sakula | 26be8a8d061e3681dca81b85fe8421e2dcf114fb74f1c4963d75686e16be846e

Analysis

max time kernel
156s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2023 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.fa6f2a81cfe58c75464b718232600590.exe
Size

37KB
MD5

fa6f2a81cfe58c75464b718232600590
SHA1

76593acd52de4f0e82afffaa801d710f5582b22a
SHA256

26be8a8d061e3681dca81b85fe8421e2dcf114fb74f1c4963d75686e16be846e
SHA512

90f7e9f6f04dbaf8112a33caeedc55ca3c87f7c76042ad484b26be2c6a3813e95c3cc5d783ee01625e15234356001e168acd0e9412db45456da9c3ad212da4bc
SSDEEP

768:D7Xezc/T6Zp14hyYtoVxYF9mH8VQ1PcPW/M9zJ:n6zqhyYtkYWRPTEzJ

Score

10^/10

sakula persistence rat trojan

Malware Config

Extracted

Family

sakula

http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d

http://www.we11point.com:443/photo/%s.jpg?vid=%d

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1960 MediaCenter.exe

pid	process
1960	MediaCenter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4220 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2336 PING.EXE

pid	process
4220	reg.exe

pid	process
2336	PING.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

NEAS.fa6f2a81cfe58c75464b718232600590.execmd.execmd.exe

description	pid	process	target process
PID 844 wrote to memory of 2124	844	NEAS.fa6f2a81cfe58c75464b718232600590.exe	cmd.exe
PID 844 wrote to memory of 2124	844	NEAS.fa6f2a81cfe58c75464b718232600590.exe	cmd.exe
PID 844 wrote to memory of 2124	844	NEAS.fa6f2a81cfe58c75464b718232600590.exe	cmd.exe
PID 844 wrote to memory of 1960	844	NEAS.fa6f2a81cfe58c75464b718232600590.exe	MediaCenter.exe
PID 844 wrote to memory of 1960	844	NEAS.fa6f2a81cfe58c75464b718232600590.exe	MediaCenter.exe
PID 844 wrote to memory of 1960	844	NEAS.fa6f2a81cfe58c75464b718232600590.exe	MediaCenter.exe
PID 2124 wrote to memory of 4220	2124	cmd.exe	reg.exe
PID 2124 wrote to memory of 4220	2124	cmd.exe	reg.exe
PID 2124 wrote to memory of 4220	2124	cmd.exe	reg.exe
PID 844 wrote to memory of 1448	844	NEAS.fa6f2a81cfe58c75464b718232600590.exe	cmd.exe
PID 844 wrote to memory of 1448	844	NEAS.fa6f2a81cfe58c75464b718232600590.exe	cmd.exe
PID 844 wrote to memory of 1448	844	NEAS.fa6f2a81cfe58c75464b718232600590.exe	cmd.exe
PID 1448 wrote to memory of 2336	1448	cmd.exe	PING.EXE
PID 1448 wrote to memory of 2336	1448	cmd.exe	PING.EXE
PID 1448 wrote to memory of 2336	1448	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.fa6f2a81cfe58c75464b718232600590.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.fa6f2a81cfe58c75464b718232600590.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:4220

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.fa6f2a81cfe58c75464b718232600590.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
37KB

MD5
c3dc5e14ed81ed866847d51986a68d9d

SHA1
7540c32c0d5bf33ec87405660ad44df3329aa3ee

SHA256
79ded2d9de33594feb97b2bd1f02fddb7f999ee9242b9172e80a4e86773dd9fa

SHA512
10c4afd60f70e323d30827c605bd329ba9da3d9e8aba0a4b2b2ea436eb4053899a884ae60bb815781773ca499e2f79ae13933cc74fa234ce7d393be0ebbf1076

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
37KB

MD5
c3dc5e14ed81ed866847d51986a68d9d

SHA1
7540c32c0d5bf33ec87405660ad44df3329aa3ee

SHA256
79ded2d9de33594feb97b2bd1f02fddb7f999ee9242b9172e80a4e86773dd9fa

SHA512
10c4afd60f70e323d30827c605bd329ba9da3d9e8aba0a4b2b2ea436eb4053899a884ae60bb815781773ca499e2f79ae13933cc74fa234ce7d393be0ebbf1076

Download Submit
memory/844-1-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1960-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download