Malware Analysis Report

2025-01-02 02:55

Sample ID 220224-m8hersebdq
Target a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06
SHA256 a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06
Tags
sakula persistence rat trojan
score
10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06

Threat Level: Known bad

The file a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06 was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula family

Sakula

Sakula Payload

Executes dropped EXE

Deletes itself

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-24 11:07

Signatures

Sakula Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Sakula family

sakula

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-24 11:07

Reported

2022-02-24 11:10

Platform

win7-en-20211208

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1612 wrote to memory of 820 | N/A | C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1612 wrote to memory of 820 | N/A | C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1612 wrote to memory of 820 | N/A | C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1612 wrote to memory of 820 | N/A | C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1612 wrote to memory of 1156 | N/A | C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe | C:\Windows\SysWOW64\cmd.exe
PID 1612 wrote to memory of 1156 | N/A | C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe | C:\Windows\SysWOW64\cmd.exe
PID 1612 wrote to memory of 1156 | N/A | C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe | C:\Windows\SysWOW64\cmd.exe
PID 1612 wrote to memory of 1156 | N/A | C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe | C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 740 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1156 wrote to memory of 740 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1156 wrote to memory of 740 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1156 wrote to memory of 740 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe

"C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | | tcp
TH | 184.22.175.13:80 | | tcp
TH | 184.22.175.13:80 | | tcp
TH | 184.22.175.13:80 | | tcp

Files

memory/1612-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 0fc31547299648fe96ab85e2015d6842
SHA1 499f2b6df2a1ab51952908a1aa2aa6fd88097158
SHA256 9f1479d2a302d96b2e024f94cc3b3bc077b47d7037b3f811eab23e7d59c95e14
SHA512 08efe9a45add00ae740131f32b4b19d99b0cde1f4440920bf5d1d5fae09411637488ff522441629d71d3949bf77205bf75b92b71205bc1f2778c305a359a7839

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 0fc31547299648fe96ab85e2015d6842
SHA1 499f2b6df2a1ab51952908a1aa2aa6fd88097158
SHA256 9f1479d2a302d96b2e024f94cc3b3bc077b47d7037b3f811eab23e7d59c95e14
SHA512 08efe9a45add00ae740131f32b4b19d99b0cde1f4440920bf5d1d5fae09411637488ff522441629d71d3949bf77205bf75b92b71205bc1f2778c305a359a7839

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 0fc31547299648fe96ab85e2015d6842
SHA1 499f2b6df2a1ab51952908a1aa2aa6fd88097158
SHA256 9f1479d2a302d96b2e024f94cc3b3bc077b47d7037b3f811eab23e7d59c95e14
SHA512 08efe9a45add00ae740131f32b4b19d99b0cde1f4440920bf5d1d5fae09411637488ff522441629d71d3949bf77205bf75b92b71205bc1f2778c305a359a7839

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-24 11:07

Reported

2022-02-24 11:10

Platform

win10-20220223-en

Max time kernel

139s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe

"C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | | tcp
TH | 184.22.175.13:80 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 d9547fb7b67b879c6203d386bf018717
SHA1 4dc8355d2c632e5a5ad166c313c1ba2a0a539333
SHA256 c7ea191bf51d3dbe4bfc656a45e55dd2b37fbf53a8a9f6b5e3a24fae07c7a470
SHA512 c109b637543767029d0603e56ac80339822ba0b542b4627e23abd78dc6fdde1c68881500c7239377ad30e5e8f917f19876429627cf43e381b8ef91b879d1541f

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 d9547fb7b67b879c6203d386bf018717
SHA1 4dc8355d2c632e5a5ad166c313c1ba2a0a539333
SHA256 c7ea191bf51d3dbe4bfc656a45e55dd2b37fbf53a8a9f6b5e3a24fae07c7a470
SHA512 c109b637543767029d0603e56ac80339822ba0b542b4627e23abd78dc6fdde1c68881500c7239377ad30e5e8f917f19876429627cf43e381b8ef91b879d1541f

Analysis: behavioral3

Detonation Overview

Submitted

2022-02-24 11:07

Reported

2022-02-24 11:10

Platform

win10v2004-en-20220112

Max time kernel

131s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe

"C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.238.20.254:80 | | tcp
US | 8.238.20.254:80 | | tcp
NL | 104.80.224.57:443 | | tcp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | geo.prod.do.dsp.mp.microsoft.com | udp
IE | 51.104.162.168:443 | geo.prod.do.dsp.mp.microsoft.com | tcp
US | 8.8.8.8:53 | kv801.prod.do.dsp.mp.microsoft.com | udp
NL | 184.29.205.60:443 | kv801.prod.do.dsp.mp.microsoft.com | tcp
US | 8.8.8.8:53 | cp801.prod.do.dsp.mp.microsoft.com | udp
NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp
NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | | tcp
TH | 184.22.175.13:80 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 45da7f49a36c0a15ab325674d8ca8382
SHA1 1d609d979aa00a969dd83227ef20bc71dc8d3017
SHA256 f927a971c5282c59f6ca94eb1086a323fc53cb9b354a446a0f58325e8bcdc46b
SHA512 aaabffff54efb518a998342d8c32c61c709a331db308175443064fd246170a3eb8c1cd583c8beaeab5561eb8d07c33e2c198dec1889454583a1cc60cf9cfd888

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 45da7f49a36c0a15ab325674d8ca8382
SHA1 1d609d979aa00a969dd83227ef20bc71dc8d3017
SHA256 f927a971c5282c59f6ca94eb1086a323fc53cb9b354a446a0f58325e8bcdc46b
SHA512 aaabffff54efb518a998342d8c32c61c709a331db308175443064fd246170a3eb8c1cd583c8beaeab5561eb8d07c33e2c198dec1889454583a1cc60cf9cfd888