Malware Analysis Report

2024-12-07 22:10

Sample ID: 220906-1e9ttaffhp
Target (submitted file name): e099a64759ca26fd00eab5a428b9754b
SHA256: 6bef3daf882386d3d6e0b06e4e55675dd0f5f7afebfa0056551b7f9cf9a48c90
Tags: upx sakula persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V6)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 6bef3daf882386d3d6e0b06e4e55675dd0f5f7afebfa0056551b7f9cf9a48c90
Threat Level: Known bad

The file e099a64759ca26fd00eab5a428b9754b was found to be: Known bad.

Malicious Activity Summary

Tags: upx sakula persistence rat trojan

Sakula
UPX packed file
Executes dropped EXE
Deletes itself
Loads dropped DLL
Adds Run key to start application
Modifies registry key
Runs ping.exe
Suspicious use of WriteProcessMemory

Read together, the static and behavioral results describe one short chain. The UPX-packed sample drops MediaCenter.exe into C:\Users\<user>\AppData\Local\Temp\MicroMedia\ and launches three cmd.exe one-liners: one has reg.exe register that file under HKLM\...\CurrentVersion\Run as the value "MicroMedia", one starts the dropped executable, and one runs ping 127.0.0.1 followed by del of the original sample so the launcher removes itself. Both detonations resolve vpn.premrera.com and then connect repeatedly to 208.91.197.27:443. The dropped MediaCenter.exe has a different hash on each run, so the durable indicators are the drop path, the Run value name "MicroMedia" and the domain, not the payload hash.

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Reported: 2022-09-06 21:34

Signatures

UPX packed file (upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

The static pass records only that the sample is UPX packed. A stock UPX build can usually be restored with upx -d before static analysis; a packer with modified headers or renamed sections defeats that, and then the behavioral runs below are the only source of detail.
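As an added example (editor's code, not part of the original report and not the sandbox's own signature logic), the following Python walks a PE section table by hand and reports the traces a stock UPX build leaves: UPX0/UPX1 section names, a first section that has a VirtualSize but no bytes on disk, and the "UPX!" marker string. The build_minimal_pe helper fabricates a throw-away image so the checks can be exercised without a real binary; it is not an executable and is only there for testing. A packer with renamed sections defeats the name check, which is why the raw-size heuristic is included alongside it.

```python
"""Static triage: does a PE image carry the section layout a stock UPX build leaves behind?

Hand-rolled header walk (no pefile dependency) so it runs anywhere. The builder at the
bottom fabricates a minimal image for testing and is not a real executable.
"""
import struct
import sys
from typing import List, Tuple

COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def parse_sections(data: bytes) -> List[Tuple[str, int, int]]:
    """Return (name, VirtualSize, SizeOfRawData) for each entry in the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + COFF_HEADER_SIZE + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError("section table runs past end of file")
        name = data[off:off + 8].split(b"\0", 1)[0].decode("ascii", "replace")
        vsize, _vaddr, rsize = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, rsize))
    return sections


def upx_indicators(data: bytes) -> List[str]:
    """Reasons to believe the image is UPX packed; an empty list means none were seen."""
    sections = parse_sections(data)
    reasons = []
    upx_named = [name for name, _, _ in sections if name.upper().startswith("UPX")]
    if upx_named:
        reasons.append("section names " + ", ".join(upx_named))
    if sections:
        name, vsize, rsize = sections[0]
        # UPX reserves the first section (UPX0) as the decompression target: it has a
        # VirtualSize but no bytes on disk. This survives a renamed section table.
        if rsize == 0 and vsize > 0:
            reasons.append(f"first section {name!r} has VirtualSize 0x{vsize:x} but SizeOfRawData 0")
    if b"UPX!" in data:
        reasons.append("'UPX!' packer marker present")
    return reasons


def build_minimal_pe(sections: List[Tuple[str, int, int]], marker: bool = False) -> bytes:
    """Constructed test image: DOS header, PE signature, COFF header, zeroed PE32
    optional header and the requested section table. Not loadable, only parseable."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    table = b"".join(
        name.encode("ascii").ljust(8, b"\0")
        + struct.pack("<IIIIIIHHI", vsize, 0x1000 * (i + 1), rsize, 0x400, 0, 0, 0, 0, 0x60000020)
        for i, (name, vsize, rsize) in enumerate(sections)
    )
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image + (b"UPX!" if marker else b"")


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        for line in upx_indicators(fh.read()) or ["no UPX indicators"]:
            print(line)
```

Run it as `python upx_check.py sample.exe`; an empty result only means none of these three traces is present, not that the file is unpacked.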

Analysis: behavioral1

Detonation Overview

Submitted: 2022-09-06 21:34
Reported: 2022-09-06 21:37
Platform: win7-20220812-en
Max time kernel: 137s
Max time network: 140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e099a64759ca26fd00eab5a428b9754b.exe"

Signatures

Sakula (trojan rat sakula)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

UPX packed file (upx)

Eight hits, none with a recorded description, indicator, process or target.

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application (persistence)

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Windows\SysWOW64\reg.exe | N/A

The command line names HKLM\Software\Microsoft\Windows\CurrentVersion\Run, but the 32-bit reg.exe in SysWOW64 is subject to registry redirection, so the value actually lands under Wow6432Node; a hunt on a 64-bit host has to read that view as well as the native key. The persisted path is inside the user's Temp directory, so the persistence only lasts as long as MicroMedia\MediaCenter.exe is not cleaned up.

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 240 wrote to memory of 952 (4 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\e099a64759ca26fd00eab5a428b9754b.exe | C:\Windows\SysWOW64\cmd.exe
PID 240 wrote to memory of 1936 (4 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\e099a64759ca26fd00eab5a428b9754b.exe | C:\Windows\SysWOW64\cmd.exe
PID 240 wrote to memory of 1428 (4 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\e099a64759ca26fd00eab5a428b9754b.exe | C:\Windows\SysWOW64\cmd.exe
PID 952 wrote to memory of 1112 (4 writes) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1936 wrote to memory of 1084 (4 writes) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1428 wrote to memory of 908 (4 writes) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Every write is from a process into a child it has just created (the same pairs as the command lines under Processes), which is consistent with ordinary process start-up rather than injection into an unrelated process; the value of this table is that it fixes the parent/child relationships and PIDs.

Processes

Parent/child relationships and PIDs are taken from the WriteProcessMemory pairs above; indentation shows the tree.

PID 240   C:\Users\Admin\AppData\Local\Temp\e099a64759ca26fd00eab5a428b9754b.exe
          "C:\Users\Admin\AppData\Local\Temp\e099a64759ca26fd00eab5a428b9754b.exe"
  PID 952   C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    PID 1112  C:\Windows\SysWOW64\reg.exe
              reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  PID 1428  C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\e099a64759ca26fd00eab5a428b9754b.exe"
    PID 908   C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
  PID 1936  C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    PID 1084  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
              C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

The ping to 127.0.0.1 is not network activity: its four echo requests to the loopback address are a delay so that the original sample has exited and is no longer locked when del runs. Because the launcher deletes itself, disk forensics on a victim will find MediaCenter.exe and the Run value but not the original file; the launcher survives only as the submitted sample and in the memory dumps listed under Files.
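The chain above (a binary in the user's Temp directory, three cmd.exe one-liners, a reg.exe Run-key write pointing back into Temp, and ping-then-del self-removal) is what is worth detecting in endpoint telemetry. The following Python is an added example by the editor, not the sandbox's signature logic and not code from the report: it takes process-creation events carrying the fields a Sysmon Event ID 1 record provides (PID, parent PID, image path, command line), keys each event to the top-most ancestor that runs out of AppData\Local\Temp, and records which of the three behaviours appear beneath that ancestor, so one alert covers the whole chain. ProcEvent, SAMPLE_EVENTS and BENIGN_EVENTS are constructed for the example; SAMPLE_EVENTS mirrors the PIDs and command lines of this run and BENIGN_EVENTS is a made-up control in which an interactive shell adds an ordinary Program Files autostart.

```python
"""Score process-creation telemetry for the launch chain this report shows.

Events carry the four fields a Sysmon Event ID 1 record provides. Every event is keyed
to the top-most ancestor living in the user's Temp directory, and that ancestor collects
the chain behaviours seen beneath it, so the three cmd.exe children roll up to one alert.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# reg add to a Run key; captures the /d data so the persisted path can be inspected.
RUN_KEY_ADD = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?HK(?:LM|EY_LOCAL_MACHINE|CU|EY_CURRENT_USER)\\\S*CurrentVersion\\Run\b'
    r'.*?/d\s+"?(?P<data>[^"]+)',
    re.I,
)
# "ping 127.0.0.1 & del <file>": the ping is only a delay so the launcher is unlocked.
SELF_DELETE = re.compile(r'\bping\s+127\.0\.0\.1\b.*?&\s*del\s+"?(?P<target>[^"&]+)', re.I)


def _parent(e: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[ProcEvent]:
    p = by_pid.get(e.ppid)
    return p if p is not None and p.pid != e.pid else None


def root_temp_ancestor(e: ProcEvent, by_pid: Dict[int, ProcEvent], max_hops: int = 4) -> Optional[ProcEvent]:
    """Top-most ancestor of e (never e itself) whose image lives under AppData\\Local\\Temp."""
    root = None
    cur = _parent(e, by_pid)
    for _ in range(max_hops):
        if cur is None:
            break
        if USER_TEMP.search(cur.image):
            root = cur
        cur = _parent(cur, by_pid)
    return root


def score_chain(events: List[ProcEvent]) -> Dict[int, Set[str]]:
    """Map each Temp-resident root process to the chain behaviours seen beneath it."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[int, Set[str]] = {}
    for e in events:
        root = root_temp_ancestor(e, by_pid)
        if root is None:
            continue  # nothing from Temp above this process: not our chain
        found = hits.setdefault(root.pid, set())
        m = RUN_KEY_ADD.search(e.command_line)
        if m and USER_TEMP.search(m.group("data")):
            found.add("run_key_to_temp_path")
        m = SELF_DELETE.search(e.command_line)
        if m and m.group("target").strip().lower() == root.image.lower():
            found.add("self_delete")
        if USER_TEMP.search(e.image) and e.image.lower() != root.image.lower():
            found.add("dropped_exe_executed")
    return {pid: s for pid, s in hits.items() if s}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e099a64759ca26fd00eab5a428b9754b.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
CMD, REG, PING = r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\reg.exe", r"C:\Windows\SysWOW64\PING.EXE"
RUN_ADD = r'reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "{}"'.format(DROPPED)

# Constructed to mirror the PIDs and command lines of the Windows 7 run; not sandbox output.
SAMPLE_EVENTS = [
    ProcEvent(240, 1300, SAMPLE, '"{}"'.format(SAMPLE)),
    ProcEvent(952, 240, CMD, "cmd.exe /c " + RUN_ADD),
    ProcEvent(1112, 952, REG, RUN_ADD),
    ProcEvent(1936, 240, CMD, 'cmd.exe /c "{}"'.format(DROPPED)),
    ProcEvent(1084, 1936, DROPPED, DROPPED),
    ProcEvent(1428, 240, CMD, 'cmd.exe /c ping 127.0.0.1 & del "{}"'.format(SAMPLE)),
    ProcEvent(908, 1428, PING, "ping 127.0.0.1"),
]

# Constructed control: an interactive shell adding a vendor updater to HKCU\...\Run.
BENIGN_EVENTS = [
    ProcEvent(1000, 700, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1001, 1000, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Program Files\Vendor\updater.exe"'),
    ProcEvent(1002, 1001, r"C:\Windows\System32\PING.EXE", "ping 127.0.0.1"),
]

if __name__ == "__main__":
    for label, events in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        print(label, score_chain(events))
```

Each rule on its own is noisy (installers add Run keys, admins run reg.exe, scripts ping localhost); the roll-up to a Temp-resident root is what makes the combination specific, and requiring the Run value's data to point back into Temp is what separates this sample's persistence from a legitimate installer writing under Program Files.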

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | vpn.premrera.com | udp | 1
US | 208.91.197.27:443 | vpn.premrera.com | tcp | 12

One DNS lookup followed by twelve separate TCP connections to the same host and port inside the 140 s window is the beaconing pattern to pivot on; the report does not record the content of those sessions.

Files

memory/240-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp
memory/240-55-0x0000000000400000-0x000000000040D000-memory.dmp
memory/952-56-0x0000000000000000-mapping.dmp
memory/1936-57-0x0000000000000000-mapping.dmp
memory/1428-58-0x0000000000000000-mapping.dmp
memory/240-59-0x0000000000400000-0x000000000040D000-memory.dmp
memory/1112-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
(dropped file; recorded four times in this run, twice as C:\Users\... and twice as \Users\..., all with the same hashes)

MD5 29017d4c24afa23da3ed2ea198c26193
SHA1 e03ceb3ca91d319a28803d7d5a9e72625a04f3f0
SHA256 a4fe850c7142abd40e1d1f2ae994d7911630660329c15ed0f6b96325e70234cc
SHA512 6bf48ae2ef82ac93e3211dc6f7c374a9725eadf57ebfc4ef28325325c95cd882423b47286f909bb49e5eab0a966af52b526034363a5ce3bc68947a4aea192d05

memory/908-65-0x0000000000000000-mapping.dmp
memory/1084-64-0x0000000000000000-mapping.dmp
memory/1936-68-0x0000000000160000-0x000000000016D000-memory.dmp
memory/1936-69-0x0000000000160000-0x000000000016D000-memory.dmp
memory/1936-70-0x0000000000160000-0x000000000016D000-memory.dmp
memory/1936-71-0x0000000000160000-0x000000000016D000-memory.dmp
memory/1084-72-0x0000000000400000-0x000000000040D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-09-06 21:34
Reported: 2022-09-06 21:38
Platform: win10v2004-20220812-en
Max time kernel: 147s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e099a64759ca26fd00eab5a428b9754b.exe"

Signatures

Sakula (trojan rat sakula)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

UPX packed file (upx)

Six hits, none with a recorded description, indicator, process or target.

Adds Run key to start application (persistence)

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Windows\SysWOW64\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1184 wrote to memory of 1644 (3 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\e099a64759ca26fd00eab5a428b9754b.exe | C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 1676 (3 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\e099a64759ca26fd00eab5a428b9754b.exe | C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 1396 (3 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\e099a64759ca26fd00eab5a428b9754b.exe | C:\Windows\SysWOW64\cmd.exe
PID 1396 wrote to memory of 4584 (3 writes) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1644 wrote to memory of 4500 (3 writes) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1676 wrote to memory of 4572 (3 writes) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

The persistence write and the parent/child pairs are the same as on Windows 7. The Deletes itself and Loads dropped DLL signatures did not fire on this image even though the identical ping-and-del command line ran; whether the delete succeeded is not recorded by this run.

Processes

Parent/child relationships and PIDs are taken from the WriteProcessMemory pairs above; indentation shows the tree.

PID 1184  C:\Users\Admin\AppData\Local\Temp\e099a64759ca26fd00eab5a428b9754b.exe
          "C:\Users\Admin\AppData\Local\Temp\e099a64759ca26fd00eab5a428b9754b.exe"
  PID 1644  C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    PID 4500  C:\Windows\SysWOW64\reg.exe
              reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  PID 1676  C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    PID 4572  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
              C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  PID 1396  C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\e099a64759ca26fd00eab5a428b9754b.exe"
    PID 4584  C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1

The tree is identical to the Windows 7 run apart from the PIDs, so the chain does not depend on the Windows version.
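Both runs persist through the same Run value, and on a 64-bit host the 32-bit reg.exe writes it under Wow6432Node, so a host-side check has to read both views. The following Python is an added example (editor's code, not from the report and not a sandbox feature): it parses the text that reg export produces, looks at every key ending in CurrentVersion\Run or RunOnce whichever view it sits in, and flags autostart entries whose executable lives in a directory an unprivileged user can write to. SAMPLE_EXPORT is a constructed export that mirrors this sample's value alongside two ordinary entries; it is not a capture from the sandbox. reg export writes UTF-16 LE, which is why the main block opens real files with the utf-16 codec.

```python
"""Triage the Run keys in a `reg export` file for autostarts that point into user-writable paths.

Covers the native key and the Wow6432Node view that a 32-bit reg.exe writes to on a
64-bit host, which is where this sample's "MicroMedia" value actually lands.
"""
import re
import sys
from typing import Dict, List, Tuple

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.I)
# Directories an unprivileged user can write to; an autostart pointing here is the
# "drop to Temp, persist via Run" pattern. ProgramData is writable at its top level.
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\(?:Local|LocalLow|Roaming)|Users\\Public|Windows\\Temp|ProgramData)\\", re.I
)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key_path: {value_name: data}}. REG_SZ data is unescaped;
    other types (hex(...):) are kept verbatim so they stay visible to a reviewer."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = data
    return keys


def executable_of(data: str) -> str:
    """First token of a Run value: the quoted path if present, else up to the first space."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def suspicious_autostarts(reg_text: str) -> List[Tuple[str, str, str]]:
    """(key, value name, executable) for every Run/RunOnce entry whose target is user-writable."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if not RUN_KEY.search(key):
            continue
        for name, data in values.items():
            exe = executable_of(data)
            if USER_WRITABLE.search(exe):
                findings.append((key, name, exe))
    return findings


# Constructed export mirroring this sample's Run value; not captured from the sandbox.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run]
"MicroMedia"="C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
"VBoxTray"="C:\\Windows\\system32\\VBoxTray.exe"
'''

if __name__ == "__main__":
    # reg export writes UTF-16 LE with a BOM; the utf-16 codec consumes the BOM.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for key, name, exe in suspicious_autostarts(text):
        print(f"{key}  {name} -> {exe}")
```

On a live host, produce the inputs with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run64.reg` and the same for the Wow6432Node path and HKCU, then run the script over each file; an entry in Temp or AppData is not proof of compromise on its own, but with this sample's value name and path it is a direct match.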

Network

Rows are in the order recorded; consecutive repeats of the same row are collapsed into the Count column.

Country | Destination | Domain | Proto | Count
US | 209.197.3.8:80 | (none) | tcp | 1
US | 52.109.8.86:443 | (none) | tcp | 1
US | 93.184.220.29:80 | (none) | tcp | 2
US | 52.168.112.66:443 | (none) | tcp | 1
US | 40.125.122.151:443 | (none) | tcp | 1
US | 8.8.8.8:53 | vpn.premrera.com | udp | 1
US | 208.91.197.27:443 | vpn.premrera.com | tcp | 2
US | 8.252.51.254:80 | (none) | tcp | 1
NL | 104.80.225.205:443 | (none) | tcp | 1
US | 8.8.8.8:53 | 164.2.77.40.in-addr.arpa | udp | 1
US | 208.91.197.27:443 | vpn.premrera.com | tcp | 1
US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp | 1
US | 208.91.197.27:443 | vpn.premrera.com | tcp | 4

Rows with no domain have no recorded DNS lookup in this run, and the two reverse lookups are for 40.77.2.164 and 40.125.122.176. A Windows 10 image also generates background connections of its own, so the destination common to both detonations, vpn.premrera.com on 208.91.197.27:443, is the one to attribute to the sample.

Files

memory/1184-132-0x0000000000400000-0x000000000040D000-memory.dmp
memory/1676-134-0x0000000000000000-mapping.dmp
memory/1644-133-0x0000000000000000-mapping.dmp
memory/1184-136-0x0000000000400000-0x000000000040D000-memory.dmp
memory/1396-135-0x0000000000000000-mapping.dmp
memory/4500-138-0x0000000000000000-mapping.dmp
memory/4584-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
(dropped file; recorded twice in this run with the same hashes)

MD5 032e74979a4bab6fc8a7ad9e2c78b6f9
SHA1 efcdf68f6bb15029cfb6d625485940535898a70e
SHA256 5dd43a2db6896a05ab89a48224712de23964d648bdc0d993b158ac074cc3e47a
SHA512 9b3d8aa5413043127347c41cb9f51000366758250a86a9ce4823bcfbe07fb1b249d06208799e5d89c219a2aca37098caa69bf6772fa4904d20b9947482ba40e6

memory/4572-139-0x0000000000000000-mapping.dmp
memory/4572-142-0x0000000000400000-0x000000000040D000-memory.dmp
memory/4572-143-0x0000000000400000-0x000000000040D000-memory.dmp

This MediaCenter.exe (SHA256 5dd43a2d...) is not byte-identical to the one dropped in the Windows 7 run (SHA256 a4fe850c...), although the path and the Run value are the same; treat the dropped file's hash as run-specific rather than as an indicator.