Malware Analysis Report

2024-12-07 22:09

Sample ID 220906-1fhrqafgak
Target b94c34b47ff7bb61ad8b70f18de510c7
SHA256 6cb97cb356491c601fe9b104bdeeb12351741ab13c77ce335bbb5c4981d13323
Tags upx sakula persistence rat trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256

6cb97cb356491c601fe9b104bdeeb12351741ab13c77ce335bbb5c4981d13323

Threat Level: Known bad

The file b94c34b47ff7bb61ad8b70f18de510c7 was found to be: Known bad.

Malicious Activity Summary

upx sakula persistence rat trojan

Observed chain (identical in both detonations): the UPX-packed sample writes MediaCenter.exe to C:\Users\Admin\AppData\Local\Temp\MicroMedia\ and spawns three cmd.exe children. One runs reg.exe to add a Run value named "MicroMedia" pointing at the dropped file, one launches the dropped file, and one runs `ping 127.0.0.1 & del "<sample path>"`, where the ping only serves as a delay so that the original file can be deleted once the sample has exited. The win10 run additionally shows DNS resolution of vpn.premrera.com and repeated TCP connections to 208.91.197.27:443; the shorter win7 run recorded no network activity.

Sakula

Executes dropped EXE

UPX packed file

Deletes itself

Loads dropped DLL

Adds Run key to start application

Modifies registry key

Runs ping.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-09-06 21:35

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
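The static signature above fires on UPX's file-format fingerprints. As an added check, not part of the sandbox report or its signature engine, the following Python walks a PE's section table by hand and combines three independent UPX tells (the UPX0/UPX1 section names, a first section that occupies address space but has no bytes on disk, and the "UPX!" magic that the UPX stub header carries), so that a sample whose packer sections have been renamed is still flagged. The fixtures are header-only PE blobs constructed inline for the example, not bytes from this sample.

```python
import struct
from dataclasses import dataclass


@dataclass
class Section:
    name: str
    virtual_size: int
    raw_size: int


def parse_sections(data: bytes) -> list[Section]:
    """Walk the PE section table by hand: MZ -> e_lfanew -> PE\\0\\0 -> COFF header -> section headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        virtual_size, _rva, raw_size = struct.unpack_from("<III", data, off + 8)
        sections.append(Section(name, virtual_size, raw_size))
    return sections


def upx_indicators(data: bytes) -> dict:
    """Three independent tells; the section-name one is the weakest because UPX's names are trivially renamed."""
    secs = parse_sections(data)
    return {
        "sections": [s.name for s in secs],
        "upx_section_names": any(s.name.startswith("UPX") for s in secs),
        # UPX0 is the unpacking target: it has a VirtualSize but SizeOfRawData == 0.
        "empty_first_section": bool(secs) and secs[0].raw_size == 0 and secs[0].virtual_size > 0,
        # The UPX stub keeps a "UPX!" magic in its l_info/p_info header; it survives a section rename.
        "upx_magic": b"UPX!" in data,
    }


def looks_upx_packed(data: bytes) -> bool:
    ind = upx_indicators(data)
    return ind["upx_section_names"] or (ind["empty_first_section"] and ind["upx_magic"])


def build_minimal_pe(sections: list[Section], trailer: bytes = b"") -> bytes:
    """Constructed fixture: a header-only PE32 carrying the given section table. Not a runnable binary."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional_header = b"\0" * 0xE0  # sizeof(IMAGE_OPTIONAL_HEADER32)
    coff_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(optional_header), 0x102)
    table = b""
    for s in sections:
        table += s.name.encode("ascii").ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", s.virtual_size, 0x1000, s.raw_size, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos_header + b"PE\0\0" + coff_header + optional_header + table + trailer


# Constructed samples for the example (not bytes from the page's binary).
UPX_LIKE = build_minimal_pe(
    [Section("UPX0", 0x8000, 0), Section("UPX1", 0x3000, 0x2E00), Section(".rsrc", 0x1000, 0x200)],
    trailer=b"UPX!")
UPX_RENAMED = build_minimal_pe(
    [Section(".text", 0x8000, 0), Section(".data", 0x3000, 0x2E00)], trailer=b"UPX!")
PLAIN = build_minimal_pe([Section(".text", 0x1000, 0x1000), Section(".data", 0x400, 0x200)])

if __name__ == "__main__":
    for label, blob in (("upx", UPX_LIKE), ("renamed", UPX_RENAMED), ("plain", PLAIN)):
        print(label, looks_upx_packed(blob), upx_indicators(blob))
```

Run it against a real file with `looks_upx_packed(open(path, "rb").read())`. Treat the result as a triage hint only: a modified UPX build or a custom packer can defeat all three checks, and only unpacking (or the behavioural run) establishes what the payload is.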

Analysis: behavioral1

Detonation Overview

Submitted 2022-09-06 21:35
Reported 2022-09-06 21:38
Platform win7-20220812-en
Max time kernel 36s
Max time network 42s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe"

Signatures

Sakula

trojan rat sakula

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Windows\SysWOW64\reg.exe N/A

Note that the reg.exe command line (see Processes) names HKLM\Software\Microsoft\Windows\CurrentVersion\Run without Wow6432Node; the 32-bit reg.exe from SysWOW64 is subject to WOW64 registry redirection, which is why the value lands under Wow6432Node here. Windows starts entries from both Run keys at logon, so a hunt or cleanup must check both HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1316 wrote to memory of 812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1316 wrote to memory of 812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1316 wrote to memory of 812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1136 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1136 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1136 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1136 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1172 wrote to memory of 1148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1172 wrote to memory of 1148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1172 wrote to memory of 1148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1172 wrote to memory of 1148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe

"C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
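In the WriteProcessMemory rows above each parent-to-child write coincides with the parent spawning that child, so the rows are enough to rebuild the process tree. The following Python is an added example, not output or tooling from the sandbox: it collapses the repeated rows into parent/child edges, attaches the cmd.exe command lines from the Processes section to their PIDs by matching the first token after `/c` to the child's image name (an assumption that holds for this report, not a general rule, since the page lists command lines without PIDs), and tags each command line with the persistence and self-deletion patterns seen here. The ATT&CK technique IDs in the rule names are the editor's mapping, not from the page; the rows and command lines are embedded as constructed input.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# One sandbox row per WriteProcessMemory call:
# "PID <parent> wrote to memory of <child> N/A <parent image> <child image>"
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Constructed input: the behavioral1 rows from this page (the sandbox repeats each edge; one duplicate kept to show de-duplication).
WPM_ROWS = r"""
PID 1928 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1136 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1172 wrote to memory of 1148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
"""

# Constructed input: the three cmd.exe command lines from the Processes section (listed there without PIDs).
CMD_LINES = [
    r'cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"',
    r'cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"',
    r'cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe"',
]

# Editor's rules for the two behaviours this report shows; the technique IDs are the editor's mapping.
RULES = {
    "T1547.001 Run-key persistence via reg.exe": re.compile(r"\breg(?:\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I),
    "T1070.004 self-delete after ping delay": re.compile(r"\bping\s+127\.0\.0\.1\b.*&\s*del\s+", re.I),
}


def parse_events(text: str):
    """Return image-by-PID, children-by-PID and the root PIDs, one edge per parent/child pair."""
    image, parent, children = {}, {}, defaultdict(list)
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        ppid, cpid, pimg, cimg = int(m[1]), int(m[2]), m[3], m[4]
        image[ppid], image[cpid] = pimg, cimg
        if cpid not in parent:  # the sandbox logs every write; keep one edge per child
            parent[cpid] = ppid
            children[ppid].append(cpid)
    roots = [pid for pid in image if pid not in parent]
    return image, dict(children), roots


def payload_head(cmd_line: str) -> str:
    """Stem of the first token after `cmd.exe /c` (assumption: that token names the child cmd.exe spawns)."""
    body = re.sub(r"^cmd\.exe\s+/c\s+", "", cmd_line, flags=re.I)
    return PureWindowsPath(body.split()[0].strip('"')).stem.lower()


def attach_command_lines(image, children, cmd_lines):
    """Map each cmd.exe PID to the command line whose payload names one of its children."""
    assigned = {}
    for pid, img in image.items():
        if PureWindowsPath(img).name.lower() != "cmd.exe":
            continue
        child_stems = {PureWindowsPath(image[c]).stem.lower() for c in children.get(pid, [])}
        for cl in cmd_lines:
            if payload_head(cl) in child_stems:
                assigned[pid] = cl
                break
    return assigned


def classify(cmd_line: str) -> list[str]:
    return [name for name, rx in RULES.items() if rx.search(cmd_line)]


def render_tree(image, children, cmds, pid, depth=0) -> list[str]:
    hits = classify(cmds[pid]) if pid in cmds else []
    label = f"{'    ' * depth}{pid}  {PureWindowsPath(image[pid]).name}"
    if hits:
        label += "   <- " + "; ".join(hits)
    lines = [label]
    for child in children.get(pid, []):
        lines += render_tree(image, children, cmds, child, depth + 1)
    return lines


def analyse(text=WPM_ROWS, cmd_lines=CMD_LINES):
    image, children, roots = parse_events(text)
    cmds = attach_command_lines(image, children, cmd_lines)
    tree = [line for r in roots for line in render_tree(image, children, cmds, r)]
    findings = {pid: classify(cl) for pid, cl in cmds.items()}
    return tree, findings


if __name__ == "__main__":
    tree, findings = analyse()
    print("\n".join(tree))
```

The same code applies unchanged to the behavioral2 rows (PIDs 3348, 396, 2260, 1432 and their children); only the PID numbers differ, which is itself a useful sanity check that the two platforms produced the same chain.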

Network

N/A (no network activity was captured in this 42-second win7 run). Compare behavioral2, where the same sample resolves vpn.premrera.com and repeatedly connects to 208.91.197.27:443 over a 155-second window; a quiet network column in one detonation is a property of that run, not evidence that the sample has no C2.

Files

memory/1928-54-0x00000000762B1000-0x00000000762B3000-memory.dmp

memory/1928-55-0x0000000000400000-0x000000000040D000-memory.dmp

memory/1928-56-0x0000000000400000-0x000000000040D000-memory.dmp

memory/1172-57-0x0000000000000000-mapping.dmp

memory/1316-58-0x0000000000000000-mapping.dmp

memory/1136-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
(recorded four times, twice as C:\Users\... and twice as \Users\...; all four entries carry the same hashes)

MD5 b1e367b777f6882bae549f5ea05808bd
SHA1 189a8b701613fc666aeac735f9aae2f90e349557
SHA256 923e19006557b4c7e2a0a070ab85cbeff30c1116f25b83f05927919d527e1935
SHA512 8cf1b5ce7f7e94094ac72cc7a122c3ea25a9db54c627413a46c51fd678c21c7fa33d2fa91309aad64e8fab105d92329f364489f7fa1f8196be6ce48df5296a61

memory/812-63-0x0000000000000000-mapping.dmp

memory/2028-66-0x0000000000000000-mapping.dmp

memory/1148-67-0x0000000000000000-mapping.dmp

memory/1316-68-0x0000000000130000-0x000000000013D000-memory.dmp

memory/1316-69-0x0000000000130000-0x000000000013D000-memory.dmp

memory/812-70-0x0000000000400000-0x000000000040D000-memory.dmp

memory/1316-71-0x0000000000130000-0x000000000013D000-memory.dmp

memory/1316-72-0x0000000000130000-0x000000000013D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2022-09-06 21:35
Reported 2022-09-06 21:38
Platform win10v2004-20220901-en
Max time kernel 130s
Max time network 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe"

Signatures

Sakula

trojan rat sakula

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3348 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe C:\Windows\SysWOW64\cmd.exe
PID 3348 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe C:\Windows\SysWOW64\cmd.exe
PID 3348 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe C:\Windows\SysWOW64\cmd.exe
PID 3348 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe C:\Windows\SysWOW64\cmd.exe
PID 3348 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe C:\Windows\SysWOW64\cmd.exe
PID 3348 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe C:\Windows\SysWOW64\cmd.exe
PID 3348 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe C:\Windows\SysWOW64\cmd.exe
PID 3348 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe C:\Windows\SysWOW64\cmd.exe
PID 3348 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 3752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 2260 wrote to memory of 3752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 2260 wrote to memory of 3752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1432 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1432 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1432 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 396 wrote to memory of 4440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 396 wrote to memory of 4440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 396 wrote to memory of 4440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe

"C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\b94c34b47ff7bb61ad8b70f18de510c7.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
NL 104.80.225.205:443 tcp
GB 51.132.193.104:443 tcp
US 8.8.8.8:53 vpn.premrera.com udp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 208.91.197.27:443 vpn.premrera.com tcp
NL 67.26.111.254:80 tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
NL 67.26.111.254:80 tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
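Only one destination in the table above is tied to a resolved name (vpn.premrera.com, reached at 208.91.197.27:443 after a lookup through 8.8.8.8); the other hosts carry no domain on this page and cannot be attributed from the report alone. As an added example, not tooling from the sandbox, the following Python parses the rows, counts connections per destination, separates the DNS lookup from the resolved connections, and emits an IOC list that deliberately excludes the resolver and the unattributed hosts. The 22 rows are embedded verbatim as constructed input.

```python
import re
from collections import Counter, defaultdict

# Row shape on the page: "<country> <ip>:<port> [<domain>] <proto>"; the domain column is empty for most rows.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?:(?P<domain>[A-Za-z0-9.-]+)\s+)?(?P<proto>tcp|udp)$"
)

# Constructed input: the behavioral2 Network table from this page, in the order shown.
NETWORK_ROWS = """
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
NL 104.80.225.205:443 tcp
GB 51.132.193.104:443 tcp
US 8.8.8.8:53 vpn.premrera.com udp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 208.91.197.27:443 vpn.premrera.com tcp
NL 67.26.111.254:80 tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
NL 67.26.111.254:80 tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
"""


def parse_rows(text: str) -> list[dict]:
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def is_dns(row: dict) -> bool:
    return row["proto"] == "udp" and row["port"] == 53


def summarise(rows):
    """Connection count per (ip, port, proto), plus the names the sandbox tied to each destination."""
    counts = Counter((r["ip"], r["port"], r["proto"]) for r in rows)
    names = defaultdict(set)
    for r in rows:
        if r["domain"]:
            names[(r["ip"], r["port"], r["proto"])].add(r["domain"])
    return counts, dict(names)


def c2_candidates(rows):
    """Non-DNS destinations the sandbox associated with a resolved name: the only ones this report lets us attribute."""
    return sorted({(r["domain"], r["ip"], r["port"], r["proto"]) for r in rows if r["domain"] and not is_dns(r)})


def dns_lookups(rows):
    return sorted({(r["domain"], r["ip"]) for r in rows if r["domain"] and is_dns(r)})


def unattributed(rows):
    """Destinations with no name on the page: background OS traffic or further C2, the report cannot say which."""
    return sorted({(r["ip"], r["port"], r["proto"]) for r in rows if not r["domain"]})


def iocs(rows):
    """Flat block/hunt list; excludes the public resolver and the unattributed hosts on purpose."""
    out = set()
    for domain, ip, _port, _proto in c2_candidates(rows):
        out.add(("domain", domain))
        out.add(("ip", ip))
    return sorted(out)


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    counts, names = summarise(rows)
    for key, n in counts.most_common():
        print(f"{n:3d}x {key[0]}:{key[1]}/{key[2]}  {','.join(sorted(names.get(key, []))) or '-'}")
    print("C2 candidates:", c2_candidates(rows))
    print("DNS lookups:", dns_lookups(rows))
    print("unattributed:", unattributed(rows))
    print("IOCs:", iocs(rows))
```

The unattributed list is the part to follow up rather than discard: the report shows no lookup for those addresses, which may mean they were reached by something other than the sample, resolved before the capture window, or contacted by address directly.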

Files

memory/3348-135-0x0000000000400000-0x000000000040D000-memory.dmp

memory/396-136-0x0000000000000000-mapping.dmp

memory/2260-137-0x0000000000000000-mapping.dmp

memory/1432-138-0x0000000000000000-mapping.dmp

memory/3348-139-0x0000000000400000-0x000000000040D000-memory.dmp

memory/3752-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
(recorded twice with identical hashes)

MD5 1aed8064522cf6be4ca5c511322c037f
SHA1 960dd569304c70868dc3a5e968c873bfa8bd8168
SHA256 0651c0321b93bf70b1ca920fdbe9b25ba1aaaec734249c4afb43dcfc34f3d6f9
SHA512 aa5c6596ec1b5a020622820d91332e54e84141a34164fe735dc9763d84a381891af43aa7674b776691e75f4a9180062be79ec616afc7e79e97eb2d198a7d6968

Note that these hashes differ from those of the MediaCenter.exe dropped in behavioral1 (SHA256 923e19006557b4c7e2a0a070ab85cbeff30c1116f25b83f05927919d527e1935 there, 0651c0321b93bf70b1ca920fdbe9b25ba1aaaec734249c4afb43dcfc34f3d6f9 here) although both runs detonated the same sample, so the dropped file is not byte-identical across runs. Key detections on the parent sample hash, the drop path, the "MicroMedia" Run value and the C2 domain rather than on the dropped-file hash alone.

memory/4440-144-0x0000000000000000-mapping.dmp

memory/4468-142-0x0000000000000000-mapping.dmp