Malware Analysis Report

2025-01-02 02:57

Sample ID: 220224-m9mqwaebep
Target: 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa
SHA256: 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa
Tags: sakula persistence rat trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa

Threat Level: Known bad

The file 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula family

Sakula Payload

Sakula

Executes dropped EXE

Checks computer location settings

Deletes itself

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-02-24 11:10

Signatures

Sakula Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Sakula family

sakula

Analysis: behavioral1

Detonation Overview

Submitted: 2022-02-24 11:09

Reported: 2022-02-24 11:12

Platform: win7-20220223-en

Max time kernel: 4294182s

Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1692 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1692 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 1280 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe

"C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | | tcp

Files

memory/1692-54-0x0000000076731000-0x0000000076733000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 d47d2dbf6dac4a6e63177740c1997b9e
SHA1 d6fdec33c9cc89892c9cc16217471d48a48cb132
SHA256 99412832c2597154e7d28d2e71839322d83c400ab4929be2f62284a1860f6e6e
SHA512 59528be3bbe877ea67d57567553f0a7b8e769738af4fb4a9ec6b329339e90283a611cec473236de937552570e4a25d8425e090a86f5dd7101276b67b84826fab

Analysis: behavioral2

Detonation Overview

Submitted: 2022-02-24 11:09

Reported: 2022-02-24 11:12

Platform: win10-en-20211208

Max time kernel: 146s

Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe

"C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 a6fcda567f3ffe12d8338498968404af
SHA1 34890d1bfbcbbf0438082d51dc7dbf4c63c22b23
SHA256 b455783a2d6ce87a8efafb90b90d7dd1ce462798b49f495e22be278c560da872
SHA512 8b32dfc8f9154b398938006a9652cadc3e5bce6d643e37843f8c849a0c3ef277cc93047b52806522df975522e5c63a59f7b3b57bd2a792b45603a92cd251041e

Analysis: behavioral3

Detonation Overview

Submitted: 2022-02-24 11:09

Reported: 2022-02-24 11:12

Platform: win10v2004-en-20220113

Max time kernel: 137s

Max time network: 141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe

"C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
NL | 104.110.191.140:80 | | tcp
TH | 184.22.175.13:80 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 09a30137ce61df288e18c8428e6bfffe
SHA1 8a8a1b16a783a0902ccb02d76ac7b4b04d9dc359
SHA256 dd5db5e5f740959c4844f38926e57b68acddb1b65c3eb0de05c14a578b84b7de
SHA512 6d8cb3b28034d3cb1c82b15fe5474795840a409a54274f3ec8f37c46d0c883f8848c41e8bd42405e197187bb25c6112cd7a69cf743921e60cd067469c8fc6c54