Malware Analysis Report

2025-01-02 02:54

Sample ID 220224-m81w4sebej
Target b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767
SHA256 b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767
Tags
sakula persistence rat trojan
score
10/10


Analysis Overview

score
10/10

SHA256

b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767

Threat Level: Known bad

The file b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767 was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula

Sakula family

Sakula Payload

Executes dropped EXE

Checks computer location settings

Deletes itself

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-24 11:08

Signatures

Sakula Payload

Description: N/A | Indicator: N/A | Process: N/A | Target: N/A

Sakula family

sakula

Analysis: behavioral3

Detonation Overview

Submitted

2022-02-24 11:08

Reported

2022-02-24 11:11

Platform

win10v2004-en-20220113

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description: N/A | Indicator: N/A | Process: N/A | Target: N/A (2 entries)

Executes dropped EXE

Description: N/A | Indicator: N/A | Process: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | Target: N/A

Checks computer location settings

Description: Key value queried | Indicator: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | Process: C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe | Target: N/A

Adds Run key to start application

persistence
Description: Set value (str) | Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | Process: C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe | Target: N/A

Enumerates physical storage devices

Runs ping.exe

Description: N/A | Indicator: N/A | Process: C:\Windows\SysWOW64\PING.EXE | Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeIncBasePriorityPrivilege | Indicator: N/A | Process: C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe | Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe

"C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country: US | Destination: 8.8.8.8:53 | Domain: citrix.vipreclod.com | Proto: udp (4 entries)
Country: TH | Destination: 184.22.175.13:80 | Domain: (none recorded) | Proto: tcp (2 entries)
Country: DE | Destination: 67.24.27.254:80 | Domain: (none recorded) | Proto: tcp (2 entries)

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 5695b593999e39cd82425b58790baf0f
SHA1 2ad19a745a7769275f740c7aa55b77e33076e1a1
SHA256 f8e5de58e3c14a1b62469ec2efeac0c63c6bd3a200169e249316c99f5a1b887c
SHA512 233fd570b22f14f470983f02b782c8f06cd2d3d28f3f036ed40290d7a33ce5d842575ef31304581bd23d22270c9b844bd5960bfd2414f515d71da58c0bbaf8b3

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-24 11:08

Reported

2022-02-24 11:11

Platform

win7-20220223-en

Max time kernel

4294178s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description: N/A | Indicator: N/A | Process: N/A | Target: N/A (3 entries)

Executes dropped EXE

Description: N/A | Indicator: N/A | Process: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | Target: N/A

Deletes itself

Description: N/A | Indicator: N/A | Process: C:\Windows\SysWOW64\cmd.exe | Target: N/A

Adds Run key to start application

persistence
Description: Set value (str) | Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | Process: C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe | Target: N/A

Enumerates physical storage devices

Runs ping.exe

Description: N/A | Indicator: N/A | Process: C:\Windows\SysWOW64\PING.EXE | Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeIncBasePriorityPrivilege | Indicator: N/A | Process: C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe | Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 1056 wrote to memory of 1940 | Indicator: N/A | Process: C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe | Target: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (4 entries)
Description: PID 1056 wrote to memory of 1700 | Indicator: N/A | Process: C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe | Target: C:\Windows\SysWOW64\cmd.exe (4 entries)
Description: PID 1700 wrote to memory of 2032 | Indicator: N/A | Process: C:\Windows\SysWOW64\cmd.exe | Target: C:\Windows\SysWOW64\PING.EXE (4 entries)

Processes

C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe

"C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country: US | Destination: 8.8.8.8:53 | Domain: citrix.vipreclod.com | Proto: udp
Country: TH | Destination: 184.22.175.13:80 | Domain: (none recorded) | Proto: tcp (2 entries)

Files

memory/1056-54-0x0000000074E61000-0x0000000074E63000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 22b178a1c90f83c2dd53973692de0b53
SHA1 fbc5216b06ee39d7b22537e63db48a9ee9230d72
SHA256 29436fe1cce31180109e412f2387ff8a4b992b73bb9338cd6c853be45f1d8278
SHA512 002da9e67a22357c5e2988a6c14a43b60dc0de3c30875faf67d347efc6abb812784516cd71e5552d9865f06288e8228cf7cde71f1b0f3ae4aca4fbeb516a5f1d

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 22b178a1c90f83c2dd53973692de0b53
SHA1 fbc5216b06ee39d7b22537e63db48a9ee9230d72
SHA256 29436fe1cce31180109e412f2387ff8a4b992b73bb9338cd6c853be45f1d8278
SHA512 002da9e67a22357c5e2988a6c14a43b60dc0de3c30875faf67d347efc6abb812784516cd71e5552d9865f06288e8228cf7cde71f1b0f3ae4aca4fbeb516a5f1d

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-24 11:08

Reported

2022-02-24 11:11

Platform

win10-20220223-en

Max time kernel

143s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description: N/A | Indicator: N/A | Process: N/A | Target: N/A (2 entries)

Executes dropped EXE

Description: N/A | Indicator: N/A | Process: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | Target: N/A

Adds Run key to start application

persistence
Description: Set value (str) | Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | Process: C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe | Target: N/A

Enumerates physical storage devices

Runs ping.exe

Description: N/A | Indicator: N/A | Process: C:\Windows\SysWOW64\PING.EXE | Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeIncBasePriorityPrivilege | Indicator: N/A | Process: C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe | Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe

"C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country: US | Destination: 8.8.8.8:53 | Domain: citrix.vipreclod.com | Proto: udp (4 entries)
Country: TH | Destination: 184.22.175.13:80 | Domain: (none recorded) | Proto: tcp (2 entries)

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 53f3f9789867e56ec8de622edc63505b
SHA1 826cc4b7b379c459078015ab2b6cd2ece2cc4d1f
SHA256 fc79334ba4c21cb1df083d87a9391945c8e538f40d5bbf2741f2cf80c32156e8
SHA512 cdbbb0d58f68cdb34370f7b573ea2cc6e635037980bffc331575ec09e7d8c404437cefe2fd1b2c48c50d0edb9c9ec9dcf8a7f180e994ba601fab8865a23f244d