sakula | f00a881478ad56594918e540141374332c15574ad4491d8475a3067db32867dd

Analysis

max time kernel
131s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2023 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b7044d1887a308585a8e27e0c8897c9.exe
Size

80KB
MD5

2b7044d1887a308585a8e27e0c8897c9
SHA1

8baa4f9f57f45e81c2fb211ca8ecbd68a87ccdab
SHA256

f00a881478ad56594918e540141374332c15574ad4491d8475a3067db32867dd
SHA512

c899005c984b2b8e43b210e8eb1cb3910d7179e7080e2fec3c633ce6550eca3ca093534935b0676192f95eb39c2e3bd46dd41d5b1b179006b86d3cd3a60197cb
SSDEEP

1536:hoaj1hJL1S9t0MIeboal8bCKxo7h0RP0jwHVz30rtroO:S0hpgz6xGhTjwHN30BEO

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2b7044d1887a308585a8e27e0c8897c9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	2b7044d1887a308585a8e27e0c8897c9.exe

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1752 MediaCenter.exe

pid	process
1752	MediaCenter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2b7044d1887a308585a8e27e0c8897c9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	2b7044d1887a308585a8e27e0c8897c9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4240 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2b7044d1887a308585a8e27e0c8897c9.exe

description pid process

Token: SeIncBasePriorityPrivilege 736 2b7044d1887a308585a8e27e0c8897c9.exe

pid	process
4240	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	736	2b7044d1887a308585a8e27e0c8897c9.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2b7044d1887a308585a8e27e0c8897c9.execmd.exe

description	pid	process	target process
PID 736 wrote to memory of 1752	736	2b7044d1887a308585a8e27e0c8897c9.exe	MediaCenter.exe
PID 736 wrote to memory of 1752	736	2b7044d1887a308585a8e27e0c8897c9.exe	MediaCenter.exe
PID 736 wrote to memory of 1752	736	2b7044d1887a308585a8e27e0c8897c9.exe	MediaCenter.exe
PID 736 wrote to memory of 3268	736	2b7044d1887a308585a8e27e0c8897c9.exe	cmd.exe
PID 736 wrote to memory of 3268	736	2b7044d1887a308585a8e27e0c8897c9.exe	cmd.exe
PID 736 wrote to memory of 3268	736	2b7044d1887a308585a8e27e0c8897c9.exe	cmd.exe
PID 3268 wrote to memory of 4240	3268	cmd.exe	PING.EXE
PID 3268 wrote to memory of 4240	3268	cmd.exe	PING.EXE
PID 3268 wrote to memory of 4240	3268	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\2b7044d1887a308585a8e27e0c8897c9.exe
"C:\Users\Admin\AppData\Local\Temp\2b7044d1887a308585a8e27e0c8897c9.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:736

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2b7044d1887a308585a8e27e0c8897c9.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3268

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
80KB

MD5
ce6f8f0c846d3121d083da839e7fb294

SHA1
d96eb91a0f5a1d01267ef3e850c1978ae091260c

SHA256
cf2f6e7c4335ab202e66a7141e4988fefc2374c04a0823a1ae15fe78467bf81b

SHA512
d84cb2d463ca1e311dcd0e3587afc9841345325b7effd28a4b0fa4661986fe7fc021ff491cbffe5152fa0496dbe62f5184be775edb552b298ade6c471b039fd1

Download Submit