sakula | b3f1d81a5f5e79891da3e17298157d2fbb7891fe87fa74bf36dc90673895e4be

Analysis

max time kernel
153s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2023 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe
Size

38KB
MD5

b8525a8bfe1b7d28eae8d22095d9fc20
SHA1

a47d464fe96ac008ba33cb1cb473fccc1db257b5
SHA256

b3f1d81a5f5e79891da3e17298157d2fbb7891fe87fa74bf36dc90673895e4be
SHA512

1ca200abdce7cda32e6f52276c9361daa8f30fe78e707783296d2bed54ee9fae9b1761596607265a9b5b97d4734b2b6541183f3d04880a5dd75a6698a76bbf37
SSDEEP

768:47Xezc/T6Zp14hyYtoVxYF9mH3l4ezcV0:w6zqhyYtkYWXlX9

Score

10^/10

sakula persistence rat trojan

Malware Config

Extracted

Family

sakula

http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d

http://www.we11point.com:443/photo/%s.jpg?vid=%d

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1856 MediaCenter.exe

pid	process
1856	MediaCenter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2644 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3240 PING.EXE

pid	process
2644	reg.exe

pid	process
3240	PING.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.execmd.execmd.exe

description	pid	process	target process
PID 456 wrote to memory of 2292	456	NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe	cmd.exe
PID 456 wrote to memory of 2292	456	NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe	cmd.exe
PID 456 wrote to memory of 2292	456	NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe	cmd.exe
PID 456 wrote to memory of 1856	456	NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe	MediaCenter.exe
PID 456 wrote to memory of 1856	456	NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe	MediaCenter.exe
PID 456 wrote to memory of 1856	456	NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe	MediaCenter.exe
PID 2292 wrote to memory of 2644	2292	cmd.exe	reg.exe
PID 2292 wrote to memory of 2644	2292	cmd.exe	reg.exe
PID 2292 wrote to memory of 2644	2292	cmd.exe	reg.exe
PID 456 wrote to memory of 4396	456	NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe	cmd.exe
PID 456 wrote to memory of 4396	456	NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe	cmd.exe
PID 456 wrote to memory of 4396	456	NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe	cmd.exe
PID 4396 wrote to memory of 3240	4396	cmd.exe	PING.EXE
PID 4396 wrote to memory of 3240	4396	cmd.exe	PING.EXE
PID 4396 wrote to memory of 3240	4396	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2644

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1856

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.b8525a8bfe1b7d28eae8d22095d9fc20.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4396

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
38KB

MD5
d9ea4d478f176389cc3d50844e2aae92

SHA1
59512d39c2b797d7a1766cc4483d8deed005f92e

SHA256
21e8222dd889772b9ac7a80a19b26ba6807b313809f275f5eb866903206cb3a0

SHA512
16a71d71b38c56387cbc894601e729f7c88e64106f67cf08b9ae46300ae5de6f88b7b72ddcd5965ed02a22373170320cc97c58a7361e7b59611cfa0a34d46b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
38KB

MD5
d9ea4d478f176389cc3d50844e2aae92

SHA1
59512d39c2b797d7a1766cc4483d8deed005f92e

SHA256
21e8222dd889772b9ac7a80a19b26ba6807b313809f275f5eb866903206cb3a0

SHA512
16a71d71b38c56387cbc894601e729f7c88e64106f67cf08b9ae46300ae5de6f88b7b72ddcd5965ed02a22373170320cc97c58a7361e7b59611cfa0a34d46b09

Download Submit
memory/456-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/456-1-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/456-6-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1856-7-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1856-8-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download