Malware Analysis Report

2024-12-07 22:09

Sample ID 221012-tes3qsade9
Target 2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c
SHA256 2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c
Tags
sakula persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c

Threat Level: Known bad

The file 2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula

Sakula payload

Sakula family

Executes dropped EXE

Deletes itself

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-12 15:58

Signatures

Sakula family

sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-12 15:58

Reported

2022-10-12 16:02

Platform

win7-20220812-en

Max time kernel

135s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe"

Signatures

Sakula

trojan rat sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1920 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1920 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1920 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1920 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1920 wrote to memory of 856 | N/A | C:\Users\Admin\AppData\Local\Temp\2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe | C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 856 | N/A | C:\Users\Admin\AppData\Local\Temp\2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe | C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 856 | N/A | C:\Users\Admin\AppData\Local\Temp\2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe | C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 856 | N/A | C:\Users\Admin\AppData\Local\Temp\2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe | C:\Windows\SysWOW64\cmd.exe
PID 856 wrote to memory of 1564 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 856 wrote to memory of 1564 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 856 wrote to memory of 1564 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 856 wrote to memory of 1564 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe

"C:\Users\Admin\AppData\Local\Temp\2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 93.184.220.29:80 | | tcp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | | tcp
TH | 184.22.175.13:80 | | tcp
TH | 184.22.175.13:80 | | tcp

Files

memory/1920-54-0x00000000763F1000-0x00000000763F3000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 94e8c427e1f049a255948eae1568ca3e
SHA1 0cebcb0d6da27ed46f912a443fa88502566a8e96
SHA256 c4e5631dc7f5b92fc677d1684dce3ed494ca3169691ceb3315ff6656c35052df
SHA512 7a384b87369cf96671e56528784aa5912d75a525dbf9dcb3a26f34bc6095eafc23bbaf4f4cb0b27eb14697ca031801aa4eccb5f1d02c614874a7095b0dae57bc

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 94e8c427e1f049a255948eae1568ca3e
SHA1 0cebcb0d6da27ed46f912a443fa88502566a8e96
SHA256 c4e5631dc7f5b92fc677d1684dce3ed494ca3169691ceb3315ff6656c35052df
SHA512 7a384b87369cf96671e56528784aa5912d75a525dbf9dcb3a26f34bc6095eafc23bbaf4f4cb0b27eb14697ca031801aa4eccb5f1d02c614874a7095b0dae57bc

memory/1688-57-0x0000000000000000-mapping.dmp

memory/856-60-0x0000000000000000-mapping.dmp

memory/1564-61-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-12 15:58

Reported

2022-10-12 16:03

Platform

win10v2004-20220812-en

Max time kernel

123s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe"

Signatures

Sakula

trojan rat sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe

"C:\Users\Admin\AppData\Local\Temp\2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2c43bc2636af763584c23e31fd1a374b162933b11ed22d6773593896094c1d9c.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 20.44.10.122:443 | | tcp
US | 8.238.21.126:80 | | tcp
US | 8.238.21.126:80 | | tcp
US | 8.238.21.126:80 | | tcp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | | tcp
TH | 184.22.175.13:80 | | tcp

Files

memory/3636-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 a32dda792acb1948bc64f6c3a9523baf
SHA1 fca3afb06d88ce07cfc1eda35602e10df4c74328
SHA256 591dc07659745b1c11662ad0fbb7b55b88753813886f03afa196948ffcdbdb7b
SHA512 6c7804cdb65b5110fbb1769dccfb5c63f5c7246978205a5278da55769dfc51a2d37b45d15b62e0ba87f1810564881decb4134ee61a980923dcc92609f2ca7d3e

memory/2608-135-0x0000000000000000-mapping.dmp

memory/4352-136-0x0000000000000000-mapping.dmp