Malware Analysis Report

2024-12-07 22:09

Sample ID 221012-tdwggaada5
Target 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb
SHA256 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb
Tags
sakula persistence rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb

Threat Level: Known bad

The file 1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula family

Sakula

Sakula payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Deletes itself

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-12 15:57

Signatures

Sakula family

sakula

Sakula payload

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-12 15:57

Reported

2022-10-12 16:03

Platform

win7-20220812-en

Max time kernel

132s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe"

Signatures

Sakula

trojan rat sakula

Sakula payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Users\Admin\AppData\Local\Temp\1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1960 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (logged 4 times)
PID 1960 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe C:\Windows\SysWOW64\cmd.exe (logged 4 times)
PID 1372 wrote to memory of 824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE (logged 4 times)

Processes

C:\Users\Admin\AppData\Local\Temp\1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe

"C:\Users\Admin\AppData\Local\Temp\1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 citrix.vipreclod.com udp
TH 184.22.175.13:80 tcp (3 connections)

Files

memory/1960-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 ba6fc00322778c481af31c52e6a5ab2b
SHA1 3485b93912fc95572eb8cae5ef4032ddc0825972
SHA256 43505be548c9fd576f8638bd98fea0c01e939b7512152fefab150c26a09f61c2
SHA512 7a439dd632cbbf41406a7574a098ed8346241ca6d04e271ba608b9c1ca5ccbc941a900dd8ba66808b562eaa3c89d17e1d075fb52782c631b3907c1e739051f81

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (same file and hashes as above)

memory/1968-57-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (same file and hashes as above)

memory/1372-60-0x0000000000000000-mapping.dmp

memory/824-61-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-12 15:57

Reported

2022-10-12 16:03

Platform

win10v2004-20220812-en

Max time kernel

162s

Max time network

183s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe"

Signatures

Sakula

trojan rat sakula

Sakula payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Users\Admin\AppData\Local\Temp\1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe

"C:\Users\Admin\AppData\Local\Temp\1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\1f6999433b7ac1b5e41d71c0922e6472cce3b19665da1da5c9c76c64fbda97fb.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 52.182.143.210:443 tcp
US 8.8.8.8:53 citrix.vipreclod.com udp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 citrix.vipreclod.com udp
US 93.184.220.29:80 tcp (3 connections)
US 8.8.8.8:53 citrix.vipreclod.com udp (2 queries)
TH 184.22.175.13:80 tcp (2 connections)

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 23c8e641882ed3f0e6c729e4c8c03d7b
SHA1 daee1c5a70408a4ba9539d4bca8e5a5447143fa4
SHA256 a63eb1f44d1e7933936a6271b1fd104b4a308983b974369afa47699ad729aea0
SHA512 7235a97955090db1d78287d47b064181a4acf0e09a144fc81fe98191c9fbb0212593ece4e827b6e03653afbb11b862a11675dc49d853e4962ab37eb589fccee9

memory/4752-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (same file and hashes as above)

memory/4472-135-0x0000000000000000-mapping.dmp

memory/4308-136-0x0000000000000000-mapping.dmp