Malware Analysis Report

2025-01-02 02:52

Sample ID 220320-gnyclahgf3
Target 280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7
SHA256 280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7
Tags
sakula persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7

Threat Level: Known bad

The file 280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7 was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula

Executes dropped EXE

Deletes itself

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Runs ping.exe

Suspicious use of WriteProcessMemory

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-20 05:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-20 05:57

Reported

2022-03-20 21:21

Platform

win7-20220311-en

Max time kernel

4294195s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe"

Signatures

Sakula

trojan rat sakula

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 972 wrote to memory of 1696 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 1672 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 1980 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 1020 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1672 wrote to memory of 1932 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1696 wrote to memory of 1476 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe

"C:\Users\Admin\AppData\Local\Temp\280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
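The process tree above is the whole infection chain: the sample spawns three cmd.exe instances, one to register MediaCenter.exe under the Run key through a 32-bit reg.exe (which is why the sandbox records the write under Wow6432Node although the command line names HKLM\Software\...), one to launch the dropped EXE, and one to delete the original file after a ping delay. The Python below is an added example, not part of this report or of any sandbox, that turns those three behaviours into detection logic over process-creation and registry events. The event records are constructed here from the PIDs and command lines in the tables above; the field names, the helper names, and the sample's own parent PID (not in the report, so left as None) are our own.

```python
"""Detection logic for the dropper chain recorded in behavioral1: a 32-bit
reg.exe adding a Run value, a cmd.exe 'ping 127.0.0.1 & del' self-delete,
and execution of a dropped EXE from the user's Temp directory."""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
CMD, REG, PING = (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\reg.exe",
                  r"C:\Windows\SysWOW64\PING.EXE")

# Constructed process-creation events transcribed from the behavioral1 process
# tree (PIDs from the WriteProcessMemory table). Field names are ours, not a
# sandbox or Sysmon schema; the sample's parent PID is not in the report.
EVENTS = [
    {"pid": 972, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1696, "ppid": 972, "image": CMD, "cmdline":
     r'cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
     f' /v "MicroMedia" /t REG_SZ /d "{DROPPED}"'},
    {"pid": 1672, "ppid": 972, "image": CMD, "cmdline": f'cmd.exe /c "{DROPPED}"'},
    {"pid": 1980, "ppid": 972, "image": CMD,
     "cmdline": f'cmd.exe /c ping 127.0.0.1 & del "{SAMPLE}"'},
    {"pid": 1476, "ppid": 1696, "image": REG, "cmdline":
     r'reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
     f' /v "MicroMedia" /t REG_SZ /d "{DROPPED}"'},
    {"pid": 1932, "ppid": 1672, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 1020, "ppid": 1980, "image": PING, "cmdline": "ping 127.0.0.1"},
]
# The registry write as the sandbox recorded it: the 32-bit reg.exe asked for
# HKLM\Software\... but the write landed under Wow6432Node.
REG_EVENTS = [{"pid": 1476, "op": "SetValue", "data": DROPPED, "path":
    r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia"}]

HIVES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU",
         "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
RUN_KEY_RE = re.compile(r"\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN(ONCE)?$")
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
REG_ADD_RE = re.compile(r'\breg(?:\.exe)?\s+add\s+"?(?P<key>[^"\s]+)"?(?P<rest>.*)',
                        re.IGNORECASE)
# ping-to-localhost as a sleep, then del of an .exe (optionally with /f /q switches)
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:-n\s+\d+\s+)?127\.0\.0\.1[^&]*&+\s*del\s+(?:/[a-z]\s+)*"?'
    r'(?P<target>[^"&]+?\.exe)"?\s*$', re.IGNORECASE)


def normalize_reg_path(path):
    """Canonical form so a command-line key and the kernel object path the
    sandbox logged compare equal: map hive prefixes to HKLM/HKU/HKCU, drop the
    Wow6432Node component that 32-bit processes are redirected into, upper-case."""
    p = path.strip().strip('"')
    for prefix, short in HIVES.items():
        if p.upper().startswith(prefix):
            p = short + p[len(prefix):]
            break
    p = re.sub(r"\\Wow6432Node(?=\\)", "", p, flags=re.IGNORECASE)
    return p.upper()


def is_run_key(path):
    return bool(RUN_KEY_RE.search(normalize_reg_path(path)))


def parse_reg_add(cmdline):
    """Return {key, name, type, data} for a 'reg add' command line, else None."""
    m = REG_ADD_RE.search(cmdline)
    if not m:
        return None
    opts = {k.lower(): v.strip('"') for k, v in
            re.findall(r'/([vtd])\s+("[^"]*"|\S+)', m.group("rest"), re.IGNORECASE)}
    return {"key": m.group("key"), "name": opts.get("v"),
            "type": opts.get("t"), "data": opts.get("d")}


def lineage(pid, by_pid):
    """Lower-cased images of pid and its ancestors; stops at an unknown parent."""
    images, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        images.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return images


def analyze(events, reg_events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        cmd, parent = e["cmdline"], by_pid.get(e["ppid"])
        m = SELF_DELETE_RE.search(cmd)
        if m:   # self-delete is confirmed when the deleted file is an ancestor's image
            target = m.group("target")
            findings.append({"rule": "self_delete", "pid": e["pid"], "target": target,
                             "deletes_ancestor": target.lower() in lineage(e["ppid"], by_pid)})
        ra = parse_reg_add(cmd)
        if ra and is_run_key(ra["key"]):
            findings.append({"rule": "run_key_persistence", "pid": e["pid"],
                             "value_name": ra["name"], "data": ra["data"],
                             "payload_in_user_temp": bool(USER_TEMP_RE.search(ra["data"] or ""))})
        if USER_TEMP_RE.search(e["image"]) and parent and parent["image"].lower().endswith("\\cmd.exe"):
            findings.append({"rule": "dropped_exe_from_temp", "pid": e["pid"], "image": e["image"]})
    for r in reg_events:   # match the redirected Wow6432Node write to the same Run key
        key, _, name = r["path"].rpartition("\\")
        if is_run_key(key):
            findings.append({"rule": "run_value_written", "pid": r["pid"], "value_name": name,
                             "key": normalize_reg_path(key), "data": r["data"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS, REG_EVENTS):
        print(finding)
```

The registry normalisation is the part worth keeping: a rule that compares the raw `HKLM\Software\...\Run` text from the command line against the `\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\...` path in the registry event never matches, and the same applies when hunting for this persistence on a live 64-bit host, where both the native and the Wow6432Node Run keys have to be queried.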

Network

Country Destination Domain Proto
US 8.8.8.8:53 vpn.premrera.com udp
US 208.91.197.27:443 vpn.premrera.com tcp (8 connections)

Files

memory/972-54-0x00000000760A1000-0x00000000760A3000-memory.dmp

memory/972-55-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (recorded four times, twice with the drive letter omitted; all four entries carry the same hashes)

MD5 43538c79814a61bd1141e791048705ae
SHA1 1999162d5fd2295fb01d6ae83b729dc3f67cf398
SHA256 2dba1a5af19ce59338da6489f7dd9ebdab90275f8d52623f2e4a8c3ec4b48c23
SHA512 35ec806d0368fdc226b8efa667c3c5dbed87a11ef61d9831776d92d0bc27945da1970b63c7153080521765a05735a7cd907c4fd29fe4bd133e610148d1e7bf98

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-20 05:57

Reported

2022-03-20 21:20

Platform

win10v2004-20220310-en

Max time kernel

147s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe"

Signatures

Sakula

trojan rat sakula

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{C579840E-7AAB-4BE5-878F-E9F2F0A572D9}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{6E7307F9-E79A-441A-A7F5-77E96C761E3C}.catalogItem C:\Windows\System32\svchost.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3464 wrote to memory of 3016 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe C:\Windows\SysWOW64\cmd.exe
PID 3464 wrote to memory of 3984 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe C:\Windows\SysWOW64\cmd.exe
PID 3464 wrote to memory of 2448 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 3764 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2448 wrote to memory of 3744 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3984 wrote to memory of 3716 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Processes

C:\Users\Admin\AppData\Local\Temp\280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe

"C:\Users\Admin\AppData\Local\Temp\280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\280622602950739b9b13be1aa783a895f674e85d0dccf78d6350bcaa214361a7.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp (2 connections)
US 8.8.8.8:53 licensing.mp.microsoft.com udp (3 lookups)
US 20.96.63.25:443 licensing.mp.microsoft.com tcp (3 connections)
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
NL 104.80.225.205:443 storesdk.dsx.mp.microsoft.com tcp (2 connections)
NL 13.69.109.131:443 tcp
US 8.8.8.8:53 vpn.premrera.com udp
US 208.91.197.27:443 vpn.premrera.com tcp (6 connections)

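Both detonations resolve vpn.premrera.com and then connect repeatedly to 208.91.197.27:443, while the licensing.mp.microsoft.com and storesdk.dsx.mp.microsoft.com traffic, like the svchost.exe InstallService writes reported under "Drops file in System32 directory", appears only on the win10 image and is consistent with Windows Store background activity rather than the sample. The dropped MediaCenter.exe also carries different hashes in the two runs (compare the two Files sections), so the domain, the IP and the Run value name are the stable indicators here, not the dropped-file hash. The Python below is an added example, not the report's own tooling, that parses the two network tables as the sandbox recorded them (one row per connection or lookup), separates resolver lookups, assumed OS background traffic and unresolved connections from candidate C2, and intersects the two runs. The allowlist suffix, the treatment of 8.8.8.8 as the sandbox resolver and the classification labels are our assumptions.

```python
"""Turn the flattened Network tables of the two detonations into indicators,
separating the sample's own traffic from Windows background activity."""
import re
from collections import Counter

# Constructed input: the raw rows of the two Network tables, one row per
# connection or lookup as the sandbox recorded them.
BEHAVIORAL1 = """
US 8.8.8.8:53 vpn.premrera.com udp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
"""
BEHAVIORAL2 = """
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 licensing.mp.microsoft.com udp
US 20.96.63.25:443 licensing.mp.microsoft.com tcp
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
NL 104.80.225.205:443 storesdk.dsx.mp.microsoft.com tcp
US 8.8.8.8:53 licensing.mp.microsoft.com udp
US 20.96.63.25:443 licensing.mp.microsoft.com tcp
NL 13.69.109.131:443 tcp
NL 104.80.225.205:443 storesdk.dsx.mp.microsoft.com tcp
US 8.8.8.8:53 licensing.mp.microsoft.com udp
US 20.96.63.25:443 licensing.mp.microsoft.com tcp
US 8.8.8.8:53 vpn.premrera.com udp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
"""

# "CC ip:port [domain] proto"; the domain column is empty for unresolved peers
ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
                    r"\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$")
RESOLVERS = {"8.8.8.8"}   # assumption: the sandbox's DNS resolver, not a C2 peer
# Assumed allowlist for Windows Store / licensing background traffic (ours, not the report's)
OS_BACKGROUND_SUFFIXES = (".mp.microsoft.com",)


def parse_table(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def classify(row):
    """One of dns_lookup, os_background, unresolved, candidate_c2."""
    if row["ip"] in RESOLVERS and row["port"] == 53 and row["proto"] == "udp":
        return "dns_lookup"
    if row["domain"] is None:
        return "unresolved"
    if row["domain"].lower().endswith(OS_BACKGROUND_SUFFIXES):
        return "os_background"
    return "candidate_c2"


def summarize(rows):
    """Collapse repeated rows into (ip, port, proto, domain) -> count."""
    return Counter((r["ip"], r["port"], r["proto"], r["domain"]) for r in rows)


def extract_iocs(rows):
    """Domains and IPs worth blocking, plus unresolved peers needing manual review."""
    domains, ips, review = set(), set(), set()
    for r in rows:
        kind = classify(r)
        if kind == "candidate_c2":
            domains.add(r["domain"].lower())
            ips.add(r["ip"])
        elif kind == "dns_lookup" and r["domain"] and \
                not r["domain"].lower().endswith(OS_BACKGROUND_SUFFIXES):
            domains.add(r["domain"].lower())   # a lookup alone still names the C2 domain
        elif kind == "unresolved":
            review.add(f'{r["ip"]}:{r["port"]}')
    return {"domains": domains, "ips": ips, "review": review}


def shared_destinations(rows_a, rows_b):
    """Destinations seen in both detonations: OS noise differs between the win7
    and win10 images, while the sample's own C2 recurs in every run."""
    return set(summarize(rows_a)) & set(summarize(rows_b))


def defang(ioc):
    return ioc.replace(".", "[.]")


if __name__ == "__main__":
    b1, b2 = parse_table(BEHAVIORAL1), parse_table(BEHAVIORAL2)
    print("shared:", shared_destinations(b1, b2))
    for name, iocs in (("behavioral1", extract_iocs(b1)), ("behavioral2", extract_iocs(b2))):
        print(name, {k: sorted(defang(v) for v in vals) for k, vals in iocs.items()})
```

The unresolved peers on the win10 run (93.184.220.29:80 and 13.69.109.131:443) are deliberately kept out of the block list and reported for review: they have no domain in the report and do not recur in the win7 run, so the page gives no basis for treating them as the sample's infrastructure.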
Files

memory/3464-134-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (recorded twice with identical hashes)

MD5 410422fe8bff1a11fd69980ea879fa4f
SHA1 3743d56d27603e856377660c98d5f63dcc6cf9a8
SHA256 e22ee7b25c493600004b75b2039426f50ae30b2e845f8c417b4aa9a9cc7d12fd
SHA512 e243a77ea7d6c4d69ab485463bbfe105ca133b3f847ec88605fa4fdf5c261602ec44dad8790f8bb05bd674917880c59dcaaa31695cef81b4e4ac0f6910c2b281

memory/3716-137-0x0000000000400000-0x000000000040B000-memory.dmp