sakula | 7d02989b9ff0c2f7cb5e11d85f04aa008387c8350cd4c02e81d06eaeb2d0277f

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2023 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ad43c1acf427547b5ae5835be4b231d0.exe
Size

72KB
MD5

ad43c1acf427547b5ae5835be4b231d0
SHA1

c461e84230957c09c7caa390a483aa9e494fe570
SHA256

7d02989b9ff0c2f7cb5e11d85f04aa008387c8350cd4c02e81d06eaeb2d0277f
SHA512

85e06ee0d1d040e59377adba211216fd98477aaf088920e3c7e040d5ec52446e9a8e90ca24a63e45ebba2d92e212aca1d403bbbc809f26c32491f5c6f2c6a6b2
SSDEEP

768:q7Xezc/T6Zp14hyYtoVxYF9mHfCBJTAIO3OtYVW6QptwyV:G6zqhyYtkYW/CPnO3ajwyV

Score

10^/10

sakula persistence rat trojan

Malware Config

Extracted

Family

sakula

http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d

http://www.we11point.com:443/photo/%s.jpg?vid=%d

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

2436 MediaCenter.exe

pid	process
2436	MediaCenter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4144 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1668 PING.EXE

pid	process
4144	reg.exe

pid	process
1668	PING.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

NEAS.ad43c1acf427547b5ae5835be4b231d0.execmd.execmd.exe

description	pid	process	target process
PID 3972 wrote to memory of 1344	3972	NEAS.ad43c1acf427547b5ae5835be4b231d0.exe	cmd.exe
PID 3972 wrote to memory of 1344	3972	NEAS.ad43c1acf427547b5ae5835be4b231d0.exe	cmd.exe
PID 3972 wrote to memory of 1344	3972	NEAS.ad43c1acf427547b5ae5835be4b231d0.exe	cmd.exe
PID 3972 wrote to memory of 2436	3972	NEAS.ad43c1acf427547b5ae5835be4b231d0.exe	MediaCenter.exe
PID 3972 wrote to memory of 2436	3972	NEAS.ad43c1acf427547b5ae5835be4b231d0.exe	MediaCenter.exe
PID 3972 wrote to memory of 2436	3972	NEAS.ad43c1acf427547b5ae5835be4b231d0.exe	MediaCenter.exe
PID 1344 wrote to memory of 4144	1344	cmd.exe	reg.exe
PID 1344 wrote to memory of 4144	1344	cmd.exe	reg.exe
PID 1344 wrote to memory of 4144	1344	cmd.exe	reg.exe
PID 3972 wrote to memory of 3148	3972	NEAS.ad43c1acf427547b5ae5835be4b231d0.exe	cmd.exe
PID 3972 wrote to memory of 3148	3972	NEAS.ad43c1acf427547b5ae5835be4b231d0.exe	cmd.exe
PID 3972 wrote to memory of 3148	3972	NEAS.ad43c1acf427547b5ae5835be4b231d0.exe	cmd.exe
PID 3148 wrote to memory of 1668	3148	cmd.exe	PING.EXE
PID 3148 wrote to memory of 1668	3148	cmd.exe	PING.EXE
PID 3148 wrote to memory of 1668	3148	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.ad43c1acf427547b5ae5835be4b231d0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ad43c1acf427547b5ae5835be4b231d0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:4144

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:2436

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.ad43c1acf427547b5ae5835be4b231d0.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
72KB

MD5
c36143ed6ad7add7bcca6d8e319a38f2

SHA1
23e3cc57d507e9cb6e1175d871c2ce492728e079

SHA256
fc6de70877dc267e086d54263f87a0dd25490c03acdb3d5c049d5120a24180b9

SHA512
d6e9d4fc7f2f31c729a75e506067178ffdb5f53f2a504506a979d87efd85738af7b9c66a7ed51ac042356d126e25f5c31eb726d43634f2b932d259242c4d3140

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
72KB

MD5
c36143ed6ad7add7bcca6d8e319a38f2

SHA1
23e3cc57d507e9cb6e1175d871c2ce492728e079

SHA256
fc6de70877dc267e086d54263f87a0dd25490c03acdb3d5c049d5120a24180b9

SHA512
d6e9d4fc7f2f31c729a75e506067178ffdb5f53f2a504506a979d87efd85738af7b9c66a7ed51ac042356d126e25f5c31eb726d43634f2b932d259242c4d3140

Download Submit
memory/2436-7-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3972-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3972-1-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3972-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download