sakula | 1d9deea1f2460ec87569b0af5f2693a0b36a80aacdedda1ecce870bb56749de2

Analysis

max time kernel
133s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2023 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e9c917a00d385169f54f0302f39adb0_exe32.exe
Size

67KB
MD5

7e9c917a00d385169f54f0302f39adb0
SHA1

404ab31a239a7ed764a31ddebea39bf6242cd957
SHA256

1d9deea1f2460ec87569b0af5f2693a0b36a80aacdedda1ecce870bb56749de2
SHA512

65ef31aefc3d45f51ab2f6b3d8af861a3c2b00600f98d476b79465eaabb096d990f6034097031e356b4bef524ce14a9d6a3a39e9fca6f77f315e3b6fe7065575
SSDEEP

768:u7Xezc/T6Zp14hyYtoVxYF9mHF1yD3BmNV8PsED3VK2+ZtyOjgO4r9vFAg2rqb:a6zqhyYtkYWI3BDYTjipvF2W

Score

10^/10

sakula persistence rat trojan

Malware Config

Extracted

Family

sakula

http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d

http://www.we11point.com:443/photo/%s.jpg?vid=%d

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

4928 MediaCenter.exe

pid	process
4928	MediaCenter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3304 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4516 PING.EXE

pid	process
3304	reg.exe

pid	process
4516	PING.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

7e9c917a00d385169f54f0302f39adb0_exe32.execmd.execmd.exe

description	pid	process	target process
PID 2292 wrote to memory of 1968	2292	7e9c917a00d385169f54f0302f39adb0_exe32.exe	cmd.exe
PID 2292 wrote to memory of 1968	2292	7e9c917a00d385169f54f0302f39adb0_exe32.exe	cmd.exe
PID 2292 wrote to memory of 1968	2292	7e9c917a00d385169f54f0302f39adb0_exe32.exe	cmd.exe
PID 2292 wrote to memory of 4928	2292	7e9c917a00d385169f54f0302f39adb0_exe32.exe	MediaCenter.exe
PID 2292 wrote to memory of 4928	2292	7e9c917a00d385169f54f0302f39adb0_exe32.exe	MediaCenter.exe
PID 2292 wrote to memory of 4928	2292	7e9c917a00d385169f54f0302f39adb0_exe32.exe	MediaCenter.exe
PID 1968 wrote to memory of 3304	1968	cmd.exe	reg.exe
PID 1968 wrote to memory of 3304	1968	cmd.exe	reg.exe
PID 1968 wrote to memory of 3304	1968	cmd.exe	reg.exe
PID 2292 wrote to memory of 2680	2292	7e9c917a00d385169f54f0302f39adb0_exe32.exe	cmd.exe
PID 2292 wrote to memory of 2680	2292	7e9c917a00d385169f54f0302f39adb0_exe32.exe	cmd.exe
PID 2292 wrote to memory of 2680	2292	7e9c917a00d385169f54f0302f39adb0_exe32.exe	cmd.exe
PID 2680 wrote to memory of 4516	2680	cmd.exe	PING.EXE
PID 2680 wrote to memory of 4516	2680	cmd.exe	PING.EXE
PID 2680 wrote to memory of 4516	2680	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\7e9c917a00d385169f54f0302f39adb0_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\7e9c917a00d385169f54f0302f39adb0_exe32.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:3304

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:4928

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\7e9c917a00d385169f54f0302f39adb0_exe32.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
67KB

MD5
fc924aab1fb46bda3717763f199fddf9

SHA1
99c757316f971ec28bc2706c5cda6026cc3e0bd2

SHA256
aaf160d344c990e4e9760a8842b4f7a19035a18266c045975fa673016e5527e3

SHA512
f22ae603a444b90ea228419d3d0477f457fa00f5d13575a96ab5717317b1f878d555a49bc9c4ebdb0a2cea95ae9837ea859a7f7720c46f634d1aebb744fb9997

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
67KB

MD5
fc924aab1fb46bda3717763f199fddf9

SHA1
99c757316f971ec28bc2706c5cda6026cc3e0bd2

SHA256
aaf160d344c990e4e9760a8842b4f7a19035a18266c045975fa673016e5527e3

SHA512
f22ae603a444b90ea228419d3d0477f457fa00f5d13575a96ab5717317b1f878d555a49bc9c4ebdb0a2cea95ae9837ea859a7f7720c46f634d1aebb744fb9997

Download Submit
memory/2292-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2292-1-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2292-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4928-7-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download