Malware Analysis Report

2024-12-07 22:07

Sample ID 220712-c3cbfsaad2
Target 4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095
SHA256 4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095
Tags
sakula persistence rat suricata trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095

Threat Level: Known bad

The file 4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095 was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat suricata trojan

Sakula

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

Sakula family

Sakula payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Deletes itself

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-12 02:35

Signatures

Sakula family

sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-12 02:35

Reported

2022-07-12 03:04

Platform

win7-20220414-en

Max time kernel

142s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095.exe"

Signatures

Sakula

trojan rat sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

suricata

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" | C:\Users\Admin\AppData\Local\Temp\4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1048 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 1048 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 1048 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 1048 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 1048 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 1048 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 1048 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 1048 wrote to memory of 612 | N/A | C:\Users\Admin\AppData\Local\Temp\4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095.exe | C:\Windows\SysWOW64\cmd.exe
PID 1048 wrote to memory of 612 | N/A | C:\Users\Admin\AppData\Local\Temp\4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095.exe | C:\Windows\SysWOW64\cmd.exe
PID 1048 wrote to memory of 612 | N/A | C:\Users\Admin\AppData\Local\Temp\4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095.exe | C:\Windows\SysWOW64\cmd.exe
PID 1048 wrote to memory of 612 | N/A | C:\Users\Admin\AppData\Local\Temp\4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095.exe | C:\Windows\SysWOW64\cmd.exe
PID 612 wrote to memory of 456 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 612 wrote to memory of 456 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 612 wrote to memory of 456 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 612 wrote to memory of 456 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095.exe

"C:\Users\Admin\AppData\Local\Temp\4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.savmpet.com | udp
BE | 35.205.61.67:80 | www.savmpet.com | tcp
BE | 35.205.61.67:80 | www.savmpet.com | tcp
BE | 35.205.61.67:80 | www.savmpet.com | tcp
BE | 35.205.61.67:80 | www.savmpet.com | tcp

Files

memory/1048-54-0x0000000075C51000-0x0000000075C53000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

MD5 0f0aabe9815864bf847453917c232393
SHA1 7e8a2794ea0e8cca671ccaba0c9d0a56b726c053
SHA256 2a5d9489986bfa32f2a04fabdf6a180d28e2dea511d8d8c15f05d34cb3793d43
SHA512 69cd033e89642bc3ef694a89ea2a7f44a1f9a1d975252295ffcbfdaa1c3d1a269ac9fc9187231ffff51fc1896e3307e35c57248e0ce0e36acfe72425b152a939

memory/1792-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

MD5 0f0aabe9815864bf847453917c232393
SHA1 7e8a2794ea0e8cca671ccaba0c9d0a56b726c053
SHA256 2a5d9489986bfa32f2a04fabdf6a180d28e2dea511d8d8c15f05d34cb3793d43
SHA512 69cd033e89642bc3ef694a89ea2a7f44a1f9a1d975252295ffcbfdaa1c3d1a269ac9fc9187231ffff51fc1896e3307e35c57248e0ce0e36acfe72425b152a939

memory/612-63-0x0000000000000000-mapping.dmp

memory/456-64-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-12 02:35

Reported

2022-07-12 03:04

Platform

win10v2004-20220414-en

Max time kernel

112s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095.exe"

Signatures

Sakula

trojan rat sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

suricata

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" | C:\Users\Admin\AppData\Local\Temp\4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095.exe

"C:\Users\Admin\AppData\Local\Temp\4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\4d8f44743321704462cf4eb51ce02bb76a61cd139c88ad1b002ce27ed2a32095.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.savmpet.com | udp
BE | 35.205.61.67:80 | www.savmpet.com | tcp
NL | 20.190.160.67:443 | N/A | tcp
US | 52.182.143.208:443 | N/A | tcp
NL | 20.190.160.136:443 | N/A | tcp
NL | 104.110.191.140:80 | N/A | tcp
NL | 104.110.191.140:80 | N/A | tcp
NL | 87.248.202.1:80 | N/A | tcp
BE | 35.205.61.67:80 | www.savmpet.com | tcp
NL | 20.190.160.71:443 | N/A | tcp
BE | 35.205.61.67:80 | www.savmpet.com | tcp
BE | 35.205.61.67:80 | www.savmpet.com | tcp

Files

memory/3444-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

MD5 4818390e64b44dd13d3eb0d59f348c28
SHA1 2014d47da2e42355afaf416eac5d2e8f0d406406
SHA256 dc0358edcaf97aea27e8e06e13cc59a788dfaf8e1cc9f75f261961238528fd1f
SHA512 da690d11f8ccfa5823fd306cc373c59eccf0305faf2c3a248e1b0f48968ba6cb725efe89e7798032a2594283a29200ca6e3f148733ee870105784a53f282e9ae

memory/2744-133-0x0000000000000000-mapping.dmp

memory/4628-134-0x0000000000000000-mapping.dmp