Malware Analysis Report

2024-12-07 22:08

Sample ID 220530-ekxwjshcbq
Target 0b2e22c989efa2ab94cab7e9aaf1c6f075929a7a900bad0bd111b56d0d2a1387
SHA256 0b2e22c989efa2ab94cab7e9aaf1c6f075929a7a900bad0bd111b56d0d2a1387
Tags sakula persistence rat suricata trojan upx
Score 10/10

Analysis Overview

Score 10/10

SHA256 0b2e22c989efa2ab94cab7e9aaf1c6f075929a7a900bad0bd111b56d0d2a1387

Threat Level: Known bad

The file 0b2e22c989efa2ab94cab7e9aaf1c6f075929a7a900bad0bd111b56d0d2a1387 was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat suricata trojan upx

Sakula Payload

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

Sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

Sakula family

UPX packed file

Executes dropped EXE

Deletes itself

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-05-30 04:00

Signatures

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A

Sakula family

sakula

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-05-30 04:00
Reported 2022-05-30 05:24
Platform win7-20220414-en
Max time kernel 140s
Max time network 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b2e22c989efa2ab94cab7e9aaf1c6f075929a7a900bad0bd111b56d0d2a1387.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

suricata

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Users\Admin\AppData\Local\Temp\0b2e22c989efa2ab94cab7e9aaf1c6f075929a7a900bad0bd111b56d0d2a1387.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b2e22c989efa2ab94cab7e9aaf1c6f075929a7a900bad0bd111b56d0d2a1387.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 304 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\0b2e22c989efa2ab94cab7e9aaf1c6f075929a7a900bad0bd111b56d0d2a1387.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 304 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\0b2e22c989efa2ab94cab7e9aaf1c6f075929a7a900bad0bd111b56d0d2a1387.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 304 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\0b2e22c989efa2ab94cab7e9aaf1c6f075929a7a900bad0bd111b56d0d2a1387.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 304 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\0b2e22c989efa2ab94cab7e9aaf1c6f075929a7a900bad0bd111b56d0d2a1387.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 304 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\0b2e22c989efa2ab94cab7e9aaf1c6f075929a7a900bad0bd111b56d0d2a1387.exe C:\Windows\SysWOW64\cmd.exe
PID 304 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\0b2e22c989efa2ab94cab7e9aaf1c6f075929a7a900bad0bd111b56d0d2a1387.exe C:\Windows\SysWOW64\cmd.exe
PID 304 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\0b2e22c989efa2ab94cab7e9aaf1c6f075929a7a900bad0bd111b56d0d2a1387.exe C:\Windows\SysWOW64\cmd.exe
PID 304 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\0b2e22c989efa2ab94cab7e9aaf1c6f075929a7a900bad0bd111b56d0d2a1387.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2020 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2020 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2020 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\0b2e22c989efa2ab94cab7e9aaf1c6f075929a7a900bad0bd111b56d0d2a1387.exe

"C:\Users\Admin\AppData\Local\Temp\0b2e22c989efa2ab94cab7e9aaf1c6f075929a7a900bad0bd111b56d0d2a1387.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b2e22c989efa2ab94cab7e9aaf1c6f075929a7a900bad0bd111b56d0d2a1387.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.polarroute.com udp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 8.8.8.8:53 www.northpoleroute.com udp

Files

memory/304-54-0x0000000075311000-0x0000000075313000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 9f9b0e8c6fd87c4b0ec9ecc5fe6c51e3
SHA1 d0115403520fb3ddaea60577cbb13567c4fa85ea
SHA256 0db6b1148d05b47fe1e48409ea3a3c66eb889be7e34d00b57f8e18c4eb852daf
SHA512 83e846628748546572e020ba5d1e600a934181d844dac88fe15b9e0061f1f34195899c328e1069655a180be0f85041e452501414a29bba64a5392faa6228577c

memory/1188-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 9f9b0e8c6fd87c4b0ec9ecc5fe6c51e3
SHA1 d0115403520fb3ddaea60577cbb13567c4fa85ea
SHA256 0db6b1148d05b47fe1e48409ea3a3c66eb889be7e34d00b57f8e18c4eb852daf
SHA512 83e846628748546572e020ba5d1e600a934181d844dac88fe15b9e0061f1f34195899c328e1069655a180be0f85041e452501414a29bba64a5392faa6228577c

memory/304-59-0x0000000000400000-0x0000000000425000-memory.dmp

memory/304-60-0x00000000003C0000-0x00000000003E5000-memory.dmp

memory/1188-61-0x0000000000400000-0x0000000000425000-memory.dmp

memory/304-62-0x00000000003C0000-0x00000000003E5000-memory.dmp

memory/1188-63-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2020-64-0x0000000000000000-mapping.dmp

memory/304-65-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1916-66-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2022-05-30 04:00
Reported 2022-05-30 05:25
Platform win10v2004-20220414-en
Max time kernel 141s
Max time network 172s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b2e22c989efa2ab94cab7e9aaf1c6f075929a7a900bad0bd111b56d0d2a1387.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

suricata

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0b2e22c989efa2ab94cab7e9aaf1c6f075929a7a900bad0bd111b56d0d2a1387.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Users\Admin\AppData\Local\Temp\0b2e22c989efa2ab94cab7e9aaf1c6f075929a7a900bad0bd111b56d0d2a1387.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b2e22c989efa2ab94cab7e9aaf1c6f075929a7a900bad0bd111b56d0d2a1387.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0b2e22c989efa2ab94cab7e9aaf1c6f075929a7a900bad0bd111b56d0d2a1387.exe

"C:\Users\Admin\AppData\Local\Temp\0b2e22c989efa2ab94cab7e9aaf1c6f075929a7a900bad0bd111b56d0d2a1387.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0b2e22c989efa2ab94cab7e9aaf1c6f075929a7a900bad0bd111b56d0d2a1387.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.polarroute.com udp
US 204.11.56.48:80 www.polarroute.com tcp
US 93.184.220.29:80 N/A tcp
US 20.189.173.15:443 N/A tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 93.184.220.29:80 N/A tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 8.8.8.8:53 www.northpoleroute.com udp
US 8.8.8.8:53 www.northpoleroute.com udp

Files

memory/3468-131-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 7ce61d17ae72db539d67844a11be2ea6
SHA1 a8babd8a702444302033e70c3b5cb465795d3ea5
SHA256 faed096b4e79544845635de34b741d9c6313783ffbd9914746b435d498ee10a1
SHA512 0c3c70f69e049beaf5dfdecd1558a02e00e63fd2588b4c1335be0c3b8acb490ce844a24af370ee5aa04b6664c6f0f9530281c66a67932d418078bfd47fe6d2de

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 7ce61d17ae72db539d67844a11be2ea6
SHA1 a8babd8a702444302033e70c3b5cb465795d3ea5
SHA256 faed096b4e79544845635de34b741d9c6313783ffbd9914746b435d498ee10a1
SHA512 0c3c70f69e049beaf5dfdecd1558a02e00e63fd2588b4c1335be0c3b8acb490ce844a24af370ee5aa04b6664c6f0f9530281c66a67932d418078bfd47fe6d2de

memory/4100-134-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3468-135-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3468-136-0x0000000000400000-0x0000000000425000-memory.dmp

memory/844-137-0x0000000000000000-mapping.dmp

memory/4100-138-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2636-139-0x0000000000000000-mapping.dmp