Malware Analysis Report

2024-12-07 22:08

Sample ID: 220604-ygr1nshbhm
Target: 9d640e603feb1d0308c5fcf56ecc8f10b14ac1ed3c15eea005b8fb2cbce9e573
SHA256: 9d640e603feb1d0308c5fcf56ecc8f10b14ac1ed3c15eea005b8fb2cbce9e573
Tags: sakula persistence rat suricata trojan
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: 9d640e603feb1d0308c5fcf56ecc8f10b14ac1ed3c15eea005b8fb2cbce9e573
Threat Level: Known bad

The file 9d640e603feb1d0308c5fcf56ecc8f10b14ac1ed3c15eea005b8fb2cbce9e573 was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat suricata trojan

Sakula family

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

Sakula

Sakula Payload

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

Executes dropped EXE

Deletes itself

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-06-04 19:45

Signatures

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A

Sakula family

sakula

Analysis: behavioral1

Detonation Overview

Submitted: 2022-06-04 19:45
Reported: 2022-06-05 04:09
Platform: win7-20220414-en
Max time kernel: 150s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d640e603feb1d0308c5fcf56ecc8f10b14ac1ed3c15eea005b8fb2cbce9e573.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

suricata

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Target: N/A

Deletes itself

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\cmd.exe
Target: N/A

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Process: C:\Users\Admin\AppData\Local\Temp\9d640e603feb1d0308c5fcf56ecc8f10b14ac1ed3c15eea005b8fb2cbce9e573.exe
Target: N/A

Enumerates physical storage devices

Runs ping.exe

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\PING.EXE
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeIncBasePriorityPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\9d640e603feb1d0308c5fcf56ecc8f10b14ac1ed3c15eea005b8fb2cbce9e573.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 1304 wrote to memory of 1812
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\9d640e603feb1d0308c5fcf56ecc8f10b14ac1ed3c15eea005b8fb2cbce9e573.exe
Target: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Description: PID 1304 wrote to memory of 1072
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\9d640e603feb1d0308c5fcf56ecc8f10b14ac1ed3c15eea005b8fb2cbce9e573.exe
Target: C:\Windows\SysWOW64\cmd.exe

Description: PID 1072 wrote to memory of 1216
Indicator: N/A
Process: C:\Windows\SysWOW64\cmd.exe
Target: C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\9d640e603feb1d0308c5fcf56ecc8f10b14ac1ed3c15eea005b8fb2cbce9e573.exe
  "C:\Users\Admin\AppData\Local\Temp\9d640e603feb1d0308c5fcf56ecc8f10b14ac1ed3c15eea005b8fb2cbce9e573.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\9d640e603feb1d0308c5fcf56ecc8f10b14ac1ed3c15eea005b8fb2cbce9e573.exe"

C:\Windows\SysWOW64\PING.EXE
  ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.polarroute.com udp
US 204.11.56.48:80 www.polarroute.com tcp
US 8.8.8.8:53 www.northpoleroute.com udp
NL 104.110.191.201:80 N/A tcp

Files

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 f3305dca6d5f1ad959f347f040511131
SHA1 2329bc5982b943a37ce83947487e21ed4f2d9dfa
SHA256 004d28bbeb5594ced52e7d5d178126248fc4ce0b0078595517b8f21338635542
SHA512 b0c46fa2183f981512f4f4c8e7499c6ffe65726c1b637a7502fbd3cbb66cab44d86bf3d0b30d9c99dc909b47e6c7d3255415cc1e8ed58ab314629f17196d1a83


Analysis: behavioral2

Detonation Overview

Submitted: 2022-06-04 19:45
Reported: 2022-06-05 04:09
Platform: win10v2004-20220414-en
Max time kernel: 143s
Max time network: 171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d640e603feb1d0308c5fcf56ecc8f10b14ac1ed3c15eea005b8fb2cbce9e573.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

suricata

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Target: N/A

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\9d640e603feb1d0308c5fcf56ecc8f10b14ac1ed3c15eea005b8fb2cbce9e573.exe
Target: N/A

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Process: C:\Users\Admin\AppData\Local\Temp\9d640e603feb1d0308c5fcf56ecc8f10b14ac1ed3c15eea005b8fb2cbce9e573.exe
Target: N/A

Enumerates physical storage devices

Runs ping.exe

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\PING.EXE
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeIncBasePriorityPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\9d640e603feb1d0308c5fcf56ecc8f10b14ac1ed3c15eea005b8fb2cbce9e573.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9d640e603feb1d0308c5fcf56ecc8f10b14ac1ed3c15eea005b8fb2cbce9e573.exe
  "C:\Users\Admin\AppData\Local\Temp\9d640e603feb1d0308c5fcf56ecc8f10b14ac1ed3c15eea005b8fb2cbce9e573.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\9d640e603feb1d0308c5fcf56ecc8f10b14ac1ed3c15eea005b8fb2cbce9e573.exe"

C:\Windows\SysWOW64\PING.EXE
  ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.polarroute.com udp
US 204.11.56.48:80 www.polarroute.com tcp
US 209.197.3.8:80 N/A tcp
US 8.8.8.8:53 97.97.242.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 11c8dc37312748eeef8b947c022f6b49
SHA1 93fa8fa9b56aa56b574b470aae96b45b48c8f6bf
SHA256 228b83abf4b38a11d4f5c40cf0b3b93814c5f0371206db5e9f791cd0bebc69a4
SHA512 c634a10901610efb665b2510002e69218dacf5f1e89852a429e8a9494665e01f54c068353138de943ddae7c00d295e164da7ad404dbcf12873ed4baf1cce6a80
