Malware Analysis Report

2024-12-07 22:10

Sample ID 220908-ynapzacghm
Target bed112b385fa1c816dee97964167fad7
SHA256 b9b4486fce211476beef8da8b0719448514741c0d66241f33c043bfe52921232
Tags: sakula persistence rat trojan upx
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: b9b4486fce211476beef8da8b0719448514741c0d66241f33c043bfe52921232

Threat Level: Known bad

The file bed112b385fa1c816dee97964167fad7 was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan upx

Sakula

Executes dropped EXE

UPX packed file

Deletes itself

Loads dropped DLL

Adds Run key to start application

Suspicious use of WriteProcessMemory

Modifies registry key

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-09-08 19:55

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2022-09-08 19:55
Reported: 2022-09-08 19:58
Platform: win10v2004-20220812-en
Max time kernel: 140s
Max time network: 135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe"

Signatures

Sakula

trojan rat sakula

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 900 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe C:\Windows\SysWOW64\cmd.exe
PID 900 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe C:\Windows\SysWOW64\cmd.exe
PID 900 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe C:\Windows\SysWOW64\cmd.exe
PID 900 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe C:\Windows\SysWOW64\cmd.exe
PID 900 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe C:\Windows\SysWOW64\cmd.exe
PID 900 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe C:\Windows\SysWOW64\cmd.exe
PID 900 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe C:\Windows\SysWOW64\cmd.exe
PID 900 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe C:\Windows\SysWOW64\cmd.exe
PID 900 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 3232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1996 wrote to memory of 3232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1996 wrote to memory of 3232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1300 wrote to memory of 1432 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1300 wrote to memory of 1432 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1300 wrote to memory of 1432 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 2392 wrote to memory of 3892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2392 wrote to memory of 3892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2392 wrote to memory of 3892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe

"C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 vpn.premrera.com udp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp

Files

memory/900-132-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2392-135-0x0000000000000000-mapping.dmp

memory/1300-134-0x0000000000000000-mapping.dmp

memory/1996-133-0x0000000000000000-mapping.dmp

memory/900-136-0x0000000000400000-0x000000000040D000-memory.dmp

memory/3892-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 4ae7245e883fd3821505764a1a8d3a1a
SHA1 e98d7c1bd4bddeec1f62a0c45ee7638d2d484ec6
SHA256 d6d87680bac57a16d1b0f5753de2188e19eadfdf17919454ba4467bcb013320f
SHA512 0db424076874f9c815d215fbfb4090424f666506c9a90c1e6738552a4b02df1235f77613a0fe6519fdd754b4201fe677362315cd41d62db6593eac97adfd509a

memory/1432-138-0x0000000000000000-mapping.dmp

memory/3232-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 4ae7245e883fd3821505764a1a8d3a1a
SHA1 e98d7c1bd4bddeec1f62a0c45ee7638d2d484ec6
SHA256 d6d87680bac57a16d1b0f5753de2188e19eadfdf17919454ba4467bcb013320f
SHA512 0db424076874f9c815d215fbfb4090424f666506c9a90c1e6738552a4b02df1235f77613a0fe6519fdd754b4201fe677362315cd41d62db6593eac97adfd509a

Analysis: behavioral1

Detonation Overview

Submitted: 2022-09-08 19:55
Reported: 2022-09-08 19:58
Platform: win7-20220812-en
Max time kernel: 127s
Max time network: 130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe"

Signatures

Sakula

trojan rat sakula

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 864 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1676 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1676 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1676 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1676 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1076 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1076 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1076 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1076 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe

"C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\bed112b385fa1c816dee97964167fad7.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 vpn.premrera.com udp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp
US 208.91.197.27:443 vpn.premrera.com tcp

Files

memory/864-54-0x0000000076321000-0x0000000076323000-memory.dmp

memory/864-55-0x0000000000400000-0x000000000040D000-memory.dmp

memory/1960-56-0x0000000000000000-mapping.dmp

memory/1676-57-0x0000000000000000-mapping.dmp

memory/864-59-0x0000000000400000-0x000000000040D000-memory.dmp

memory/1076-58-0x0000000000000000-mapping.dmp

memory/2020-64-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 24998c234d2e8f10c9a6ea01b22dac94
SHA1 257676214018f04972660ff9d80baaea0c628d08
SHA256 04f6ab5b32fad2e3a2d883e856dfee37f8b81a536149f8e0f0f6f95a9d512fc5
SHA512 d7d39eb61683dce7c46dd47875e702e59592d765cfc93efab117a1330b8c5f9e00fbc5f7d516da4fe209ef084aafd87252d97a4ec92e4053310f8a20b16046d7

memory/2032-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 24998c234d2e8f10c9a6ea01b22dac94
SHA1 257676214018f04972660ff9d80baaea0c628d08
SHA256 04f6ab5b32fad2e3a2d883e856dfee37f8b81a536149f8e0f0f6f95a9d512fc5
SHA512 d7d39eb61683dce7c46dd47875e702e59592d765cfc93efab117a1330b8c5f9e00fbc5f7d516da4fe209ef084aafd87252d97a4ec92e4053310f8a20b16046d7

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 24998c234d2e8f10c9a6ea01b22dac94
SHA1 257676214018f04972660ff9d80baaea0c628d08
SHA256 04f6ab5b32fad2e3a2d883e856dfee37f8b81a536149f8e0f0f6f95a9d512fc5
SHA512 d7d39eb61683dce7c46dd47875e702e59592d765cfc93efab117a1330b8c5f9e00fbc5f7d516da4fe209ef084aafd87252d97a4ec92e4053310f8a20b16046d7

memory/1772-65-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 24998c234d2e8f10c9a6ea01b22dac94
SHA1 257676214018f04972660ff9d80baaea0c628d08
SHA256 04f6ab5b32fad2e3a2d883e856dfee37f8b81a536149f8e0f0f6f95a9d512fc5
SHA512 d7d39eb61683dce7c46dd47875e702e59592d765cfc93efab117a1330b8c5f9e00fbc5f7d516da4fe209ef084aafd87252d97a4ec92e4053310f8a20b16046d7

memory/1676-68-0x0000000000170000-0x000000000017D000-memory.dmp

memory/1676-69-0x0000000000170000-0x000000000017D000-memory.dmp

memory/1676-70-0x0000000000170000-0x000000000017D000-memory.dmp

memory/1676-71-0x0000000000170000-0x000000000017D000-memory.dmp

memory/2020-72-0x0000000000400000-0x000000000040D000-memory.dmp