sakula | a5394fc377a2f0e8f4260a40cb0a38f0a5b9e91466243e5e777ede07b65da2ab

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22-10-2023 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f57221068bf350b5139860fa859ea350.exe
Size

37KB
MD5

f57221068bf350b5139860fa859ea350
SHA1

3d51a6a32f709934197d480ab2d3136cb5e2629f
SHA256

a5394fc377a2f0e8f4260a40cb0a38f0a5b9e91466243e5e777ede07b65da2ab
SHA512

13e97b64d4a970100e64f55dd18d6a1bff5969d57945c136a296cbe7b3c925bbab170919454decf19bb802274d9324c56e00fc24ca49f340cc43cbce0aebdd4f
SSDEEP

768:D7Xezc/T6Zp14hyYtoVxYF9mH8VQ1PcPW/M9zx:n6zqhyYtkYWRPTEzx

Score

10^/10

sakula persistence rat trojan

Malware Config

Extracted

Family

sakula

http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d

http://www.we11point.com:443/photo/%s.jpg?vid=%d

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

2860 MediaCenter.exe

pid	process
2860	MediaCenter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3892 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3708 PING.EXE

pid	process
3892	reg.exe

pid	process
3708	PING.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

NEAS.f57221068bf350b5139860fa859ea350.execmd.execmd.exe

description	pid	process	target process
PID 2208 wrote to memory of 4324	2208	NEAS.f57221068bf350b5139860fa859ea350.exe	cmd.exe
PID 2208 wrote to memory of 4324	2208	NEAS.f57221068bf350b5139860fa859ea350.exe	cmd.exe
PID 2208 wrote to memory of 4324	2208	NEAS.f57221068bf350b5139860fa859ea350.exe	cmd.exe
PID 2208 wrote to memory of 2860	2208	NEAS.f57221068bf350b5139860fa859ea350.exe	MediaCenter.exe
PID 2208 wrote to memory of 2860	2208	NEAS.f57221068bf350b5139860fa859ea350.exe	MediaCenter.exe
PID 2208 wrote to memory of 2860	2208	NEAS.f57221068bf350b5139860fa859ea350.exe	MediaCenter.exe
PID 4324 wrote to memory of 3892	4324	cmd.exe	reg.exe
PID 4324 wrote to memory of 3892	4324	cmd.exe	reg.exe
PID 4324 wrote to memory of 3892	4324	cmd.exe	reg.exe
PID 2208 wrote to memory of 4600	2208	NEAS.f57221068bf350b5139860fa859ea350.exe	cmd.exe
PID 2208 wrote to memory of 4600	2208	NEAS.f57221068bf350b5139860fa859ea350.exe	cmd.exe
PID 2208 wrote to memory of 4600	2208	NEAS.f57221068bf350b5139860fa859ea350.exe	cmd.exe
PID 4600 wrote to memory of 3708	4600	cmd.exe	PING.EXE
PID 4600 wrote to memory of 3708	4600	cmd.exe	PING.EXE
PID 4600 wrote to memory of 3708	4600	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.f57221068bf350b5139860fa859ea350.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f57221068bf350b5139860fa859ea350.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:3892

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:2860

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.f57221068bf350b5139860fa859ea350.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
37KB

MD5
0d08c57e3df197a7bbf02117d0db35c0

SHA1
6da4f730ca7e96e05a65920140a17b8158a7415d

SHA256
3d1b0d410135f8f806af30a0c49d7eb8c2f898b7c24f864bce048c59f03c6672

SHA512
312b3a713709f83b0c34b9764e0166f3f256a3324ccb7ad667b74b1e17279d177fac13368a65e43b2b0b222774dd0781d730b89f5f53fdad437aeea103cfd855

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
37KB

MD5
0d08c57e3df197a7bbf02117d0db35c0

SHA1
6da4f730ca7e96e05a65920140a17b8158a7415d

SHA256
3d1b0d410135f8f806af30a0c49d7eb8c2f898b7c24f864bce048c59f03c6672

SHA512
312b3a713709f83b0c34b9764e0166f3f256a3324ccb7ad667b74b1e17279d177fac13368a65e43b2b0b222774dd0781d730b89f5f53fdad437aeea103cfd855

Download Submit
memory/2208-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download