Malware Analysis Report

2025-01-02 02:52

Sample ID 220323-lkdw1abge8
Target 6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630
SHA256 6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630
Tags
sakula persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630

Threat Level: Known bad

The file 6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630 was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula

Executes dropped EXE

Deletes itself

Loads dropped DLL

Adds Run key to start application

Runs ping.exe

Suspicious use of WriteProcessMemory

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-23 09:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-23 09:35

Reported

2022-03-23 09:43

Platform

win7-20220311-en

Max time kernel

4294180s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe"

Signatures

Sakula

trojan rat sakula

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Windows\SysWOW64\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 968 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe | C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe | C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe | C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe | C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe | C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe | C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe | C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe | C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe | C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe | C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe | C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe | C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 564 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1904 wrote to memory of 564 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1904 wrote to memory of 564 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1904 wrote to memory of 564 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1900 wrote to memory of 1056 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1900 wrote to memory of 1056 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1900 wrote to memory of 1056 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1900 wrote to memory of 1056 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1980 wrote to memory of 1488 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1980 wrote to memory of 1488 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1980 wrote to memory of 1488 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1980 wrote to memory of 1488 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe

"C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

Network

Country | Destination | Domain | Proto
NL | 62.197.136.163:2405 |  | tcp
US | 8.8.8.8:53 | vpn.premrera.com | udp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 173.254.226.212:443 |  | tcp
US | 173.254.226.212:443 |  | tcp

Files

memory/968-54-0x00000000763D1000-0x00000000763D3000-memory.dmp

memory/1900-55-0x0000000000000000-mapping.dmp

memory/1904-56-0x0000000000000000-mapping.dmp

memory/1980-57-0x0000000000000000-mapping.dmp

memory/968-58-0x0000000000400000-0x000000000040B000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 778de3633cb2456865de56d5e4cf4271
SHA1 e05e3b6b1d9aa630cef3d0d02ab52e952648a716
SHA256 cc8d847d921e3997c060e85c9146c1605b90bd4a90d4d2e01d76c719081fc7f4
SHA512 b116002ab2176d2787499277e6eb1f0b415f581112479a6368aaf0e6a960f8f6a6da026d5513cb9b9d05a46a095bb3a8ea364256fe99d3d7252ac695aa0c301d

memory/564-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 778de3633cb2456865de56d5e4cf4271
SHA1 e05e3b6b1d9aa630cef3d0d02ab52e952648a716
SHA256 cc8d847d921e3997c060e85c9146c1605b90bd4a90d4d2e01d76c719081fc7f4
SHA512 b116002ab2176d2787499277e6eb1f0b415f581112479a6368aaf0e6a960f8f6a6da026d5513cb9b9d05a46a095bb3a8ea364256fe99d3d7252ac695aa0c301d

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 778de3633cb2456865de56d5e4cf4271
SHA1 e05e3b6b1d9aa630cef3d0d02ab52e952648a716
SHA256 cc8d847d921e3997c060e85c9146c1605b90bd4a90d4d2e01d76c719081fc7f4
SHA512 b116002ab2176d2787499277e6eb1f0b415f581112479a6368aaf0e6a960f8f6a6da026d5513cb9b9d05a46a095bb3a8ea364256fe99d3d7252ac695aa0c301d

memory/1488-65-0x0000000000000000-mapping.dmp

memory/1056-64-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 778de3633cb2456865de56d5e4cf4271
SHA1 e05e3b6b1d9aa630cef3d0d02ab52e952648a716
SHA256 cc8d847d921e3997c060e85c9146c1605b90bd4a90d4d2e01d76c719081fc7f4
SHA512 b116002ab2176d2787499277e6eb1f0b415f581112479a6368aaf0e6a960f8f6a6da026d5513cb9b9d05a46a095bb3a8ea364256fe99d3d7252ac695aa0c301d

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-23 09:35

Reported

2022-03-23 09:43

Platform

win10v2004-en-20220113

Max time kernel

134s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe"

Signatures

Sakula

trojan rat sakula

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Windows\SysWOW64\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1652 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe | C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe | C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe | C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe | C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe | C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe | C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe | C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe | C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe | C:\Windows\SysWOW64\cmd.exe
PID 2384 wrote to memory of 4800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2384 wrote to memory of 4800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2384 wrote to memory of 4800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2164 wrote to memory of 4292 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2164 wrote to memory of 4292 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2164 wrote to memory of 4292 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2348 wrote to memory of 4572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 2348 wrote to memory of 4572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 2348 wrote to memory of 4572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe

"C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\6699ed985b80cf027b8ac2e914cbe85e97d2ba27962aad45c0f128eece97e630.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Network

Country | Destination | Domain | Proto
NL | 104.110.191.133:80 |  | tcp
US | 8.8.8.8:53 | vpn.premrera.com | udp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
JP | 40.79.197.35:443 |  | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp

Files

memory/2164-130-0x0000000000000000-mapping.dmp

memory/2384-132-0x0000000000000000-mapping.dmp

memory/2348-131-0x0000000000000000-mapping.dmp

memory/1652-133-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4292-135-0x0000000000000000-mapping.dmp

memory/4572-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 ca29936dfe408e3650b97cecfd5f050d
SHA1 88f82b90bb3e52d18fd6f22300c52306f6fa53fa
SHA256 a0bf6516267ef25808f436bd1755cb224dd09afe59a93c326dfce2ba359b23f2
SHA512 d747ca19c3284d36d70187d2fea99e109e16a88216cec24472ee857a74502245fc33ecb944e26d2dcef2e0506d687a07da436fc57e175f00655c5d5a468ccd84

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 ca29936dfe408e3650b97cecfd5f050d
SHA1 88f82b90bb3e52d18fd6f22300c52306f6fa53fa
SHA256 a0bf6516267ef25808f436bd1755cb224dd09afe59a93c326dfce2ba359b23f2
SHA512 d747ca19c3284d36d70187d2fea99e109e16a88216cec24472ee857a74502245fc33ecb944e26d2dcef2e0506d687a07da436fc57e175f00655c5d5a468ccd84

memory/4800-134-0x0000000000000000-mapping.dmp

memory/4572-139-0x0000000000400000-0x000000000040B000-memory.dmp