Malware Analysis Report

2024-12-07 22:07

Sample ID 220323-lkdw1abge7
Target 82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c
SHA256 82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c
Tags
sakula persistence rat trojan
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c

Threat Level: Known bad

The file 82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula

Executes dropped EXE

Deletes itself

Loads dropped DLL

Adds Run key to start application

Suspicious use of WriteProcessMemory

Modifies registry key

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-23 09:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-23 09:35

Reported

2022-03-23 09:43

Platform

win7-20220311-en

Max time kernel

4294187s (not a real runtime: the value is consistent with a 32-bit millisecond counter wrapping below zero; compare the 131s network time below and the 138s kernel time of the behavioral2 run)

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe"

Signatures

Sakula

trojan rat sakula

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A (2 events) N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Windows\SysWOW64\reg.exe N/A

The command line (see Processes) names HKLM\Software\Microsoft\Windows\CurrentVersion\Run, but it is executed by the 32-bit reg.exe from SysWOW64, so the registry redirector places the value under Wow6432Node, which is the path the sandbox recorded. Windows processes both the native and the Wow6432Node Run keys at logon, so the entry still auto-starts MediaCenter.exe; a hunt that only reads the native key path misses it.

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 2000 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 2008 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 1684 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 1460 (4 calls) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1684 wrote to memory of 628 (4 calls) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2008 wrote to memory of 1212 (4 calls) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Every write here goes from a parent into the child it has just spawned (dropper, then three cmd.exe instances, then reg.exe, PING.EXE and MediaCenter.exe), matching the process list below; nothing writes into a process outside this tree, so the signature reflects process creation rather than injection into a foreign process.
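The sandbox emits one row per WriteProcessMemory call, and the useful content of the table is the parent/child graph those rows encode. As an added example (not part of the sandbox report), the following Python collapses a constructed copy of the rows above into a process tree and flags any write whose target was already running, which is the shape a real cross-process injection would have. The explorer.exe rows and PID 1000 in the injection sample are hypothetical and do not appear on this page.

```python
import re
from collections import Counter, defaultdict

# Image paths as recorded in this page's behavioral1 analysis.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"
PING = r"C:\Windows\SysWOW64\PING.EXE"
MEDIA = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed copy of the "Suspicious use of WriteProcessMemory" rows above;
# the sandbox emits one row per call, hence the repeats.
WPM_ROWS = (
    [f"PID 2032 wrote to memory of 2000 N/A {DROPPER} {CMD}"] * 4
    + [f"PID 2032 wrote to memory of 2008 N/A {DROPPER} {CMD}"] * 4
    + [f"PID 2032 wrote to memory of 1684 N/A {DROPPER} {CMD}"] * 4
    + [f"PID 2000 wrote to memory of 1460 N/A {CMD} {REG}"] * 4
    + [f"PID 1684 wrote to memory of 628 N/A {CMD} {PING}"] * 4
    + [f"PID 2008 wrote to memory of 1212 N/A {CMD} {MEDIA}"] * 4
)

# Hypothetical rows (NOT on this page): explorer.exe (assumed PID 1000) primes
# the dropper at creation, and later MediaCenter.exe writes back into the
# already-running explorer.exe, i.e. an injection rather than a child launch.
EXPLORER = r"C:\Windows\explorer.exe"
INJECTION_ROWS = (
    [f"PID 1000 wrote to memory of 2032 N/A {EXPLORER} {DROPPER}"]
    + WPM_ROWS
    + [f"PID 1212 wrote to memory of 1000 N/A {MEDIA} {EXPLORER}"]
)

# Assumes image paths contain no spaces (true for every row on this page).
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<ind>\S+) (?P<proc>\S+) (?P<target>\S+)$"
)


def parse_rows(rows):
    """Collapse repeated rows into (src, dst) -> call count, in first-seen order."""
    edges = Counter()
    images = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        images.setdefault(src, m["proc"])
        images.setdefault(dst, m["target"])
    return edges, images


def build_tree(edges):
    """Children lists plus root PIDs (writers that nobody wrote into)."""
    children = defaultdict(list)
    written_into = set()
    for src, dst in edges:
        children[src].append(dst)
        written_into.add(dst)
    roots = sorted(p for p in children if p not in written_into)
    return children, roots


def non_creation_writes(edges):
    """(src, dst) pairs where dst was already active when first written into.

    A parent priming a brand-new child is the first write that names that
    child; a write into a PID already seen as writer or target is something
    else (cross-process injection). Relies on the rows being chronological.
    """
    active, flagged = set(), []
    for src, dst in edges:  # Counter preserves first-seen order
        if dst in active:
            flagged.append((src, dst))
        active.update((src, dst))
    return flagged


def render(edges, images):
    """Indented process tree with the call count on each child."""
    children, roots = build_tree(edges)
    lines = []

    def walk(pid, depth, calls=None):
        tag = f"  [{calls} write(s) from parent]" if calls is not None else ""
        lines.append("  " * depth + f"{pid} {images[pid]}{tag}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1, edges[(pid, child)])

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    edges, images = parse_rows(WPM_ROWS)
    print(render(edges, images))
    print("non-creation writes (page rows):", non_creation_writes(edges))
    print("non-creation writes (hypothetical injection):",
          non_creation_writes(parse_rows(INJECTION_ROWS)[0]))
```

The "already active" test is deliberately simple: it needs the parent's priming write to be the first row that names a new PID, which holds for the table above but not for a log that starts mid-session.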

Processes

C:\Users\Admin\AppData\Local\Temp\82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe

"C:\Users\Admin\AppData\Local\Temp\82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe"
(the ping to loopback is a short delay so the dropper process has exited before del removes its own executable; this is the "Deletes itself" signature above)

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
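The two command lines above (the Run-key write and the ping-then-del self-removal) are the parts of this run that a detection engineer can turn into logic. As an added example that is not part of the sandbox report, the following Python checker runs over constructed process-creation events modelled on the process list above: it flags a reg add into a Run key whose target lives under a user-writable directory, normalises the Wow6432Node spelling so the 32-bit and native Run keys compare equal, and flags the ping 127.0.0.1 & del pattern only when the deleted file is the image of an ancestor process. PIDs follow the WriteProcessMemory table; PID 1000 as launcher and the two benign control events are assumptions.

```python
import re

# Paths and command lines as recorded in this page's behavioral1 process list.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe"
MEDIA = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"
PING = r"C:\Windows\SysWOW64\PING.EXE"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed process-creation events (Sysmon event 1 style), not sandbox
# output. PID 1000 is an assumed launcher; the last two events are hypothetical
# benign controls that are not on this page.
SAMPLE_EVENTS = [
    {"pid": 2032, "ppid": 1000, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"pid": 2000, "ppid": 2032, "image": CMD,
     "cmdline": f'cmd.exe /c reg add {RUN_KEY} /v "MicroMedia" /t REG_SZ /d "{MEDIA}"'},
    {"pid": 1460, "ppid": 2000, "image": REG,
     "cmdline": f'reg add {RUN_KEY} /v "MicroMedia" /t REG_SZ /d "{MEDIA}"'},
    {"pid": 2008, "ppid": 2032, "image": CMD, "cmdline": f'cmd.exe /c "{MEDIA}"'},
    {"pid": 1212, "ppid": 2008, "image": MEDIA, "cmdline": MEDIA},
    {"pid": 1684, "ppid": 2032, "image": CMD,
     "cmdline": f'cmd.exe /c ping 127.0.0.1 & del "{DROPPER}"'},
    {"pid": 628, "ppid": 1684, "image": PING, "cmdline": "ping 127.0.0.1"},
    # benign control: Run entry pointing at a non-user-writable location
    {"pid": 3000, "ppid": 1000, "image": REG,
     "cmdline": f'reg add {RUN_KEY} /v "OneDrive" /t REG_SZ /d "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"'},
    # benign control: ping+del, but the deleted file is not an ancestor's image
    {"pid": 3100, "ppid": 1000, "image": CMD,
     "cmdline": 'cmd.exe /c ping 127.0.0.1 -n 4 & del "C:\\Users\\Admin\\Desktop\\old.log"'},
]

RUN_KEY_RE = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?(?P<key>(?:HKLM|HKCU|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\\S*?CurrentVersion\\Run(?:Once)?)\b',
    re.IGNORECASE)
VALUE_RE = re.compile(r'/v\s+"?(?P<name>[^"\s]+)', re.IGNORECASE)
DATA_RE = re.compile(r'/d\s+(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r'\\(?:AppData|Temp|Users\\Public|ProgramData)\\', re.IGNORECASE)
SELF_DELETE_RE = re.compile(
    r'\bping\s+(?:127\.0\.0\.1|localhost)\b.*?&+\s*del\s+(?:"(?P<q>[^"]+)"|(?P<u>\S+))',
    re.IGNORECASE)


def normalize_key(key):
    """Map sandbox, long-form and 32-bit spellings of a key to one form.

    A 32-bit reg.exe writing HKLM\\Software\\... is redirected to
    HKLM\\Software\\Wow6432Node\\... on 64-bit Windows, which is what the
    signature table on this page recorded for the command line above.
    """
    key = re.sub(r'^\\REGISTRY\\MACHINE', 'HKLM', key, flags=re.IGNORECASE)
    key = re.sub(r'^HKEY_LOCAL_MACHINE', 'HKLM', key, flags=re.IGNORECASE)
    key = re.sub(r'^HKEY_CURRENT_USER', 'HKCU', key, flags=re.IGNORECASE)
    return re.sub(r'\\Wow6432Node(?=\\)', '', key, flags=re.IGNORECASE)


def ancestors(by_pid, pid):
    """Walk the parent chain for events we have; stop at unknown or cyclic PIDs."""
    seen = set()
    ev = by_pid.get(pid)
    while ev is not None and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        yield ev


def analyze(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        cmd = e["cmdline"]
        m = RUN_KEY_RE.search(cmd)
        if m:
            d = DATA_RE.search(cmd)
            data = (d["q"] or d["u"]) if d else ""
            v = VALUE_RE.search(cmd)
            if USER_WRITABLE_RE.search(data):
                findings.append({"rule": "run_key_to_user_writable_path", "pid": e["pid"],
                                 "key": normalize_key(m["key"]),
                                 "value": v["name"] if v else None, "target": data})
        m = SELF_DELETE_RE.search(cmd)
        if m:
            target = (m["q"] or m["u"]).strip().lower()
            owners = [a for a in ancestors(by_pid, e["pid"]) if a["image"].lower() == target]
            if owners:
                findings.append({"rule": "self_delete_via_ping_delay", "pid": e["pid"],
                                 "deleted": target, "owner_pid": owners[0]["pid"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The self-delete rule is tied to the ancestor check on purpose: ping-then-del is common in installers and scripts, and what makes it malicious here is that the deleted file is the process tree's own root executable.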

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 vpn.premrera.com udp 1
US 208.91.197.27:443 vpn.premrera.com tcp 12

Files

memory/2032-54-0x0000000075801000-0x0000000075803000-memory.dmp

memory/2000-55-0x0000000000000000-mapping.dmp

memory/2008-56-0x0000000000000000-mapping.dmp

memory/1684-57-0x0000000000000000-mapping.dmp

memory/2032-58-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1460-61-0x0000000000000000-mapping.dmp

memory/628-62-0x0000000000000000-mapping.dmp

memory/1212-64-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (dropped; recorded four times, with and without the drive letter, all with identical hashes, collapsed to one entry)

MD5 2c2983840dcd9b2202b769c9289a7f02
SHA1 d10dcbeaeccaa7affccd9d5f22b033f2a228c1a3
SHA256 0b4827160a3ec31d012d21c372f0088b6078f129918a351a92965d15e4f86abf
SHA512 8853e638be92f9ce2ce62e951e318ea449642fe6cefff6ba078dc605ad10338b6cafd0997de9a88e3ebc7b4e199c05833a69e975e1f4f64b76b0700796fb75e5

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-23 09:35

Reported

2022-03-23 09:43

Platform

win10v2004-en-20220113

Max time kernel

138s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe"

Signatures

Sakula

trojan rat sakula

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 3568 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 4708 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 4712 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe C:\Windows\SysWOW64\cmd.exe
PID 3568 wrote to memory of 2928 (3 calls) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4712 wrote to memory of 4608 (3 calls) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4708 wrote to memory of 4632 (3 calls) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Processes

C:\Users\Admin\AppData\Local\Temp\82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe

"C:\Users\Admin\AppData\Local\Temp\82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\82fee0c6b3b147b3127d5395013fa78f1563cf7afadedd762631720c095e912c.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto Count
US 72.21.81.240:80 (no domain recorded) tcp 2
US 8.8.8.8:53 vpn.premrera.com udp 1
US 208.91.197.27:443 vpn.premrera.com tcp 8

The 72.21.81.240:80 connections appear only in this Windows 10 run and have no resolved name attached; the report does not tie them to the sample, so treat them as unattributed (possibly operating-system background traffic) rather than as a second C2 address. The vpn.premrera.com / 208.91.197.27:443 beacon is the same in both detonations.

Files

memory/3568-130-0x0000000000000000-mapping.dmp

memory/4708-131-0x0000000000000000-mapping.dmp

memory/4712-132-0x0000000000000000-mapping.dmp

memory/1928-133-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2928-134-0x0000000000000000-mapping.dmp

memory/4608-135-0x0000000000000000-mapping.dmp

memory/4632-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (dropped; recorded twice with identical hashes, collapsed to one entry)

MD5 cc5d547a6d864d58be6b6a3d6647d5e7
SHA1 39cf078ece8ffd3bcb60ede0e1f90e27bd2062d1
SHA256 4b08b4433fa610191cf62e9566cf0557b13fb712d92bc7caa314a9e046e1bc73
SHA512 310a6d0823abc5d5bc16b3e0a0cd0c4b7a17db23de390fd78aad914b76957a1b3f87659b5db2c73ce31b1dcc2898f135c38ed90afd800297a3da65a414f9c08c

Note that the MediaCenter.exe dropped in this Windows 10 run hashes differently from the one dropped in the Windows 7 run (SHA256 4b08b4433fa6... here versus 0b4827160a3e... in behavioral1), so the dropped file's hash is not a stable indicator across hosts. The indicators that are identical in both runs are the drop path under %LOCALAPPDATA%\Temp\MicroMedia, the Run value name "MicroMedia", the ping-then-del self-removal, and the vpn.premrera.com / 208.91.197.27:443 beacon.