Malware Analysis Report

2024-12-07 22:08

Sample ID 220612-e5lzsaaff8
Target 22a59072fc33311b194570e505890222d98a83a66edf7914e50b23323109f31c
SHA256 22a59072fc33311b194570e505890222d98a83a66edf7914e50b23323109f31c
Tags
sakula persistence rat suricata trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V6)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

22a59072fc33311b194570e505890222d98a83a66edf7914e50b23323109f31c

Threat Level: Known bad

The file 22a59072fc33311b194570e505890222d98a83a66edf7914e50b23323109f31c was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat suricata trojan

Sakula

Sakula family

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

Sakula Payload

Executes dropped EXE

Deletes itself

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-12 04:31

Signatures

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A

Sakula family

sakula

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-12 04:31

Reported

2022-06-12 08:39

Platform

win7-20220414-en

Max time kernel

148s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\22a59072fc33311b194570e505890222d98a83a66edf7914e50b23323109f31c.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

suricata

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Process: C:\Users\Admin\AppData\Local\Temp\22a59072fc33311b194570e505890222d98a83a66edf7914e50b23323109f31c.exe
Target: N/A

This is the machine-wide HKLM Run key; it appears under Wow6432Node because the 32-bit sample's registry write is redirected on 64-bit Windows. Writing it requires administrative rights, which the sandbox's Admin account has, so a run under a standard user should be checked separately for where (or whether) persistence is written.

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeIncBasePriorityPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\22a59072fc33311b194570e505890222d98a83a66edf7914e50b23323109f31c.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 388 wrote to memory of 1916 (recorded 4 times)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\22a59072fc33311b194570e505890222d98a83a66edf7914e50b23323109f31c.exe
Target: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Description: PID 388 wrote to memory of 700 (recorded 4 times)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\22a59072fc33311b194570e505890222d98a83a66edf7914e50b23323109f31c.exe
Target: C:\Windows\SysWOW64\cmd.exe

Description: PID 700 wrote to memory of 848 (recorded 4 times)
Indicator: N/A
Process: C:\Windows\SysWOW64\cmd.exe
Target: C:\Windows\SysWOW64\PING.EXE

Each of these writes goes from a parent into a child it has just created (388 spawned 1916 and 700; 700 spawned 848). A parent writes startup parameters into every process it creates, so this signature on its own is not evidence of code injection into an unrelated process.

Processes

C:\Users\Admin\AppData\Local\Temp\22a59072fc33311b194570e505890222d98a83a66edf7914e50b23323109f31c.exe

"C:\Users\Admin\AppData\Local\Temp\22a59072fc33311b194570e505890222d98a83a66edf7914e50b23323109f31c.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\22a59072fc33311b194570e505890222d98a83a66edf7914e50b23323109f31c.exe"

The command line names System32\cmd.exe but the process image is SysWOW64\cmd.exe: the sample is a 32-bit process on 64-bit Windows, so the path is rewritten by WOW64 file-system redirection (the same mechanism that puts its Run key under Wow6432Node). The ping to 127.0.0.1 is only a delay so that the dropper has exited before del runs; afterwards the original executable is gone from disk, while MediaCenter.exe and the Run key remain.

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country  Destination       Domain                  Proto
US       8.8.8.8:53        www.polarroute.com      udp
US       204.11.56.48:80   www.polarroute.com      tcp  (4 connections)
US       8.8.8.8:53        www.northpoleroute.com  udp
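The behaviours recorded above (Run value under the HKLM Run key pointing into %TEMP%, the "ping 127.0.0.1 & del /q" self-delete, the dropped MediaCenter.exe hashes, and the DNS/TCP/HTTP activity toward the two domains and 204.11.56.48) map directly onto host and network telemetry. The script below is an added example, not part of the sandbox report and not vendor tooling: it runs those checks over a generic event stream. The event field names (type, pid, ppid, image, cmdline, key, data, query, dst_ip, dst_port, host, user_agent, path, sha256) are an assumed telemetry shape, the User-Agent value "iexplore" is assumed from the Suricata rule name rather than taken from a capture, and SAMPLE_EVENTS is constructed from the report's own values to mirror the behavioral1 process tree.

```python
"""
Triage checks for the behaviours in this Sakula report: Run-key persistence into
%TEMP%, self-deletion via "cmd /c ping 127.0.0.1 & del /q", the dropped
MediaCenter.exe hashes, and the C2 domains/IP. Added example, not from the report
or any vendor tool: event field names are an assumed generic telemetry shape and
SAMPLE_EVENTS is constructed from the report's own values.
"""
import re
from typing import Dict, List, Optional

Event = Dict[str, str]

# Indicators copied from the report (behavioral1 and behavioral2).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\22a59072fc33311b194570e505890222d98a83a66edf7914e50b23323109f31c.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
DROPPED_SHA256 = {
    "7d630b54568791a1f5a8924cd6af56047916de663985dd90926888ffda7a85ef",  # win7 run
    "5720cb379a1099b9a37a103a4a83cfeafaa0cd3a75ebda4d90f19bbbb2963b16",  # win10 run
}
C2_DOMAINS = {"www.polarroute.com", "www.northpoleroute.com"}
C2_IPS = {"204.11.56.48"}

# HKLM Run key, with or without the Wow6432Node redirection seen in the report.
RUN_KEY_RE = re.compile(r"\\REGISTRY\\MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# The self-delete one-liner from the Processes section; group 1 is the deleted file.
SELF_DELETE_RE = re.compile(r'ping\s+127\.0\.0\.1\s*&\s*del\s+/q\s+"?([^"]+\.exe)"?', re.I)


def check_run_key(event: Event) -> Optional[str]:
    """Run value whose data points into a user's Temp directory."""
    if event.get("type") != "registry_set":
        return None
    if RUN_KEY_RE.search(event["key"]) and TEMP_DIR_RE.search(event["data"]):
        name = event["key"].rsplit("\\", 1)[-1]
        return f"persistence: Run value {name} -> {event['data']}"
    return None


def check_self_delete(event: Event, parent_image: Optional[str]) -> Optional[str]:
    """cmd.exe deleting an .exe after a ping delay; strongest when the target is its own parent."""
    if event.get("type") != "process_create":
        return None
    # Basename match only: a 32-bit parent asks for System32\cmd.exe but WOW64 makes the image SysWOW64\cmd.exe.
    if not event["image"].lower().endswith("\\cmd.exe"):
        return None
    m = SELF_DELETE_RE.search(event["cmdline"])
    if not m:
        return None
    target = m.group(1)
    if parent_image and target.lower() == parent_image.lower():
        return f"self-delete: {parent_image} removed itself via cmd.exe (pid {event['pid']})"
    return f"self-delete pattern: cmd.exe (pid {event['pid']}) deletes {target}"


def check_dropped_file(event: Event) -> Optional[str]:
    """File write whose SHA256 matches one of the recorded MediaCenter.exe payloads."""
    if event.get("type") == "file_write" and event.get("sha256", "").lower() in DROPPED_SHA256:
        return f"sakula payload written: {event['path']}"
    return None


def check_network(event: Event) -> Optional[str]:
    """DNS, TCP and HTTP events against the report's C2 indicators."""
    t = event.get("type")
    if t == "dns_query" and event["query"].lower() in C2_DOMAINS:
        return f"c2 dns: {event['query']}"
    if t == "connect" and event["dst_ip"] in C2_IPS:
        return f"c2 connect: {event['dst_ip']}:{event['dst_port']}"
    # Assumption: the ET "SUSPICIOUS UA (iexplore)" alert keys on a UA beginning "iexplore"; the report shows no UA string.
    if t == "http_request" and event.get("user_agent", "").lower().startswith("iexplore"):
        return f"suspicious user-agent {event['user_agent']!r} -> {event['host']}"
    return None


def triage(events: List[Event]) -> List[str]:
    """Run every check over an event stream; one finding string per hit, in event order."""
    image_by_pid = {e["pid"]: e["image"] for e in events if e.get("type") == "process_create"}
    findings: List[str] = []
    for e in events:
        parent_image = image_by_pid.get(e.get("ppid", ""))
        for hit in (check_run_key(e), check_self_delete(e, parent_image),
                    check_dropped_file(e), check_network(e)):
            if hit:
                findings.append(hit)
    return findings


# Constructed events mirroring the behavioral1 process tree (PIDs 388, 1916, 700, 848)
# and its network activity, followed by one benign Run-key write that must not fire.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process_create", "pid": "388", "ppid": "1", "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "file_write", "pid": "388", "path": DROPPED, "sha256": "7d630b54568791a1f5a8924cd6af56047916de663985dd90926888ffda7a85ef"},
    {"type": "registry_set", "pid": "388", "data": DROPPED,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia"},
    {"type": "process_create", "pid": "1916", "ppid": "388", "image": DROPPED, "cmdline": DROPPED},
    {"type": "process_create", "pid": "700", "ppid": "388", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"type": "process_create", "pid": "848", "ppid": "700", "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    {"type": "dns_query", "pid": "1916", "query": "www.polarroute.com"},
    {"type": "connect", "pid": "1916", "dst_ip": "204.11.56.48", "dst_port": "80"},
    {"type": "http_request", "pid": "1916", "host": "www.polarroute.com", "user_agent": "iexplore"},  # UA value assumed
    {"type": "dns_query", "pid": "1916", "query": "www.northpoleroute.com"},
    {"type": "registry_set", "pid": "1234", "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_EVENTS)))
```

Running the script prints seven findings for the constructed stream and nothing for the benign OneDrive Run value. The self-delete check is deliberately tied to the parent's image: "cmd /c ping & del" is used by installers too, and it only becomes a strong signal when the file being deleted is the process that spawned cmd.exe. The hash check is the weakest of the four, since the two runs in this report dropped MediaCenter.exe with different hashes; the drop path and the MicroMedia Run value are the stable indicators.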

Files

memory/388-54-0x0000000076C81000-0x0000000076C83000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 9b40641d4b6b7c84b4a385fab7fb7c47
SHA1 02913b5dd1a7110605d5eec90bca285a4600c92e
SHA256 7d630b54568791a1f5a8924cd6af56047916de663985dd90926888ffda7a85ef
SHA512 5a3209b69f6255fec1eda3ba4bebf45a0bf149366bfa9268642451e7cd54e86876f27a24e46996d4b6ae05633b78caa9a45ad2eb7836a8bc12b110751ed0d6ba

memory/1916-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 9b40641d4b6b7c84b4a385fab7fb7c47
SHA1 02913b5dd1a7110605d5eec90bca285a4600c92e
SHA256 7d630b54568791a1f5a8924cd6af56047916de663985dd90926888ffda7a85ef
SHA512 5a3209b69f6255fec1eda3ba4bebf45a0bf149366bfa9268642451e7cd54e86876f27a24e46996d4b6ae05633b78caa9a45ad2eb7836a8bc12b110751ed0d6ba

memory/700-59-0x0000000000000000-mapping.dmp

memory/848-60-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-12 04:31

Reported

2022-06-12 08:39

Platform

win10v2004-20220414-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\22a59072fc33311b194570e505890222d98a83a66edf7914e50b23323109f31c.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

suricata

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\22a59072fc33311b194570e505890222d98a83a66edf7914e50b23323109f31c.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Process: C:\Users\Admin\AppData\Local\Temp\22a59072fc33311b194570e505890222d98a83a66edf7914e50b23323109f31c.exe
Target: N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeIncBasePriorityPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\22a59072fc33311b194570e505890222d98a83a66edf7914e50b23323109f31c.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\22a59072fc33311b194570e505890222d98a83a66edf7914e50b23323109f31c.exe

"C:\Users\Admin\AppData\Local\Temp\22a59072fc33311b194570e505890222d98a83a66edf7914e50b23323109f31c.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\22a59072fc33311b194570e505890222d98a83a66edf7914e50b23323109f31c.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country  Destination        Domain                  Proto
US       8.8.8.8:53         www.polarroute.com      udp
US       204.11.56.48:80    www.polarroute.com      tcp  (4 connections)
US       93.184.220.29:80   (none recorded)         tcp
JP       40.74.98.195:443   (none recorded)         tcp
US       209.197.3.8:80     (none recorded)         tcp  (3 connections)
US       8.8.8.8:53         www.northpoleroute.com  udp  (3 queries)

The three destinations with no recorded domain appear only in this Windows 10 run; the report does not associate them with either Sakula domain or with the Suricata alerts. Confirm their attribution before adding them to a blocklist alongside 204.11.56.48.

Files

memory/4980-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 29fcb13ec6e485e8c1eba60449fcf6b7
SHA1 99bc711da705158af2fff123fb8b1d0fa57efeb4
SHA256 5720cb379a1099b9a37a103a4a83cfeafaa0cd3a75ebda4d90f19bbbb2963b16
SHA512 fd3ee467a0c059056fdcd51e0ed2dd2fbff8cf6c104669a77ce55af5c9cd25a369d2ce6104310dfcf6ba6f6898066e19197b69e3718ca1c55109aaf683934539

The MediaCenter.exe written in this Windows 10 run has different hashes from the one written in the Windows 7 run (SHA256 7d630b54568791a1f5a8924cd6af56047916de663985dd90926888ffda7a85ef), so the dropper does not write a byte-identical embedded payload. Pin host detection to the drop path and the MicroMedia Run value rather than to the dropped file's hash.

memory/1680-133-0x0000000000000000-mapping.dmp

memory/2548-134-0x0000000000000000-mapping.dmp