Malware Analysis Report

2024-12-07 22:07

Sample ID 220612-hqe5gafab7
Target 21f06f909bf7716296251e0cbbebf97d5374090b2995432822f69da998a7e0bc
SHA256 21f06f909bf7716296251e0cbbebf97d5374090b2995432822f69da998a7e0bc
Tags
sakula persistence rat suricata trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

21f06f909bf7716296251e0cbbebf97d5374090b2995432822f69da998a7e0bc

Threat Level: Known bad

The file 21f06f909bf7716296251e0cbbebf97d5374090b2995432822f69da998a7e0bc was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat suricata trojan

Sakula Payload

Sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

Sakula family

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Deletes itself

Adds Run key to start application

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-12 06:56

Signatures

Sakula Payload

1 match; description, indicator, process and target not recorded (all fields N/A).

Sakula family

sakula

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-12 06:56

Reported

2022-06-12 11:53

Platform

win7-20220414-en

Max time kernel

161s

Max time network

191s

Command Line

"C:\Users\Admin\AppData\Local\Temp\21f06f909bf7716296251e0cbbebf97d5374090b2995432822f69da998a7e0bc.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

6 matches; description, indicator, process and target not recorded (all fields N/A).

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

suricata

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Process: C:\Users\Admin\AppData\Local\Temp\21f06f909bf7716296251e0cbbebf97d5374090b2995432822f69da998a7e0bc.exe
Target: N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeIncBasePriorityPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\21f06f909bf7716296251e0cbbebf97d5374090b2995432822f69da998a7e0bc.exe
Target: N/A

Suspicious use of WriteProcessMemory

PID 1988 (C:\Users\Admin\AppData\Local\Temp\21f06f909bf7716296251e0cbbebf97d5374090b2995432822f69da998a7e0bc.exe) wrote to memory of PID 1268 (C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe): 4 events
PID 1988 (same sample process) wrote to memory of PID 1540 (C:\Windows\SysWOW64\cmd.exe): 4 events
PID 1540 (C:\Windows\SysWOW64\cmd.exe) wrote to memory of PID 1528 (C:\Windows\SysWOW64\PING.EXE): 4 events

Each source/target pair above is a parent and the child it spawned in the process tree below. The sandbox raises this signature whenever a parent writes into a child it has just created, which ordinary process creation also produces, so on its own it is not evidence of code injection into an unrelated process.

Processes

C:\Users\Admin\AppData\Local\Temp\21f06f909bf7716296251e0cbbebf97d5374090b2995432822f69da998a7e0bc.exe

"C:\Users\Admin\AppData\Local\Temp\21f06f909bf7716296251e0cbbebf97d5374090b2995432822f69da998a7e0bc.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\21f06f909bf7716296251e0cbbebf97d5374090b2995432822f69da998a7e0bc.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto (- = no domain recorded)
US 93.184.220.29:80 - tcp
US 8.8.8.8:53 www.polarroute.com udp
US 204.11.56.48:80 www.polarroute.com tcp (5 connections)
US 8.8.8.8:53 www.northpoleroute.com udp

Files

memory/1988-54-0x0000000075501000-0x0000000075503000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 ba872c01b314a029fcbdbf13939372ba
SHA1 04bd5f6d28694a0af498ee76b1fe068811dd0f1c
SHA256 38c9630e5d91b26dec4568590d7578105dd0069f1ec93314357311783c1d88cf
SHA512 395c9c0ab9071f652c2b6623eefd136f9c71d940c1e8fcbe1688d0fae96447a8b51c535aa47370d328a242d988d2005a9a60bc4247b8a5eff04536f5ad8d08d7

memory/1268-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 ba872c01b314a029fcbdbf13939372ba
SHA1 04bd5f6d28694a0af498ee76b1fe068811dd0f1c
SHA256 38c9630e5d91b26dec4568590d7578105dd0069f1ec93314357311783c1d88cf
SHA512 395c9c0ab9071f652c2b6623eefd136f9c71d940c1e8fcbe1688d0fae96447a8b51c535aa47370d328a242d988d2005a9a60bc4247b8a5eff04536f5ad8d08d7

memory/1988-59-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1988-60-0x00000000002C0000-0x00000000002E0000-memory.dmp

memory/1268-61-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1540-62-0x0000000000000000-mapping.dmp

memory/1988-63-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1528-64-0x0000000000000000-mapping.dmp

memory/1268-65-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-12 06:56

Reported

2022-06-12 11:52

Platform

win10v2004-20220414-en

Max time kernel

139s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\21f06f909bf7716296251e0cbbebf97d5374090b2995432822f69da998a7e0bc.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

6 matches; description, indicator, process and target not recorded (all fields N/A).

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

suricata

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\21f06f909bf7716296251e0cbbebf97d5374090b2995432822f69da998a7e0bc.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Process: C:\Users\Admin\AppData\Local\Temp\21f06f909bf7716296251e0cbbebf97d5374090b2995432822f69da998a7e0bc.exe
Target: N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeIncBasePriorityPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\21f06f909bf7716296251e0cbbebf97d5374090b2995432822f69da998a7e0bc.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\21f06f909bf7716296251e0cbbebf97d5374090b2995432822f69da998a7e0bc.exe

"C:\Users\Admin\AppData\Local\Temp\21f06f909bf7716296251e0cbbebf97d5374090b2995432822f69da998a7e0bc.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\21f06f909bf7716296251e0cbbebf97d5374090b2995432822f69da998a7e0bc.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1
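
The process tree above is the same in both detonations: the sample drops and launches MicroMedia\MediaCenter.exe, registers it under the Wow6432Node Run key, and then removes its own executable through cmd.exe, using ping 127.0.0.1 as a delay before del /q. Note that the dropped MediaCenter.exe has different hashes in the two runs (MD5 ba872c01b314a029fcbdbf13939372ba on win7, 785a87695fb3330fde205da9cbfb38d6 on win10, see the Files sections), so a hash of the drop is a weak indicator; the drop path, the Run value name and the self-delete pattern are the stable host-side signals. The script below is an added example, not part of the report or of the sandbox's own signatures: it applies both checks to constructed Sysmon-style process-creation (EventID 1) and registry-set (EventID 13) events modelled on the behavioral1 run. The PIDs and paths come from the report; the explorer.exe parent, the benign control events and the event field layout are assumptions.

```python
"""Added example: detect the two host-side behaviours this report records.

1. Persistence: a Run/RunOnce value whose target executable lives under a
   user's AppData\\Local\\Temp directory.
2. Self-deletion: cmd.exe /c ping <addr> & del /q "<file>" where <file> is the
   image of the process that spawned cmd.exe.
The events are constructed in the shape of Sysmon EventID 1 / 13 records;
they are not telemetry from the sandbox run.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\21f06f909bf7716296251e0cbbebf97d5374090b2995432822f69da998a7e0bc.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

EVENTS = [  # PIDs follow the behavioral1 run; the explorer.exe parent is assumed
    {"EventID": 1, "ProcessId": 1988, "ParentProcessId": 1100, "Image": SAMPLE,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 13, "ProcessId": 1988, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": f'"{DROPPED}"'},
    {"EventID": 1, "ProcessId": 1268, "ParentProcessId": 1988, "Image": DROPPED,
     "ParentImage": SAMPLE, "CommandLine": DROPPED},
    {"EventID": 1, "ProcessId": 1540, "ParentProcessId": 1988,
     "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": SAMPLE,
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 1528, "ParentProcessId": 1540,
     "Image": r"C:\Windows\SysWOW64\PING.EXE",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": "ping 127.0.0.1"},
    # Benign controls (constructed): an autorun outside Temp, and a cmd.exe
    # that deletes something other than its parent's own image.
    {"EventID": 13, "ProcessId": 2200, "Image": r"C:\Program Files\Example\setup.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ExampleAgent",
     "Details": r"C:\Program Files\Example\agent.exe --background"},
    {"EventID": 1, "ProcessId": 2300, "ParentProcessId": 2200,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Example\setup.exe",
     "CommandLine": r'cmd.exe /c ping 127.0.0.1 -n 3 & del /q "C:\Users\Admin\AppData\Local\Temp\setup.log"'},
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# ping <anything> & del [/switches] "<path>" : the ping only delays the delete
SELF_DELETE_RE = re.compile(r'ping\s+\S+.*?&\s*del\s+(?:/\S+\s+)*"?([^"&]+?)"?\s*$', re.I)


def _exe_from_run_value(details: str) -> str:
    """Return the executable path from a Run value such as '"C:\\x.exe" /arg'."""
    details = details.replace("\\\\", "\\").strip()  # undo escaped backslashes
    if details.startswith('"'):
        return details[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(\s|$)", details, re.I)  # unquoted: cut at first arg
    return m.group(1) if m else details


def find_temp_autoruns(events):
    """Run/RunOnce values whose target executable lives under AppData\\Local\\Temp."""
    hits = []
    for e in events:
        if e["EventID"] != 13 or not RUN_KEY_RE.search(e["TargetObject"]):
            continue
        exe = _exe_from_run_value(e["Details"])
        if TEMP_DIR_RE.search(exe):
            hits.append({"pid": e["ProcessId"], "key": e["TargetObject"], "exe": exe})
    return hits


def find_self_deletes(events):
    """cmd.exe children whose 'del' target is the parent's own image path.

    The del target is compared with ParentImage, not with the cmd.exe path in
    the command line: the report shows System32\\cmd.exe being invoked while
    the image that ran was SysWOW64\\cmd.exe (WOW64 file-system redirection).
    """
    hits = []
    for e in events:
        if e["EventID"] != 1 or not e["Image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e["CommandLine"])
        if m and m.group(1).strip().lower() == e["ParentImage"].lower():
            hits.append({"pid": e["ProcessId"], "parent": e["ParentImage"]})
    return hits


if __name__ == "__main__":
    for h in find_temp_autoruns(EVENTS):
        print("AUTORUN from Temp:", h)
    for h in find_self_deletes(EVENTS):
        print("SELF-DELETE via cmd/ping/del:", h)
```

Run stand-alone, the script reports exactly one autorun (the MicroMedia value pointing into Temp) and one self-delete (PID 1540 deleting the sample's own path); the two constructed control events are not flagged.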

Network

Country Destination Domain Proto (- = no domain recorded)
US 8.8.8.8:53 www.polarroute.com udp
US 204.11.56.48:80 www.polarroute.com tcp
US 93.184.220.29:80 - tcp
IE 52.109.76.32:443 - tcp
NL 104.110.191.140:80 - tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 52.168.117.170:443 - tcp
US 209.197.3.8:80 - tcp (3 connections)
US 204.11.56.48:80 www.polarroute.com tcp
FR 2.18.109.224:443 - tcp
US 104.18.25.243:80 - tcp
US 204.11.56.48:80 www.polarroute.com tcp (2 connections)
US 8.8.8.8:53 www.northpoleroute.com udp (3 queries)
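
Across both runs the network picture is the same: www.polarroute.com is resolved and then contacted repeatedly on 204.11.56.48:80, while www.northpoleroute.com appears only as a DNS query with no TCP connection following it (the report does not record the DNS answer). A detection should therefore alert on the lookup itself and not only on a completed connection. The network tables are a per-run summary that does not attribute individual connections to a process, so the entries without a resolved domain (most of them only in the win10 run) are not used as indicators here. The script below is an added example, not part of the report or of the Suricata ruleset: it matches the two domains, the 204.11.56.48:80 endpoint and the User-Agent named by the "ET MALWARE SUSPICIOUS UA (iexplore)" alert against constructed DNS and HTTP log lines. The exact header text the ET rule matches is assumed to be a User-Agent equal to "iexplore"; the log line layout, client address and the non-indicator hosts are assumptions.

```python
"""Added example: match this report's network indicators against constructed
DNS and HTTP log lines.  Nothing here is traffic captured from the sandbox.
"""
import re
from dataclasses import dataclass

# Indicators taken from the report's network tables and Suricata alert names.
C2_DOMAINS = {"www.polarroute.com", "www.northpoleroute.com"}
C2_ENDPOINTS = {("204.11.56.48", 80)}
SUSPICIOUS_UA = {"iexplore"}  # assumed exact UA string behind the ET alert

# Constructed DNS log: ts client qname qtype answer
DNS_LOG = """\
2022-06-12T06:57:01Z 10.0.2.15 www.polarroute.com A 204.11.56.48
2022-06-12T06:57:02Z 10.0.2.15 www.northpoleroute.com A NXDOMAIN
2022-06-12T06:57:05Z 10.0.2.15 update.example.net A 203.0.113.10
"""
# Constructed HTTP log: ts client server:port method uri "user-agent" host
HTTP_LOG = """\
2022-06-12T06:57:03Z 10.0.2.15 204.11.56.48:80 GET / "iexplore" www.polarroute.com
2022-06-12T06:57:09Z 10.0.2.15 203.0.113.10:80 GET /update.cab "ExampleUpdater/1.0" update.example.net
2022-06-12T06:58:30Z 10.0.2.15 198.51.100.7:80 POST /api "iexplore" 198.51.100.7
"""

DNS_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
HTTP_RE = re.compile(r'^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+) "([^"]*)" (\S+)$')


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    reason: str
    detail: str


def normalise_name(name: str) -> str:
    """Lower-case and drop a trailing dot so FQDN spellings compare equal."""
    return name.rstrip(".").lower()


def scan_dns(text: str):
    """Flag lookups of the C2 names regardless of whether they resolved."""
    findings = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        ts, client, qname, _qtype, answer = m.groups()
        if normalise_name(qname) in C2_DOMAINS:
            findings.append(Finding(ts, client, "dns-query-c2-domain", f"{qname} -> {answer}"))
    return findings


def scan_http(text: str):
    """Flag requests to the C2 endpoint or host, and the suspicious User-Agent.

    The two checks are independent: a beacon to a new IP with the same UA is
    still caught by the UA rule, and a request to the known IP with a changed
    UA is still caught by the endpoint rule.
    """
    findings = []
    for line in text.splitlines():
        m = HTTP_RE.match(line)
        if not m:
            continue
        ts, client, server, port, method, uri, ua, host = m.groups()
        if (server, int(port)) in C2_ENDPOINTS or normalise_name(host) in C2_DOMAINS:
            findings.append(Finding(ts, client, "http-to-c2", f"{method} {host}{uri} via {server}:{port}"))
        if ua.strip().lower() in SUSPICIOUS_UA:
            findings.append(Finding(ts, client, "suspicious-ua", f"User-Agent={ua!r} to {server}:{port}"))
    return findings


def scan(dns_text: str, http_text: str):
    """All findings from both logs, ordered by timestamp."""
    return sorted(scan_dns(dns_text) + scan_http(http_text), key=lambda f: f.ts)


if __name__ == "__main__":
    for f in scan(DNS_LOG, HTTP_LOG):
        print(f"{f.ts} {f.client} {f.reason}: {f.detail}")
```

On the constructed logs this yields five findings: both C2 lookups (including the NXDOMAIN one), the request to 204.11.56.48:80 flagged both as C2 traffic and for its User-Agent, and a later request to an unrelated address that is caught only by the User-Agent check.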

Files

memory/1916-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 785a87695fb3330fde205da9cbfb38d6
SHA1 ee694310955aafa7a9c8cebae9eb9e83b54f9db3
SHA256 92388e45212d6af10b6974f0107b9176e8f8fadc1ebacbd639d8c43d8e720723
SHA512 ac036b60781f744c011b1364f2a514587037710fda57ed8a61feece8932b60f9c31c93f32ef37e669956f98a6da20306d91e8a2d0f109157ed6b685182cf3c12

memory/5100-132-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 785a87695fb3330fde205da9cbfb38d6
SHA1 ee694310955aafa7a9c8cebae9eb9e83b54f9db3
SHA256 92388e45212d6af10b6974f0107b9176e8f8fadc1ebacbd639d8c43d8e720723
SHA512 ac036b60781f744c011b1364f2a514587037710fda57ed8a61feece8932b60f9c31c93f32ef37e669956f98a6da20306d91e8a2d0f109157ed6b685182cf3c12

memory/1916-134-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1472-135-0x0000000000000000-mapping.dmp

memory/5100-136-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4280-137-0x0000000000000000-mapping.dmp

memory/1916-138-0x0000000000400000-0x0000000000420000-memory.dmp