Malware Analysis Report

2024-12-07 22:08

Sample ID 220705-cr2rzadagj
Target 9f9e86b22b4f11c6e4c7defbd05eb64ea0f528a0913b5502d2dc534aee08ddb2
SHA256 9f9e86b22b4f11c6e4c7defbd05eb64ea0f528a0913b5502d2dc534aee08ddb2
Tags: sakula persistence rat suricata trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

9f9e86b22b4f11c6e4c7defbd05eb64ea0f528a0913b5502d2dc534aee08ddb2

Threat Level: Known bad

The file 9f9e86b22b4f11c6e4c7defbd05eb64ea0f528a0913b5502d2dc534aee08ddb2 was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat suricata trojan

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

Sakula family

Sakula

Sakula Payload

Executes dropped EXE

Deletes itself

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-05 02:19

Signatures

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A

Sakula family

sakula

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-05 02:19

Reported

2022-07-05 02:49

Platform

win7-20220414-en

Max time kernel

1615s

Max time network

1619s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f9e86b22b4f11c6e4c7defbd05eb64ea0f528a0913b5502d2dc534aee08ddb2.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

suricata

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Process: C:\Users\Admin\AppData\Local\Temp\9f9e86b22b4f11c6e4c7defbd05eb64ea0f528a0913b5502d2dc534aee08ddb2.exe
Target: N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeIncBasePriorityPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\9f9e86b22b4f11c6e4c7defbd05eb64ea0f528a0913b5502d2dc534aee08ddb2.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1984 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\9f9e86b22b4f11c6e4c7defbd05eb64ea0f528a0913b5502d2dc534aee08ddb2.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1984 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\9f9e86b22b4f11c6e4c7defbd05eb64ea0f528a0913b5502d2dc534aee08ddb2.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1984 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\9f9e86b22b4f11c6e4c7defbd05eb64ea0f528a0913b5502d2dc534aee08ddb2.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1984 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\9f9e86b22b4f11c6e4c7defbd05eb64ea0f528a0913b5502d2dc534aee08ddb2.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1984 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\9f9e86b22b4f11c6e4c7defbd05eb64ea0f528a0913b5502d2dc534aee08ddb2.exe C:\Windows\SysWOW64\cmd.exe
PID 1984 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\9f9e86b22b4f11c6e4c7defbd05eb64ea0f528a0913b5502d2dc534aee08ddb2.exe C:\Windows\SysWOW64\cmd.exe
PID 1984 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\9f9e86b22b4f11c6e4c7defbd05eb64ea0f528a0913b5502d2dc534aee08ddb2.exe C:\Windows\SysWOW64\cmd.exe
PID 1984 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\9f9e86b22b4f11c6e4c7defbd05eb64ea0f528a0913b5502d2dc534aee08ddb2.exe C:\Windows\SysWOW64\cmd.exe
PID 1716 wrote to memory of 960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1716 wrote to memory of 960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1716 wrote to memory of 960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1716 wrote to memory of 960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\9f9e86b22b4f11c6e4c7defbd05eb64ea0f528a0913b5502d2dc534aee08ddb2.exe

"C:\Users\Admin\AppData\Local\Temp\9f9e86b22b4f11c6e4c7defbd05eb64ea0f528a0913b5502d2dc534aee08ddb2.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\9f9e86b22b4f11c6e4c7defbd05eb64ea0f528a0913b5502d2dc534aee08ddb2.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.polarroute.com udp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 8.8.8.8:53 www.northpoleroute.com udp

