Malware Analysis Report

2025-01-02 02:58

Sample ID 220323-lkdw1abge9
Target c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2
SHA256 c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2
Tags
sakula persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2

Threat Level: Known bad

The file c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2 was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula

Executes dropped EXE

Loads dropped DLL

Deletes itself

Adds Run key to start application

Modifies registry key

Runs ping.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-23 09:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-23 09:35

Reported

2022-03-23 09:43

Platform

win7-20220311-en

Max time kernel

4294180s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe"

Signatures

Sakula

trojan rat sakula

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A | 2 identical entries

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Windows\SysWOW64\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 576 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe | C:\Windows\SysWOW64\cmd.exe | 4 identical entries
PID 576 wrote to memory of 1932 | N/A | C:\Users\Admin\AppData\Local\Temp\c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe | C:\Windows\SysWOW64\cmd.exe | 4 identical entries
PID 576 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe | C:\Windows\SysWOW64\cmd.exe | 4 identical entries
PID 1948 wrote to memory of 856 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe | 4 identical entries
PID 1932 wrote to memory of 1796 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | 4 identical entries
PID 2016 wrote to memory of 2020 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE | 4 identical entries

Processes

C:\Users\Admin\AppData\Local\Temp\c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe

"C:\Users\Admin\AppData\Local\Temp\c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | vpn.premrera.com | udp | 1
US | 208.91.197.27:443 | vpn.premrera.com | tcp | 1
US | 173.254.226.212:443 | | tcp | 2 identical entries

Files

memory/576-54-0x0000000075471000-0x0000000075473000-memory.dmp

memory/1948-55-0x0000000000000000-mapping.dmp

memory/1932-56-0x0000000000000000-mapping.dmp

memory/2016-57-0x0000000000000000-mapping.dmp

memory/576-58-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 66263a574d94707622190cb95165195c
SHA1 e3a0cbdb9befdf5fa36c6be50a08372e9764ccf6
SHA256 93346a1a2b990c5ce260dfa30dd00b435e0b71f249039f3056f61d7958c54d03
SHA512 3545d0d7c57d9767d2d3828bf649dd0ef02c8a1b57b427fb8bdf79f718842a16c1c2d9ea93159e68ca64405e408886ca719a08f1f37ed4b97ee3cde9524daf8a

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 66263a574d94707622190cb95165195c
SHA1 e3a0cbdb9befdf5fa36c6be50a08372e9764ccf6
SHA256 93346a1a2b990c5ce260dfa30dd00b435e0b71f249039f3056f61d7958c54d03
SHA512 3545d0d7c57d9767d2d3828bf649dd0ef02c8a1b57b427fb8bdf79f718842a16c1c2d9ea93159e68ca64405e408886ca719a08f1f37ed4b97ee3cde9524daf8a

memory/2020-64-0x0000000000000000-mapping.dmp

memory/856-61-0x0000000000000000-mapping.dmp

memory/1796-63-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-23 09:35

Reported

2022-03-23 09:43

Platform

win10v2004-en-20220113

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe"

Signatures

Sakula

trojan rat sakula

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Windows\SysWOW64\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1996 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe | C:\Windows\SysWOW64\cmd.exe | 3 identical entries
PID 1996 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe | C:\Windows\SysWOW64\cmd.exe | 3 identical entries
PID 1996 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe | C:\Windows\SysWOW64\cmd.exe | 3 identical entries
PID 2756 wrote to memory of 5056 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE | 3 identical entries
PID 2552 wrote to memory of 4468 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe | 3 identical entries
PID 2728 wrote to memory of 3976 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | 3 identical entries

Processes

C:\Users\Admin\AppData\Local\Temp\c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe

"C:\Users\Admin\AppData\Local\Temp\c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\c282d35f4f5b6476fa15a710062b76ac2f74c73c4228fc5448e52618a8cb18a2.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Network

Country | Destination | Domain | Proto | Count
NL | 8.248.5.254:80 | | tcp | 2 identical entries
US | 8.8.8.8:53 | vpn.premrera.com | udp | 1
US | 208.91.197.27:443 | vpn.premrera.com | tcp | 6 identical entries
US | 173.254.226.212:443 | | tcp | 1

Files

memory/2552-130-0x0000000000000000-mapping.dmp

memory/2728-131-0x0000000000000000-mapping.dmp

memory/2756-132-0x0000000000000000-mapping.dmp

memory/1996-133-0x0000000000400000-0x000000000040B000-memory.dmp

memory/5056-134-0x0000000000000000-mapping.dmp

memory/4468-135-0x0000000000000000-mapping.dmp

memory/3976-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 8ed2017c2afac40e15d7d46e88ae3345
SHA1 4ac674621193ade5949a2273544e9bd870be898b
SHA256 13312e953f1a9535e0a0cac6173bff39bb421668d6c96a67937a29d2642d2f7a
SHA512 a783d554de6adf70ff50484a5c2683a24df9644fd9153c95b876b7c3cd804c09657c60411e3a783a938505ce2a5b691fc1f0b23a45fc9a9be6d38fb4d8b7d576

memory/3976-139-0x0000000000400000-0x000000000040B000-memory.dmp