Malware Analysis Report

2025-01-02 02:56

Sample ID 220224-m9g6dschc7
Target 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f
SHA256 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f
Tags: sakula persistence rat trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f

Threat Level: Known bad

The file 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula family

Sakula

Sakula Payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Deletes itself

Adds Run key to start application

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-24 11:09

Signatures

Sakula Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Sakula family

sakula

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-24 11:09

Reported

2022-02-24 11:12

Platform

win7-20220223-en

Max time kernel

4294206s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1808 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1808 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe | C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 696 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe

"C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.polarroute.com udp
US 204.11.56.48:80 www.polarroute.com tcp
US 8.8.8.8:53 www.northpoleroute.com udp

Files

memory/1808-54-0x0000000075751000-0x0000000075753000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 98da0e8ab25903c5ae4ddffbfb3b6c79
SHA1 583cc6900179de0b282c0c10d28d617c56b2920c
SHA256 6f2babb486fd8f38733e33d4070dd3435c6f7ab9d953d784d8f456fabb1bf5c7
SHA512 2e20b708b38055b8f58d794cb5731fcb35b542a83cbdd5887e9ea8397646dd24bb609db81af1ac29776485e198950627ea2bc06c9770f5586714469cfd9a79a8

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 98da0e8ab25903c5ae4ddffbfb3b6c79
SHA1 583cc6900179de0b282c0c10d28d617c56b2920c
SHA256 6f2babb486fd8f38733e33d4070dd3435c6f7ab9d953d784d8f456fabb1bf5c7
SHA512 2e20b708b38055b8f58d794cb5731fcb35b542a83cbdd5887e9ea8397646dd24bb609db81af1ac29776485e198950627ea2bc06c9770f5586714469cfd9a79a8

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-24 11:09

Reported

2022-02-24 11:12

Platform

win10-20220223-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe

"C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.polarroute.com udp
US 204.11.56.48:80 www.polarroute.com tcp
US 8.8.8.8:53 www.northpoleroute.com udp

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 c2e862da09422df3820d9b409de06941
SHA1 03ebdd05a340aecc1a48370c85e11013061da670
SHA256 5ae04731509be2c1fbb82eacd51cd3c5f512a7b43709ba941f30a1f2182ed744
SHA512 092cb8efcff065d76bc47656a34d41cb17c53f582f4fa7f939210953bc271709681863742989894a7d19687407c475dbc33e496e6cef1f0f20a6adbda2f85fa1

Analysis: behavioral3

Detonation Overview

Submitted

2022-02-24 11:09

Reported

2022-02-24 11:12

Platform

win10v2004-en-20220112

Max time kernel

155s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe

"C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 8.8.8.8:53 www.polarroute.com udp
US 204.11.56.48:80 www.polarroute.com tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
US 52.179.219.14:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 cp801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 www.northpoleroute.com udp

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 282a73d11a00b85f6f164269003ea2bf
SHA1 345816b1cee6644550dc6dfb594325e1306812c4
SHA256 166205190eaa668e7ad67de7e0368de986d9699f4d41f2a3e7f1b39e55b4c9c4
SHA512 f0f84637896eba2019bc90f2c7737095d2a178effef88164c9bc0f45528e5c19dae1d4739a89c37a8655784f2f7bdb7e6eac88c3d7bd9753b09d08c2e6c35e30