Files

memory/1984-54-0x00000000756E1000-0x00000000756E3000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 276de0150d052bcfbff970bb7c187b7e
SHA1 520c4e2c93507081d6f4691f8c3788aca1ce2ccb
SHA256 a8579c91e8128d6e44eab84ae480f584225ff83a12241712cb37e0e34d9af2c0
SHA512 c20419d79eaf944423be44056451a1c7529637b6b7e1f5317fbc0a5ea7e611d7e9756d48730d36f0006748626bea716fbb5d3de39e45590a03d24379923d876b

memory/2016-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 276de0150d052bcfbff970bb7c187b7e
SHA1 520c4e2c93507081d6f4691f8c3788aca1ce2ccb
SHA256 a8579c91e8128d6e44eab84ae480f584225ff83a12241712cb37e0e34d9af2c0
SHA512 c20419d79eaf944423be44056451a1c7529637b6b7e1f5317fbc0a5ea7e611d7e9756d48730d36f0006748626bea716fbb5d3de39e45590a03d24379923d876b

memory/1984-59-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1984-60-0x0000000000230000-0x0000000000250000-memory.dmp

memory/2016-61-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1716-62-0x0000000000000000-mapping.dmp

memory/1984-63-0x0000000000400000-0x0000000000420000-memory.dmp

memory/960-64-0x0000000000000000-mapping.dmp

memory/2016-65-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-05 02:19

Reported

2022-07-05 02:49

Platform

win10v2004-20220414-en

Max time kernel

1573s

Max time network

1555s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f9e86b22b4f11c6e4c7defbd05eb64ea0f528a0913b5502d2dc534aee08ddb2.exe"

Signatures

Sakula

trojan rat sakula

Sakula Payload

Description Indicator Process Target
N/A N/A N/A N/A

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

suricata

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\9f9e86b22b4f11c6e4c7defbd05eb64ea0f528a0913b5502d2dc534aee08ddb2.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
Process: C:\Users\Admin\AppData\Local\Temp\9f9e86b22b4f11c6e4c7defbd05eb64ea0f528a0913b5502d2dc534aee08ddb2.exe
Target: N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeIncBasePriorityPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\9f9e86b22b4f11c6e4c7defbd05eb64ea0f528a0913b5502d2dc534aee08ddb2.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9f9e86b22b4f11c6e4c7defbd05eb64ea0f528a0913b5502d2dc534aee08ddb2.exe

"C:\Users\Admin\AppData\Local\Temp\9f9e86b22b4f11c6e4c7defbd05eb64ea0f528a0913b5502d2dc534aee08ddb2.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\9f9e86b22b4f11c6e4c7defbd05eb64ea0f528a0913b5502d2dc534aee08ddb2.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.polarroute.com udp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
NL 13.69.116.104:443 tcp
IE 20.54.110.249:443 tcp
US 8.8.8.8:53 ocsp.msocsp.com udp
US 104.18.25.243:80 ocsp.msocsp.com tcp
NL 178.79.208.1:80 tcp
NL 178.79.208.1:80 tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.79.197.203:80 tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 8.8.8.8:53 www.northpoleroute.com udp
US 8.8.8.8:53 www.northpoleroute.com udp
US 8.8.8.8:53 www.northpoleroute.com udp
US 8.8.8.8:53 www.northpoleroute.com udp
US 13.107.21.200:443 tcp
US 52.188.50.245:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 37edf44fa242fb8d838de4802637baa8
SHA1 0e87361baf843422cf4d14e7ed46732a4ee86185
SHA256 04c77f83f640bcbd59249889fabe12b4109d949011a38d08cb49927db780afdb
SHA512 d5e97d1f402a75413794e7677bd77d2b5350fbcf5289a2e7c50444116412de75cd03ac8a62449ab6dd889da18d07fc105b3bec6f2bca230f57ad176a6c325170

memory/1332-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 37edf44fa242fb8d838de4802637baa8
SHA1 0e87361baf843422cf4d14e7ed46732a4ee86185
SHA256 04c77f83f640bcbd59249889fabe12b4109d949011a38d08cb49927db780afdb
SHA512 d5e97d1f402a75413794e7677bd77d2b5350fbcf5289a2e7c50444116412de75cd03ac8a62449ab6dd889da18d07fc105b3bec6f2bca230f57ad176a6c325170

memory/1200-133-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1332-134-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5020-135-0x0000000000000000-mapping.dmp

memory/1200-136-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4148-137-0x0000000000000000-mapping.dmp

memory/1332-138-0x0000000000400000-0x0000000000420000-memory.dmp