Malware Analysis Report

2024-12-07 22:10

Sample ID 221010-gdzgxaahfm
Target MediaCenter.exe
SHA256 271be9c3df89b518eceeb3be77246d48313bd98299f9c5c76b23bc983521bfc1
Tags: sakula persistence rat trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

271be9c3df89b518eceeb3be77246d48313bd98299f9c5c76b23bc983521bfc1

Threat Level: Known bad

The file MediaCenter.exe was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula

Sakula family

Sakula payload

Executes dropped EXE

Deletes itself

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-10 05:42

Signatures

Sakula family

sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-10 05:42

Reported

2022-10-10 05:54

Platform

win10v2004-20220812-en

Max time kernel

117s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MediaCenter.exe"

Signatures

Sakula

trojan rat sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MediaCenter.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\MediaCenter.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MediaCenter.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MediaCenter.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MediaCenter.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\MediaCenter.exe"

C:\Windows\SysWOW64\PING.EXE
    Command line: ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.238.21.126:80 | - | tcp
US | 20.42.65.90:443 | - | tcp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 93.184.221.240:80 | - | tcp
US | 93.184.221.240:80 | - | tcp
US | 93.184.221.240:80 | - | tcp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | - | tcp
US | 93.184.221.240:80 | - | tcp
TH | 184.22.175.13:80 | - | tcp

Files

memory/2480-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 fd36cdf100c95baa5c39e9a47a65dbca
SHA1 012cf84ce6812850bfb4299149fa42ee54c1b9c2
SHA256 717417974f87ad0168c85c716847c30cfbe62c9843dbb1754ce9c2a9cc32f30a
SHA512 d7041416cd6fbf468403789bafceb68ef49273a3075b5980151b723305a3b93401934f4a08260898201570e4e31c0f329f6302ee54d1e7ca313287ec011bb366

memory/2524-135-0x0000000000000000-mapping.dmp

memory/3832-136-0x0000000000000000-mapping.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-10 05:42

Reported

2022-10-10 05:54

Platform

win7-20220812-en

Max time kernel

131s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MediaCenter.exe"

Signatures

Sakula

trojan rat sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MediaCenter.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MediaCenter.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\MediaCenter.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MediaCenter.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MediaCenter.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MediaCenter.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\MediaCenter.exe"

C:\Windows\SysWOW64\PING.EXE
    Command line: ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | - | tcp
TH | 184.22.175.13:80 | - | tcp
TH | 184.22.175.13:80 | - | tcp

Files

memory/1044-54-0x0000000075501000-0x0000000075503000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 8028ee8c5518482c874d415f6cd9613b
SHA1 64854fd072613b2dd75ee725207eec214baf93e0
SHA256 d1c07fa8c37038f57e511586c2711302ec3b31f8fe178c4fbeeb8984a18a5225
SHA512 f9b514b807fa9add7367ef50761efc469ff6f0e589dc36113a2b36a69d87b268e256ff199ece94a4d9768a6051654693adade03edba055a5922d46fc5b26c889

memory/1904-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 8028ee8c5518482c874d415f6cd9613b
SHA1 64854fd072613b2dd75ee725207eec214baf93e0
SHA256 d1c07fa8c37038f57e511586c2711302ec3b31f8fe178c4fbeeb8984a18a5225
SHA512 f9b514b807fa9add7367ef50761efc469ff6f0e589dc36113a2b36a69d87b268e256ff199ece94a4d9768a6051654693adade03edba055a5922d46fc5b26c889

memory/368-60-0x0000000000000000-mapping.dmp

memory/860-61-0x0000000000000000-mapping.dmp