sakula | e0ddf1c40d03499d27db1420b83de2da1fdd609c8463faee3b7bfd6e62c42f0e

General

Target

NEAS.53f3cbe3b6506b5c5eb1fc23e421b6e0.exe
Size

212KB
MD5

53f3cbe3b6506b5c5eb1fc23e421b6e0
SHA1

408185b166aee1c29eb805df03711789b42a2936
SHA256

e0ddf1c40d03499d27db1420b83de2da1fdd609c8463faee3b7bfd6e62c42f0e
SHA512

d8969498e845bd841739f3db4631ed088907512dce20181d7985324b10707252a35534d46f59c251deb7b88563bb6aa8af15c9903ac7d17c679f951145208358
SSDEEP

1536:NtQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX++pdz30rtr8gjXjp0GanBH:A29DkEGRQixVSjLc130BYgjXjpUnBH

Score

10^/10

sakula persistence rat trojan upx

Malware Config

Extracted

Family

sakula

C2

www.polarroute.com

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3604-0-0x0000000000400000-0x0000000000435000-memory.dmp	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral2/memory/1172-5-0x0000000000400000-0x0000000000435000-memory.dmp	family_sakula
behavioral2/memory/3604-6-0x0000000000400000-0x0000000000435000-memory.dmp	family_sakula
behavioral2/memory/1172-7-0x0000000000400000-0x0000000000435000-memory.dmp	family_sakula
behavioral2/memory/3604-8-0x0000000000400000-0x0000000000435000-memory.dmp	family_sakula

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NEAS.53f3cbe3b6506b5c5eb1fc23e421b6e0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	NEAS.53f3cbe3b6506b5c5eb1fc23e421b6e0.exe

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1172 MediaCenter.exe

pid	process
1172	MediaCenter.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3604-0-0x0000000000400000-0x0000000000435000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral2/memory/1172-5-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/3604-6-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/1172-7-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/3604-8-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NEAS.53f3cbe3b6506b5c5eb1fc23e421b6e0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	NEAS.53f3cbe3b6506b5c5eb1fc23e421b6e0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

500 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

NEAS.53f3cbe3b6506b5c5eb1fc23e421b6e0.exe

description pid process

Token: SeIncBasePriorityPrivilege 3604 NEAS.53f3cbe3b6506b5c5eb1fc23e421b6e0.exe

pid	process
500	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	3604	NEAS.53f3cbe3b6506b5c5eb1fc23e421b6e0.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

NEAS.53f3cbe3b6506b5c5eb1fc23e421b6e0.execmd.exe

description	pid	process	target process
PID 3604 wrote to memory of 1172	3604	NEAS.53f3cbe3b6506b5c5eb1fc23e421b6e0.exe	MediaCenter.exe
PID 3604 wrote to memory of 1172	3604	NEAS.53f3cbe3b6506b5c5eb1fc23e421b6e0.exe	MediaCenter.exe
PID 3604 wrote to memory of 1172	3604	NEAS.53f3cbe3b6506b5c5eb1fc23e421b6e0.exe	MediaCenter.exe
PID 3604 wrote to memory of 1168	3604	NEAS.53f3cbe3b6506b5c5eb1fc23e421b6e0.exe	cmd.exe
PID 3604 wrote to memory of 1168	3604	NEAS.53f3cbe3b6506b5c5eb1fc23e421b6e0.exe	cmd.exe
PID 3604 wrote to memory of 1168	3604	NEAS.53f3cbe3b6506b5c5eb1fc23e421b6e0.exe	cmd.exe
PID 1168 wrote to memory of 500	1168	cmd.exe	PING.EXE
PID 1168 wrote to memory of 500	1168	cmd.exe	PING.EXE
PID 1168 wrote to memory of 500	1168	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.53f3cbe3b6506b5c5eb1fc23e421b6e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.53f3cbe3b6506b5c5eb1fc23e421b6e0.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3604

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\NEAS.53f3cbe3b6506b5c5eb1fc23e421b6e0.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
212KB

MD5
e82f2f1b75123e35eb5980ba73ef992c

SHA1
d93e4a1e68243f8c5c6b3e719b52a40017c8056d

SHA256
493bde58b29403ef82046622881510eb264c90de2fe4e46559757eb301abab6f

SHA512
13f0d6c7a50780dfd1c6f23a9aee06e0d849170d3a3da31628e6cfcab4c7a9de6eb5e86c0d597fb9deee5643aa36b3694a1fc46c08e221a17938f973e687fa77

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
212KB

MD5
e82f2f1b75123e35eb5980ba73ef992c

SHA1
d93e4a1e68243f8c5c6b3e719b52a40017c8056d

SHA256
493bde58b29403ef82046622881510eb264c90de2fe4e46559757eb301abab6f

SHA512
13f0d6c7a50780dfd1c6f23a9aee06e0d849170d3a3da31628e6cfcab4c7a9de6eb5e86c0d597fb9deee5643aa36b3694a1fc46c08e221a17938f973e687fa77

Download Submit
memory/1172-5-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1172-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3604-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3604-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3604-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads