sakula | 1bd433962f23ac292f0e28f5c97cee817a4ad0d7462e50f4b7dde0974a587a3c

Resubmissions

13-01-2025 03:28

250113-d1f3astlgw 10

12-01-2025 13:08

250112-qdqdnstkdz 10

Analysis

max time kernel
890s
max time network
888s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bd433962f23ac292f0e28f5c97cee817a4ad0d7462e50f4b7dde0974a587a3c.exe
Size

63KB
MD5

c798e56eadccbe80c166b9b7bfceaf05
SHA1

60a9a6db2cabaec6476544dd1e9ddf2256c3497d
SHA256

1bd433962f23ac292f0e28f5c97cee817a4ad0d7462e50f4b7dde0974a587a3c
SHA512

f3269d5a59f6f6d7817be2ee9a7c8954642c90df2fea3ffe9ac221d33925595ed48c22f4c2c69ecbd1a6691d7c45e8f417a874a6c3b2cca96f5fe0e41f7c97b8
SSDEEP

1536:zoxBP0D61Oj3+5FdOa52C8pdo95j6hZ2MzNDCkrs:0PPUj3+5FMIn8To94wa7s

Score

10^/10

sakula discovery persistence rat trojan upx

Malware Config

Extracted

Family

sakula

www.polarroute.com

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula
Sakula family
sakula

Sakula payload 3 IoCs

resource	yara_rule
behavioral1/memory/2908-1-0x0000000000400000-0x0000000000424000-memory.dmp	family_sakula
behavioral1/memory/3024-13-0x0000000000400000-0x0000000000424000-memory.dmp	family_sakula
behavioral1/memory/2908-21-0x0000000000400000-0x0000000000424000-memory.dmp	family_sakula

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3024	MediaCenter.exe

Loads dropped DLL 1 IoCs

pid	Process
2908	1bd433962f23ac292f0e28f5c97cee817a4ad0d7462e50f4b7dde0974a587a3c.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	1bd433962f23ac292f0e28f5c97cee817a4ad0d7462e50f4b7dde0974a587a3c.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2908-1-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/files/0x0009000000015d6e-5.dat	upx
behavioral1/memory/3024-7-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/3024-13-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2908-21-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1bd433962f23ac292f0e28f5c97cee817a4ad0d7462e50f4b7dde0974a587a3c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MediaCenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2676	cmd.exe
2632	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2632	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2908	1bd433962f23ac292f0e28f5c97cee817a4ad0d7462e50f4b7dde0974a587a3c.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 3024	2908	1bd433962f23ac292f0e28f5c97cee817a4ad0d7462e50f4b7dde0974a587a3c.exe	28
PID 2908 wrote to memory of 3024	2908	1bd433962f23ac292f0e28f5c97cee817a4ad0d7462e50f4b7dde0974a587a3c.exe	28
PID 2908 wrote to memory of 3024	2908	1bd433962f23ac292f0e28f5c97cee817a4ad0d7462e50f4b7dde0974a587a3c.exe	28
PID 2908 wrote to memory of 3024	2908	1bd433962f23ac292f0e28f5c97cee817a4ad0d7462e50f4b7dde0974a587a3c.exe	28
PID 2908 wrote to memory of 2676	2908	1bd433962f23ac292f0e28f5c97cee817a4ad0d7462e50f4b7dde0974a587a3c.exe	32
PID 2908 wrote to memory of 2676	2908	1bd433962f23ac292f0e28f5c97cee817a4ad0d7462e50f4b7dde0974a587a3c.exe	32
PID 2908 wrote to memory of 2676	2908	1bd433962f23ac292f0e28f5c97cee817a4ad0d7462e50f4b7dde0974a587a3c.exe	32
PID 2908 wrote to memory of 2676	2908	1bd433962f23ac292f0e28f5c97cee817a4ad0d7462e50f4b7dde0974a587a3c.exe	32
PID 2676 wrote to memory of 2632	2676	cmd.exe	34
PID 2676 wrote to memory of 2632	2676	cmd.exe	34
PID 2676 wrote to memory of 2632	2676	cmd.exe	34
PID 2676 wrote to memory of 2632	2676	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\1bd433962f23ac292f0e28f5c97cee817a4ad0d7462e50f4b7dde0974a587a3c.exe
C:\Users\Admin\AppData\Local\Temp\1bd433962f23ac292f0e28f5c97cee817a4ad0d7462e50f4b7dde0974a587a3c.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3024
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1bd433962f23ac292f0e28f5c97cee817a4ad0d7462e50f4b7dde0974a587a3c.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
63KB

MD5
3b4a0ece8a304dc22daddd870badbdd8

SHA1
c92e66960e198decee58b4d2e64ec494a6cb0897

SHA256
8d5219ce8694fab28d3d1911e3aae6f41dbfe3b47aa21ef12ee2625ef37233c0

SHA512
b8ecb7dce3c7bc6304a9d868b951700395a2a60dc6a6e0aea65c0269426b8981b7bb530a7fae5620f5c406e9849226eea8cbbf4d0c19fb3d1113158398a03268

Download Submit
memory/2908-1-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2908-6-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2908-12-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2908-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3024-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3024-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads