sakula | d478e209178aa7b10018e4b0307e48566f1851b9934e13387516f39fe179b9ab

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2023 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b22159318412b6e0ed004b2bb69d57bb.exe
Size

4.5MB
MD5

b22159318412b6e0ed004b2bb69d57bb
SHA1

48f2b5265b83a71541e4a0cb23c796a81dc11856
SHA256

d478e209178aa7b10018e4b0307e48566f1851b9934e13387516f39fe179b9ab
SHA512

6193ab544bf773da09741d604133590c2964b2bb27ff2b612a5934b0010fa3dd658a64231ee3e986ae96b9246b58fa9ba71d75bd99d592b9126a1427bbcfac66
SSDEEP

24576:0+9mrnE2Zjll/6b8h3UZrgEu8CkBW+M3nXvIMfhlG144EE/f5DBMY1:0Y2ZjlkWEZw8Jk+EXvIMfP4FRaY1

Score

10^/10

sakula persistence rat trojan

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b22159318412b6e0ed004b2bb69d57bb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	b22159318412b6e0ed004b2bb69d57bb.exe

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

3652 MediaCenter.exe

pid	process
3652	MediaCenter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b22159318412b6e0ed004b2bb69d57bb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	b22159318412b6e0ed004b2bb69d57bb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4844 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b22159318412b6e0ed004b2bb69d57bb.exe

description pid process

Token: SeIncBasePriorityPrivilege 2560 b22159318412b6e0ed004b2bb69d57bb.exe

pid	process
4844	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	2560	b22159318412b6e0ed004b2bb69d57bb.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

b22159318412b6e0ed004b2bb69d57bb.execmd.exe

description	pid	process	target process
PID 2560 wrote to memory of 3652	2560	b22159318412b6e0ed004b2bb69d57bb.exe	MediaCenter.exe
PID 2560 wrote to memory of 3652	2560	b22159318412b6e0ed004b2bb69d57bb.exe	MediaCenter.exe
PID 2560 wrote to memory of 3652	2560	b22159318412b6e0ed004b2bb69d57bb.exe	MediaCenter.exe
PID 2560 wrote to memory of 4892	2560	b22159318412b6e0ed004b2bb69d57bb.exe	cmd.exe
PID 2560 wrote to memory of 4892	2560	b22159318412b6e0ed004b2bb69d57bb.exe	cmd.exe
PID 2560 wrote to memory of 4892	2560	b22159318412b6e0ed004b2bb69d57bb.exe	cmd.exe
PID 4892 wrote to memory of 4844	4892	cmd.exe	PING.EXE
PID 4892 wrote to memory of 4844	4892	cmd.exe	PING.EXE
PID 4892 wrote to memory of 4844	4892	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\b22159318412b6e0ed004b2bb69d57bb.exe
"C:\Users\Admin\AppData\Local\Temp\b22159318412b6e0ed004b2bb69d57bb.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:3652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\b22159318412b6e0ed004b2bb69d57bb.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
765KB

MD5
8f4ad74a1ca4eaf51be27506bf1763c8

SHA1
ae5c80068faac7bf96b42fce69ffefa6a1d352b0

SHA256
490fe70b2b055ba954e6f7c10e2d9de6359f3a0dded26c1a2ef77dbf439946f5

SHA512
1d95fd1961d10862969a089d7770924baa3b03f6d94a0428da6c0db3f6218028022a4f4ddeb32b5fb6c523491b9a0d751dd9462cc6fb331099c19a7533e5ce15

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
842KB

MD5
d9ee83ef674ce7268657c39d1ef05e4f

SHA1
acb3f0f12bf75077a8913b51d6114f9a09402689

SHA256
130fe259aa13fda078b631a9e637218ba6b48df2efb5a31390127f29313c92d2

SHA512
df2ab0f712d92d02449764f469cbdd6d8d4fce27810d9f5a0ec0084e8307b0e97bbd0802d760d2f63bfdc0a700ec1183c2c6160b23dae08d57e620de836cb29c

Download Submit