Malware Analysis Report

2024-12-07 22:06

Sample ID 220323-ljlv8abgd2
Target 68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745
SHA256 68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745
Tags
sakula persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745

Threat Level: Known bad

The file 68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745 was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula family

Sakula Payload

Sakula

Executes dropped EXE

Checks computer location settings

Deletes itself

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-23 09:33

Signatures

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A

Sakula family

sakula

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-23 09:33

Reported

2022-03-23 09:43

Platform

win7-20220310-en

Max time kernel

4294192s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Users\Admin\AppData\Local\Temp\68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1500 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1500 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745.exe C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745.exe

"C:\Users\Admin\AppData\Local\Temp\68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 citrix.vipreclod.com udp
TH 184.22.175.13:80 tcp

Files

memory/1500-54-0x0000000075AA1000-0x0000000075AA3000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 e3d168fdc4fcfc97d34a414b3c6cc5e8
SHA1 e58a1b82ab38a42bff3abb18509b5044bfc2adec
SHA256 8b4a3a200a3fb972bb319850d4ec3f90b3ae55b32e8b2406d392d056d70f0066
SHA512 37434f782ab0d48b42330ff62dabaf9508ccb425de462f2603a4e490cdb51db97f44102c7394ea95799a2dd9b824dd74aff6f1b4754811538ab219a222fa451c

memory/628-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 e3d168fdc4fcfc97d34a414b3c6cc5e8
SHA1 e58a1b82ab38a42bff3abb18509b5044bfc2adec
SHA256 8b4a3a200a3fb972bb319850d4ec3f90b3ae55b32e8b2406d392d056d70f0066
SHA512 37434f782ab0d48b42330ff62dabaf9508ccb425de462f2603a4e490cdb51db97f44102c7394ea95799a2dd9b824dd74aff6f1b4754811538ab219a222fa451c

memory/1700-60-0x0000000000000000-mapping.dmp

memory/608-61-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-23 09:33

Reported

2022-03-23 09:44

Platform

win10v2004-20220310-en

Max time kernel

168s

Max time network

179s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Users\Admin\AppData\Local\Temp\68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745.exe

"C:\Users\Admin\AppData\Local\Temp\68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\68fa207396aceaa34681470cd5d195a463d60bb5b22b7eb5de9cd08b7593e745.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
US 8.8.8.8:53 citrix.vipreclod.com udp
NL 104.110.191.140:80 tcp
US 8.8.8.8:53 licensing.mp.microsoft.com udp
US 20.96.63.25:443 licensing.mp.microsoft.com tcp
US 8.8.8.8:53 citrix.vipreclod.com udp
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
NL 104.80.225.205:443 storesdk.dsx.mp.microsoft.com tcp
US 8.8.8.8:53 licensing.mp.microsoft.com udp
US 20.96.63.25:443 licensing.mp.microsoft.com tcp
NL 104.80.225.205:443 storesdk.dsx.mp.microsoft.com tcp
US 20.96.63.25:443 licensing.mp.microsoft.com tcp
US 8.8.8.8:53 citrix.vipreclod.com udp
US 8.8.8.8:53 citrix.vipreclod.com udp
TH 184.22.175.13:80 tcp
US 8.8.8.8:53 store-images.s-microsoft.com udp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
US 8.8.8.8:53 licensing.mp.microsoft.com udp
US 20.96.63.25:443 licensing.mp.microsoft.com tcp
US 8.8.8.8:53 tsfe.trafficshaping.dsp.mp.microsoft.com udp
IE 20.54.110.119:443 tsfe.trafficshaping.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 dl.delivery.mp.microsoft.com udp
US 209.197.3.8:80 dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 tlu.dl.delivery.mp.microsoft.com udp
NL 104.110.191.136:80 tlu.dl.delivery.mp.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 b1b9f21e43caab08a344476f11ca7d82
SHA1 7f19a400cd78d6f3e4b75f366714af141438bb4e
SHA256 15b679c3b8606fc0e3929c61c75e430d401bfa1fa4c54aa55c92bed48f5e0902
SHA512 3b6c5f7b2626eaf03bbfb5faa9f21ba1f98c5f979ac5b74b37abfaf5a862d1d8f926a15cef8692d1fde8d75c964a9ce77e6b47d76129647c6758c6db18219242

memory/1424-134-0x0000000000000000-mapping.dmp

memory/3784-137-0x0000000000000000-mapping.dmp

memory/3324-138-0x0000000000000000-mapping.dmp