sakula | f5e1b3bcf04e4100a069bc84dd092d7fd7c9bb92efd8f34525651d63a5c8967a

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-12-2023 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15978f016058de282291cce05e394fc7.exe
Size

3.9MB
MD5

15978f016058de282291cce05e394fc7
SHA1

500b3f5d840422651d20ff1189baa8f30957f1e6
SHA256

f5e1b3bcf04e4100a069bc84dd092d7fd7c9bb92efd8f34525651d63a5c8967a
SHA512

498657589d32430084a137edf3eadf70d162391f5d4dae89f7598a3cb5e56b48cefdc98d36abd014a1ca3cc75f563cb74e6dd3ccae7b79661bef60379049e2a3
SSDEEP

24576:j0Xx/6oTNa1h3Qh3O+ZrIb1Eu8CTPq30pYZMmjjTjuSE5DBMYL:j+5TY76HZ68kQ0paMmjjTjzeaYL

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2160 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

2832 MediaCenter.exe
Loads dropped DLL 2 IoCs

Processes:

15978f016058de282291cce05e394fc7.exe

pid process

2612 15978f016058de282291cce05e394fc7.exe
2612 15978f016058de282291cce05e394fc7.exe

pid	process
2160	cmd.exe

pid	process
2832	MediaCenter.exe

pid	process
2612	15978f016058de282291cce05e394fc7.exe
2612	15978f016058de282291cce05e394fc7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

15978f016058de282291cce05e394fc7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	15978f016058de282291cce05e394fc7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2536 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

15978f016058de282291cce05e394fc7.exe

description pid process

Token: SeIncBasePriorityPrivilege 2612 15978f016058de282291cce05e394fc7.exe

pid	process
2536	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	2612	15978f016058de282291cce05e394fc7.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

15978f016058de282291cce05e394fc7.execmd.exe

description	pid	process	target process
PID 2612 wrote to memory of 2832	2612	15978f016058de282291cce05e394fc7.exe	MediaCenter.exe
PID 2612 wrote to memory of 2832	2612	15978f016058de282291cce05e394fc7.exe	MediaCenter.exe
PID 2612 wrote to memory of 2832	2612	15978f016058de282291cce05e394fc7.exe	MediaCenter.exe
PID 2612 wrote to memory of 2832	2612	15978f016058de282291cce05e394fc7.exe	MediaCenter.exe
PID 2612 wrote to memory of 2160	2612	15978f016058de282291cce05e394fc7.exe	cmd.exe
PID 2612 wrote to memory of 2160	2612	15978f016058de282291cce05e394fc7.exe	cmd.exe
PID 2612 wrote to memory of 2160	2612	15978f016058de282291cce05e394fc7.exe	cmd.exe
PID 2612 wrote to memory of 2160	2612	15978f016058de282291cce05e394fc7.exe	cmd.exe
PID 2160 wrote to memory of 2536	2160	cmd.exe	PING.EXE
PID 2160 wrote to memory of 2536	2160	cmd.exe	PING.EXE
PID 2160 wrote to memory of 2536	2160	cmd.exe	PING.EXE
PID 2160 wrote to memory of 2536	2160	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\15978f016058de282291cce05e394fc7.exe
"C:\Users\Admin\AppData\Local\Temp\15978f016058de282291cce05e394fc7.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:2832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\15978f016058de282291cce05e394fc7.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
3.9MB

MD5
dc840dbbb5473df0afd843e72dad39f3

SHA1
03e36835aa25b09221998545f3e557a997a3cb3e

SHA256
54c6e07df4a2ffe084cd47225b261ba888bbf006bc0181ae4ee9c3e3a7516e16

SHA512
93412df2911757866feb834e6151aca0fed4e4538330ac04fbea16b5855d1c5299296ff4fb99c084307bf92dd8a5f6ddd6bab866b610fd4e01b544bc4d4876f4

Download Submit