Malware Analysis Report

2024-12-07 22:08

Sample ID 220716-j4f5csbcam
Target virussign.com_1bc0e4769e7c8d200892a2b1450961e0
SHA256 7a3c203d3668423e2bf6e11568ceeac3c5081d06f304db0db39fea341833323e
Tags upx sakula persistence rat suricata trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

7a3c203d3668423e2bf6e11568ceeac3c5081d06f304db0db39fea341833323e

Threat Level: Known bad

The file virussign.com_1bc0e4769e7c8d200892a2b1450961e0 was found to be: Known bad.

Malicious Activity Summary

upx sakula persistence rat suricata trojan

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

Sakula

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

Sakula payload

Sakula family

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Deletes itself

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-16 08:13

Signatures

Sakula family

sakula

Sakula payload

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-16 08:13

Reported

2022-07-16 08:18

Platform

win7-20220414-en

Max time kernel

134s

Max time network

178s

Command Line

"C:\Users\Admin\AppData\Local\Temp\virussign.exe"

Signatures

Sakula

trojan rat sakula

Sakula payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

suricata

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\virussign.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Users\Admin\AppData\Local\Temp\virussign.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\virussign.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\virussign.exe

"C:\Users\Admin\AppData\Local\Temp\virussign.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\virussign.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.polarroute.com udp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 8.8.8.8:53 www.northpoleroute.com udp

Files

memory/1516-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 78e8d366a9398e0122b01f5e7fcd11a9
SHA1 07beb008010de20198cad3ecad910547656f1f23
SHA256 95123cffb519372a9ef0d5eddd69e8349724d401a4d77f4a17010594f0f897eb
SHA512 21b4ffac9850a36ff2fa1a38832faea842034bd1cf79de84830c5527dc2d1cfb2532b0f7269f1ec8bcb72ad56f84052d466a7b623087bf00601912858227f1d4

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 78e8d366a9398e0122b01f5e7fcd11a9
SHA1 07beb008010de20198cad3ecad910547656f1f23
SHA256 95123cffb519372a9ef0d5eddd69e8349724d401a4d77f4a17010594f0f897eb
SHA512 21b4ffac9850a36ff2fa1a38832faea842034bd1cf79de84830c5527dc2d1cfb2532b0f7269f1ec8bcb72ad56f84052d466a7b623087bf00601912858227f1d4

memory/972-56-0x0000000000000000-mapping.dmp

memory/1516-59-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1516-60-0x0000000000440000-0x0000000000475000-memory.dmp

memory/972-61-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1684-62-0x0000000000000000-mapping.dmp

memory/1516-63-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1204-64-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-16 08:13

Reported

2022-07-16 08:16

Platform

win10v2004-20220414-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\virussign.exe"

Signatures

Sakula

trojan rat sakula

Sakula payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

suricata

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\virussign.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Users\Admin\AppData\Local\Temp\virussign.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\virussign.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\virussign.exe

"C:\Users\Admin\AppData\Local\Temp\virussign.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\virussign.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 52.109.12.18:443 - tcp
US 8.8.8.8:53 www.polarroute.com udp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 20.189.173.1:443 - tcp
US 13.107.21.200:443 - tcp
US 204.11.56.48:80 www.polarroute.com tcp
NL 178.79.208.1:80 - tcp
US 104.18.25.243:80 - tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 8.8.8.8:53 www.northpoleroute.com udp
US 8.8.8.8:53 www.northpoleroute.com udp
US 8.8.8.8:53 www.northpoleroute.com udp
US 13.107.21.200:443 - tcp

Files

memory/4088-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 349fbefe7935ba6d15c55c1f69f13d95
SHA1 21b0009e3e4ceb65cf3f11b10b80183bf42239db
SHA256 11023e2ad8f91e567c54aa10fbe9110338c8a2d60eacd652d3b7c6f99d465551
SHA512 4b68b5404d62b50aac704cac18544163620282f87b6b7219ee663285fdff81c8f4299ff47a9fb9d57ac5af34ae429106ee304218fa16dd9882207e91dbce0baf

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 349fbefe7935ba6d15c55c1f69f13d95
SHA1 21b0009e3e4ceb65cf3f11b10b80183bf42239db
SHA256 11023e2ad8f91e567c54aa10fbe9110338c8a2d60eacd652d3b7c6f99d465551
SHA512 4b68b5404d62b50aac704cac18544163620282f87b6b7219ee663285fdff81c8f4299ff47a9fb9d57ac5af34ae429106ee304218fa16dd9882207e91dbce0baf

memory/3000-133-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4088-134-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4088-135-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3528-136-0x0000000000000000-mapping.dmp

memory/3000-137-0x0000000000400000-0x0000000000435000-memory.dmp

memory/5076-138-0x0000000000000000-mapping.dmp