Malware Analysis Report

2025-01-02 02:58

Sample ID 220323-ljlv8agbcn
Target 9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e
SHA256 9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e
Tags
sakula persistence rat trojan
score
10/10


Analysis Overview

score
10/10

SHA256

9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e

Threat Level: Known bad

The file 9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula Payload

Sakula family

Sakula

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Deletes itself

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-23 09:33

Signatures

Sakula Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Sakula family

sakula

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-23 09:33

Reported

2022-03-23 09:40

Platform

win7-20220310-en

Max time kernel

4294196s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 856 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 856 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 856 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 856 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 856 wrote to memory of 1548 | N/A | C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe | C:\Windows\SysWOW64\cmd.exe
PID 856 wrote to memory of 1548 | N/A | C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe | C:\Windows\SysWOW64\cmd.exe
PID 856 wrote to memory of 1548 | N/A | C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe | C:\Windows\SysWOW64\cmd.exe
PID 856 wrote to memory of 1548 | N/A | C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe | C:\Windows\SysWOW64\cmd.exe
PID 1548 wrote to memory of 556 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1548 wrote to memory of 556 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1548 wrote to memory of 556 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1548 wrote to memory of 556 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe

"C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | - | tcp
TH | 184.22.175.13:80 | - | tcp

Files

memory/856-54-0x0000000075CA1000-0x0000000075CA3000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 56d8cbefa3586bf8475a689dd4b1cd0f
SHA1 303d63e77cc792cf602f21f403e97823bbc7669d
SHA256 7372099220b2d6e9b6735fbfe14a03716616dd5c76111e3762bcbf9713104569
SHA512 367d543c43165471e18a3afde4b1e4d69867f548e83fe795271995379e147a587ee11d7f4002dcfb8f6299f9d305e89b21ee37fe0be50a31f8893982316472a5

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 56d8cbefa3586bf8475a689dd4b1cd0f
SHA1 303d63e77cc792cf602f21f403e97823bbc7669d
SHA256 7372099220b2d6e9b6735fbfe14a03716616dd5c76111e3762bcbf9713104569
SHA512 367d543c43165471e18a3afde4b1e4d69867f548e83fe795271995379e147a587ee11d7f4002dcfb8f6299f9d305e89b21ee37fe0be50a31f8893982316472a5

memory/1960-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 56d8cbefa3586bf8475a689dd4b1cd0f
SHA1 303d63e77cc792cf602f21f403e97823bbc7669d
SHA256 7372099220b2d6e9b6735fbfe14a03716616dd5c76111e3762bcbf9713104569
SHA512 367d543c43165471e18a3afde4b1e4d69867f548e83fe795271995379e147a587ee11d7f4002dcfb8f6299f9d305e89b21ee37fe0be50a31f8893982316472a5

memory/1548-60-0x0000000000000000-mapping.dmp

memory/556-61-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-23 09:33

Reported

2022-03-23 09:41

Platform

win10v2004-20220310-en

Max time kernel

164s

Max time network

169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe

"C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\9e975ba0e67a3a13556a92152af9d9d7b1443aebde4332c54b63bb8e05ae3a0e.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 93.184.220.29:80 | - | tcp
US | 8.8.8.8:53 | licensing.mp.microsoft.com | udp
US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp
NL | 104.80.225.205:443 | storesdk.dsx.mp.microsoft.com | tcp
US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp
US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp
US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | - | tcp
TH | 184.22.175.13:80 | - | tcp

Files

memory/5028-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 674ace169e348ea908cc1ee992285155
SHA1 240e622550bde8509b8b1b02c3901a5a60c9fdd2
SHA256 f54229335490bbf67a06c718bbe825fa29b2b807b5ff6d8595f46af9026c9cfa
SHA512 2a24f79f6c2218e306d189a971f7642319c206c46582502b1c4a372ed4eb46542d953e7d72146502ac0e8e0e8d4d8abdf695e6849571e5b8dae4d8a287e1f1cc

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 674ace169e348ea908cc1ee992285155
SHA1 240e622550bde8509b8b1b02c3901a5a60c9fdd2
SHA256 f54229335490bbf67a06c718bbe825fa29b2b807b5ff6d8595f46af9026c9cfa
SHA512 2a24f79f6c2218e306d189a971f7642319c206c46582502b1c4a372ed4eb46542d953e7d72146502ac0e8e0e8d4d8abdf695e6849571e5b8dae4d8a287e1f1cc

memory/3336-137-0x0000000000000000-mapping.dmp

memory/760-138-0x0000000000000000-mapping.dmp