Malware Analysis Report

2025-01-02 02:58

Sample ID 220326-hjs3rahdg2
Target 2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d
SHA256 2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d
Tags
sakula persistence rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d

Threat Level: Known bad

The file 2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula

Executes dropped EXE

Deletes itself

Loads dropped DLL

Adds Run key to start application

Modifies registry key

Runs ping.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-26 06:46

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-26 06:46

Reported

2022-03-27 02:10

Platform

win10v2004-en-20220113

Max time kernel

148s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe"

Signatures

Sakula

trojan rat sakula

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Windows\SysWOW64\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4424 wrote to memory of 3772 | N/A | C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe | C:\Windows\SysWOW64\cmd.exe
PID 4424 wrote to memory of 3772 | N/A | C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe | C:\Windows\SysWOW64\cmd.exe
PID 4424 wrote to memory of 3772 | N/A | C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe | C:\Windows\SysWOW64\cmd.exe
PID 4424 wrote to memory of 3744 | N/A | C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe | C:\Windows\SysWOW64\cmd.exe
PID 4424 wrote to memory of 3744 | N/A | C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe | C:\Windows\SysWOW64\cmd.exe
PID 4424 wrote to memory of 3744 | N/A | C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe | C:\Windows\SysWOW64\cmd.exe
PID 4424 wrote to memory of 4180 | N/A | C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe | C:\Windows\SysWOW64\cmd.exe
PID 4424 wrote to memory of 4180 | N/A | C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe | C:\Windows\SysWOW64\cmd.exe
PID 4424 wrote to memory of 4180 | N/A | C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe | C:\Windows\SysWOW64\cmd.exe
PID 3772 wrote to memory of 3424 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3772 wrote to memory of 3424 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3772 wrote to memory of 3424 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4180 wrote to memory of 800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 4180 wrote to memory of 800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 4180 wrote to memory of 800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 3744 wrote to memory of 676 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 3744 wrote to memory of 676 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 3744 wrote to memory of 676 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe

"C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | vpn.premrera.com | udp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
NL | 67.26.111.254:80 | | tcp
NL | 67.26.111.254:80 | | tcp
NL | 67.26.111.254:80 | | tcp
US | 8.8.8.8:53 | crl4.digicert.com | udp
US | 93.184.220.29:80 | crl4.digicert.com | tcp
US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp

Files

memory/3772-130-0x0000000000000000-mapping.dmp

memory/4180-132-0x0000000000000000-mapping.dmp

memory/3744-131-0x0000000000000000-mapping.dmp

memory/4424-133-0x0000000000400000-0x000000000040B000-memory.dmp

memory/800-135-0x0000000000000000-mapping.dmp

memory/3424-134-0x0000000000000000-mapping.dmp

memory/676-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 586a8ab77ce47ffc3446f82dc066b730
SHA1 ec4034b0fe19255b8bee2f6b481b17c5c0f1c4b6
SHA256 c34277f9968ba2d7aa0829f83a53fd3f4bfdd2a0269f5e2bc0f2dd52bbaf6a5c
SHA512 016d8053d817e1f35ca41e11733288b6e7101e20f7d6168076a615bdce04d566702b8c36bffbe689c8b63df404a84456881070fe53036933a9b9184532ec0a90

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 586a8ab77ce47ffc3446f82dc066b730
SHA1 ec4034b0fe19255b8bee2f6b481b17c5c0f1c4b6
SHA256 c34277f9968ba2d7aa0829f83a53fd3f4bfdd2a0269f5e2bc0f2dd52bbaf6a5c
SHA512 016d8053d817e1f35ca41e11733288b6e7101e20f7d6168076a615bdce04d566702b8c36bffbe689c8b63df404a84456881070fe53036933a9b9184532ec0a90

memory/676-139-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-26 06:46

Reported

2022-03-27 02:10

Platform

win7-20220311-en

Max time kernel

4294205s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe"

Signatures

Sakula

trojan rat sakula

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Windows\SysWOW64\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2016 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe | C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe | C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe | C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe | C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe | C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe | C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe | C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe | C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 872 | N/A | C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe | C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 872 | N/A | C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe | C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 872 | N/A | C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe | C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 872 | N/A | C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe | C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 628 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2004 wrote to memory of 628 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2004 wrote to memory of 628 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2004 wrote to memory of 628 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 872 wrote to memory of 1212 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 872 wrote to memory of 1212 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 872 wrote to memory of 1212 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 872 wrote to memory of 1212 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1676 wrote to memory of 1264 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1676 wrote to memory of 1264 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1676 wrote to memory of 1264 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1676 wrote to memory of 1264 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe

"C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\2f75127174f624462df8fbae0de572c2eb6c04b4562ea16ba05dff714ca48a8d.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | vpn.premrera.com | udp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp
US | 208.91.197.27:443 | vpn.premrera.com | tcp

Files

memory/2016-54-0x0000000075801000-0x0000000075803000-memory.dmp

memory/2004-55-0x0000000000000000-mapping.dmp

memory/2016-57-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1676-56-0x0000000000000000-mapping.dmp

memory/872-58-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 672093b6998bc4669d2c6b020f6d4208
SHA1 76f9ae76d5e94a5adaa862d8bb62f115862262dd
SHA256 e8c6db684509c0e38041483425f73203b402520f67a8ecdec35edd619a5f0eb1
SHA512 fc465079811636bd3f97b0c881c221e0aa42ea898db77d7d2eb5292b34ca292e408b050b6640fae0365d8e1c285b0fc193676a0fae45fc2ade2bdab7522b7af0

memory/1264-64-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 672093b6998bc4669d2c6b020f6d4208
SHA1 76f9ae76d5e94a5adaa862d8bb62f115862262dd
SHA256 e8c6db684509c0e38041483425f73203b402520f67a8ecdec35edd619a5f0eb1
SHA512 fc465079811636bd3f97b0c881c221e0aa42ea898db77d7d2eb5292b34ca292e408b050b6640fae0365d8e1c285b0fc193676a0fae45fc2ade2bdab7522b7af0

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 672093b6998bc4669d2c6b020f6d4208
SHA1 76f9ae76d5e94a5adaa862d8bb62f115862262dd
SHA256 e8c6db684509c0e38041483425f73203b402520f67a8ecdec35edd619a5f0eb1
SHA512 fc465079811636bd3f97b0c881c221e0aa42ea898db77d7d2eb5292b34ca292e408b050b6640fae0365d8e1c285b0fc193676a0fae45fc2ade2bdab7522b7af0

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 672093b6998bc4669d2c6b020f6d4208
SHA1 76f9ae76d5e94a5adaa862d8bb62f115862262dd
SHA256 e8c6db684509c0e38041483425f73203b402520f67a8ecdec35edd619a5f0eb1
SHA512 fc465079811636bd3f97b0c881c221e0aa42ea898db77d7d2eb5292b34ca292e408b050b6640fae0365d8e1c285b0fc193676a0fae45fc2ade2bdab7522b7af0

memory/628-59-0x0000000000000000-mapping.dmp

memory/1212-60-0x0000000000000000-mapping.dmp