sakula | 07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710

General

Target

07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe
Size

212KB
MD5

2318575bbff6e228b9453eeb841ba952
SHA1

191e925300fe778355c91c14f6e95631cf94b831
SHA256

07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710
SHA512

8cb12fec7144cb2cad287dd34f82d92d853fb03ea2f82d795923a1c92dcf8361366f5bdfe5d7628b7cce3f5fc4aef8a185b569368aad08e4dc776667423a3b30
SSDEEP

1536:XcQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX++pLz30rtr8gjXjp0danBj:r29DkEGRQixVSjLc330BYgjXjpDnBj

Score

10^/10

sakula persistence rat trojan upx

Malware Config

Extracted

Family

sakula

C2

www.polarroute.com

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4188-133-0x0000000000400000-0x0000000000435000-memory.dmp	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral2/memory/1596-138-0x0000000000400000-0x0000000000435000-memory.dmp	family_sakula
behavioral2/memory/4188-139-0x0000000000400000-0x0000000000435000-memory.dmp	family_sakula
behavioral2/memory/1596-140-0x0000000000400000-0x0000000000435000-memory.dmp	family_sakula
behavioral2/memory/4188-141-0x0000000000400000-0x0000000000435000-memory.dmp	family_sakula

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1596 MediaCenter.exe

pid	process
1596	MediaCenter.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4188-133-0x0000000000400000-0x0000000000435000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral2/memory/1596-138-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/4188-139-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/1596-140-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/4188-141-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2964 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe

description pid process

Token: SeIncBasePriorityPrivilege 4188 07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe

pid	process
2964	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	4188	07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.execmd.exe

description	pid	process	target process
PID 4188 wrote to memory of 1596	4188	07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe	MediaCenter.exe
PID 4188 wrote to memory of 1596	4188	07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe	MediaCenter.exe
PID 4188 wrote to memory of 1596	4188	07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe	MediaCenter.exe
PID 4188 wrote to memory of 4176	4188	07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe	cmd.exe
PID 4188 wrote to memory of 4176	4188	07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe	cmd.exe
PID 4188 wrote to memory of 4176	4188	07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe	cmd.exe
PID 4176 wrote to memory of 2964	4176	cmd.exe	PING.EXE
PID 4176 wrote to memory of 2964	4176	cmd.exe	PING.EXE
PID 4176 wrote to memory of 2964	4176	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe
"C:\Users\Admin\AppData\Local\Temp\07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4188

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\07d5d6f916da9da2e1d1add3eb927b4c5b89e093d41baecdff209e728ecab710.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4176

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
212KB

MD5
7d7718ad29c10a90a3f0a5e2ac2bb485

SHA1
eeed0c16fb189cb6432a816546e3333fe5c00a3a

SHA256
d3042aa577292c583e13afdb2ff21d860a1fc7282e795ce6ac248c508807caac

SHA512
5bcb58e6da46afc457961fddfb9a14391843ffbe80929973bac854e0b39838ed5f58ef59325c43cd205234c4a4ae6a58707766b5e026e3e9b9dba067818ed621

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
212KB

MD5
7d7718ad29c10a90a3f0a5e2ac2bb485

SHA1
eeed0c16fb189cb6432a816546e3333fe5c00a3a

SHA256
d3042aa577292c583e13afdb2ff21d860a1fc7282e795ce6ac248c508807caac

SHA512
5bcb58e6da46afc457961fddfb9a14391843ffbe80929973bac854e0b39838ed5f58ef59325c43cd205234c4a4ae6a58707766b5e026e3e9b9dba067818ed621

Download Submit
memory/1596-138-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1596-140-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4188-133-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4188-139-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4188-141-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads