Malware Analysis Report

2025-01-02 02:52

Sample ID 220323-ljw17agbdk
Target 2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825
SHA256 2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825
Tags
sakula persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825

Threat Level: Known bad

The file 2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825 was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula

Executes dropped EXE

Deletes itself

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-23 09:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-23 09:34

Reported

2022-03-23 09:40

Platform

win7-20220311-en

Max time kernel

4294198s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825.exe"

Signatures

Sakula

trojan rat sakula

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Users\Admin\AppData\Local\Temp\2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825.exe N/A

The value lands under Wow6432Node because the sample is a 32-bit process writing to HKLM on a 64-bit OS. An HKLM Run write needs administrative rights; it succeeded here because the sandbox runs the sample as Admin, so on a non-elevated host check the HKCU Run key for the same MicroMedia value name as well.

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1248 wrote to memory of 1328 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1248 wrote to memory of 1984 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825.exe C:\Windows\SysWOW64\cmd.exe
PID 1984 wrote to memory of 1512 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Every group of writes is a parent writing into a child it has just created, and the same four-write pattern appears for cmd.exe spawning PING.EXE, which performs no injection. Parent-to-child writes at process creation are typically CreateProcess populating the new process, so this signature on its own is not evidence of code injection; the self-deletion through cmd.exe and the Run key write are the stronger indicators in this report.

Processes

C:\Users\Admin\AppData\Local\Temp\2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825.exe

"C:\Users\Admin\AppData\Local\Temp\2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

The command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: the sample is a 32-bit process, so file-system redirection maps its System32 references to SysWOW64, just as registry redirection put its Run value under Wow6432Node. The ping of 127.0.0.1 is only a delay, so that del /q runs after the dropper has exited and its image is no longer locked; the dropped MediaCenter.exe, already persisted through the Run key, is what remains on disk.
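The three behaviours recorded above (self-deletion through cmd.exe and ping, a Run value pointing into %TEMP%, and a dropped EXE launched from %TEMP%) as detection logic run over a constructed, Sysmon-style event stream. This is an added example, not sandbox output or code from the report: the event classes, field names, rule names and the explorer.exe parent of the first process are assumptions, while the paths, PIDs, command lines and registry key are copied from behavioral1 above. The self-delete rule is written more generally than the single command line seen here (ping -n N, && and extra del switches are accepted).

```python
"""Detection logic for the behavioral1 process tree above, run over a constructed
Sysmon-style event stream (added example; event layout and rule names are assumptions)."""
import re
from dataclasses import dataclass

# Paths and registry key copied from the report.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825.exe"
DROPPED_EXE = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia"

# Directories any user can write to; an autostart or parent/child chain rooted here is suspect.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")

@dataclass
class ProcessCreate:          # Sysmon event 1 (field names assumed)
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent_image: str

@dataclass
class RegistrySet:            # Sysmon event 13 (field names assumed)
    pid: int
    image: str
    target: str               # key path including the value name
    details: str              # data written

def normalize_path(p):
    """Lower-case, drop quotes and undo WOW64 file-system redirection so the logged
    image C:\\Windows\\SysWOW64\\cmd.exe compares equal to the C:\\Windows\\System32\\cmd.exe
    that a 32-bit parent put on the command line."""
    p = p.strip().strip('"').lower()
    return p.replace("\\syswow64\\", "\\system32\\")

# cmd /c ping <host> & del [/q /f /a] "<file>"  (with or without -n N, && or &, quotes)
SELF_DELETE_RE = re.compile(
    r'cmd(?:\.exe)?"?\s+/c\s+ping\s+(?:-n\s+\d+\s+)?\S+\s*&+\s*del\s+(?:/[qfa]\s+)*"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)

RUN_KEY_RE = re.compile(
    r"^(?P<hive>\\registry\\machine|\\registry\\user\\[^\\]+|hklm|hkey_local_machine|hkcu|hkey_current_user|hku\\[^\\]+)"
    r"\\software\\(?P<wow>wow6432node\\)?microsoft\\windows\\currentversion\\run(?:once)?\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)

def find_self_deletion(events):
    """cmd.exe told to ping (a delay) and then delete the very file its parent runs from
    (ATT&CK T1070.004). Requiring target == parent image keeps ordinary cleanup
    scripts that delete some other file from matching."""
    hits = []
    for ev in events:
        if isinstance(ev, ProcessCreate) and normalize_path(ev.image).endswith("\\cmd.exe"):
            m = SELF_DELETE_RE.search(ev.cmdline)
            if m and normalize_path(m.group("target")) == normalize_path(ev.parent_image):
                hits.append({"rule": "self_delete_via_ping", "pid": ev.pid, "target": m.group("target")})
    return hits

def find_user_writable_run_keys(events):
    """Run/RunOnce value whose data points into a user-writable directory (T1547.001).
    Wow6432Node in the path means a 32-bit writer; HKLM means the writer was elevated."""
    hits = []
    for ev in events:
        if not isinstance(ev, RegistrySet):
            continue
        m = RUN_KEY_RE.match(ev.target)
        if m and any(d in normalize_path(ev.details) for d in USER_WRITABLE):
            hive = m.group("hive").lower()
            hits.append({
                "rule": "run_key_to_user_writable_path", "pid": ev.pid, "value": m.group("value"),
                "scope": "machine" if hive in ("\\registry\\machine", "hklm", "hkey_local_machine") else "user",
                "wow64": m.group("wow") is not None, "data": ev.details,
            })
    return hits

def find_dropped_exe_execution(events):
    """A parent in a user-writable directory starting a different EXE from one
    (the dropper in %TEMP% launching the MediaCenter.exe it just wrote)."""
    hits = []
    for ev in events:
        if isinstance(ev, ProcessCreate):
            img, parent = normalize_path(ev.image), normalize_path(ev.parent_image)
            if img != parent and all(any(d in p for d in USER_WRITABLE) for p in (img, parent)):
                hits.append({"rule": "dropped_exe_executed", "pid": ev.pid, "image": ev.image, "parent": ev.parent_image})
    return hits

def run_detections(events):
    return find_self_deletion(events) + find_user_writable_run_keys(events) + find_dropped_exe_execution(events)

# Constructed stream mirroring behavioral1 (PIDs 1248 -> 1328, 1984 -> 1512; explorer.exe parent assumed).
SAMPLE_EVENTS = [
    ProcessCreate(1248, 1000, SAMPLE_EXE, f'"{SAMPLE_EXE}"', r"C:\Windows\explorer.exe"),
    RegistrySet(1248, SAMPLE_EXE, RUN_KEY, f'"{DROPPED_EXE}"'),
    ProcessCreate(1328, 1248, DROPPED_EXE, DROPPED_EXE, SAMPLE_EXE),
    ProcessCreate(1984, 1248, r"C:\Windows\SysWOW64\cmd.exe",
                  f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE_EXE}"', SAMPLE_EXE),
    ProcessCreate(1512, 1984, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1", r"C:\Windows\SysWOW64\cmd.exe"),
]

if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS):
        print(hit)
```

Two design points matter in practice. The self-delete rule compares the deleted path with the parent's image after normalizing WOW64 redirection, otherwise the System32 path on the command line never equals the SysWOW64 image Sysmon logs for a 32-bit parent. And the Run key rule keys on where the data points rather than on the MicroMedia value name, so it still fires when the next build of the dropper picks a different name.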

Network

Country Destination Domain Proto
US 8.8.8.8:53 citrix.vipreclod.com udp
TH 184.22.175.13:80 (3 connections) tcp

The lookup of citrix.vipreclod.com is followed by three TCP connections to 184.22.175.13:80. The report does not show the address the name resolved to, so treat the domain and the IP as separate indicators rather than assuming one maps to the other.

Files

memory/1248-54-0x0000000076071000-0x0000000076073000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
(the sandbox lists this dropped file three times, twice by relative path and once as C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; all three entries carry the same hashes, shown once)

MD5 13492cf6bb76b848c7ebcfc9955ad553
SHA1 2544b4937bc1054fdab25664c2251cf289141878
SHA256 0332c7ac7bd6b9f31ad646279984b41ce55d3cfb33122b08284a5c2bbff1ee24
SHA512 c2485b9d3a4af8ba2d07bb4c405c9fdcf43fa632098472d5227c4b485a0a57430f0ca7560422a8db0c92167fbc9be449a31b896c350ee7ccf1d494d6cb2eb7be

memory/1328-57-0x0000000000000000-mapping.dmp

memory/1984-60-0x0000000000000000-mapping.dmp

memory/1512-61-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-23 09:34

Reported

2022-03-23 09:40

Platform

win10v2004-en-20220113

Max time kernel

134s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825.exe"

Signatures

Sakula

trojan rat sakula

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Users\Admin\AppData\Local\Temp\2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825.exe

"C:\Users\Admin\AppData\Local\Temp\2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2670229271fa85f2b2b16b586a4c73853fcc8e6bebf3e5c909e29eb21e539825.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 citrix.vipreclod.com udp (4 queries)
TH 184.22.175.13:80 (2 connections) tcp
US 209.197.3.8:80 (2 connections) tcp
NL 8.248.1.254:80 tcp
NL 8.238.21.254:80 tcp
CH 173.222.108.210:80 tcp

Only the citrix.vipreclod.com lookup and 184.22.175.13:80 appear in both detonations. The report ties none of the other port-80 destinations to a specific process, so do not promote them to indicators without corroboration.

Files

memory/2112-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
(listed twice by the sandbox with identical hashes, shown once)

MD5 975106accb5f0ab415e66adfc5b275c6
SHA1 1aedb7755fbfe0ba100c1da7b30fe2fb83be2f71
SHA256 a04329334ffd7ed4c944ea5e37b7f1dc2d69f4fac34b3e5538e757f018aa0bae
SHA512 aa13e23bd8e479ce1d0303414ac1c8421e21d3e62291e9147c11845b9cc2086e22b53da5e5e96802f6a8952ed66301293b631c1580da8620575db6f48874b984

This MediaCenter.exe is not the same file as the one dropped in behavioral1 (SHA256 0332c7ac7bd6b9f31ad646279984b41ce55d3cfb33122b08284a5c2bbff1ee24): the dropped payload's hash is not stable across detonations, so hunt on the drop path, the MicroMedia Run value and the citrix.vipreclod.com lookup rather than on either file hash alone.

memory/4248-133-0x0000000000000000-mapping.dmp

memory/4372-134-0x0000000000000000-mapping.dmp