cd6f401839f9e27b48e5d80c435.exe	MediaCenter.exe
PID 780 wrote to memory of 1960	780	ad9937437a8329c43a264e2aec154179fe291cd6f401839f9e27b48e5d80c435.exe	MediaCenter.exe
PID 780 wrote to memory of 1960	780	ad9937437a8329c43a264e2aec154179fe291cd6f401839f9e27b48e5d80c435.exe	MediaCenter.exe
PID 780 wrote to memory of 1960	780	ad9937437a8329c43a264e2aec154179fe291cd6f401839f9e27b48e5d80c435.exe	MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\ad9937437a8329c43a264e2aec154179fe291cd6f401839f9e27b48e5d80c435.exe
"C:\Users\Admin\AppData\Local\Temp\ad9937437a8329c43a264e2aec154179fe291cd6f401839f9e27b48e5d80c435.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:780

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
588KB

MD5
4b325572c4506167740c0bb8760537f1

SHA1
ab956b2e7b08e1104bf7806ce53590840882691c

SHA256
d76f920fb1b2a3d116cec008964a690742fd769f706b2b08eb9aaac34ca49c27

SHA512
995abcadfacefbb8c03a5d249338baa50ed8803cff5e39bcfb508826df8cdb66ee55f26a5691f8e39f318b0ba624dba9e499b730a1f75d6155d684c0f88425ce

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
588KB

MD5
4b325572c4506167740c0bb8760537f1

SHA1
ab956b2e7b08e1104bf7806ce53590840882691c

SHA256
d76f920fb1b2a3d116cec008964a690742fd769f706b2b08eb9aaac34ca49c27

SHA512
995abcadfacefbb8c03a5d249338baa50ed8803cff5e39bcfb508826df8cdb66ee55f26a5691f8e39f318b0ba624dba9e499b730a1f75d6155d684c0f88425ce

Download Submit
memory/780-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/780-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/780-60-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/1960-56-0x0000000000000000-mapping.dmp

Download
memory/1960-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download