Malware Analysis Report

2024-12-07 22:09

Sample ID: 221013-bvmlsaaee5
Target: e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54
SHA256: e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54
Tags: sakula persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54
Threat Level: Known bad

The file e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54 was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula family

Sakula

Sakula payload

Executes dropped EXE

Deletes itself

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-10-13 01:28

Signatures

Sakula family

sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-10-13 01:28
Reported: 2022-10-13 01:34
Platform: win7-20220901-en
Max time kernel: 128s
Max time network: 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe"

Signatures

Sakula

trojan rat sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1416 wrote to memory of 1188 | N/A | C:\Users\Admin\AppData\Local\Temp\e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1416 wrote to memory of 1188 | N/A | C:\Users\Admin\AppData\Local\Temp\e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1416 wrote to memory of 1188 | N/A | C:\Users\Admin\AppData\Local\Temp\e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1416 wrote to memory of 1188 | N/A | C:\Users\Admin\AppData\Local\Temp\e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1416 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe | C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe | C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe | C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe | C:\Windows\SysWOW64\cmd.exe
PID 1524 wrote to memory of 2016 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1524 wrote to memory of 2016 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1524 wrote to memory of 2016 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1524 wrote to memory of 2016 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe

"C:\Users\Admin\AppData\Local\Temp\e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | | tcp
TH | 184.22.175.13:80 | | tcp

Files

memory/1416-54-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 217486ab83d42ca6ae98a076e01915de
SHA1 6e111501ab7eac06bb05d037729d6c5c60302c33
SHA256 527395dc5151e7f70376fe2bbe8a96ae24fe1cb0852bfc227eebf874fb8cd2f6
SHA512 c93be87c09653aae255563fd9c869806666bfbb5511519bc88acee809759341e12ff6541234484216fac09a0b40bc5b37bc7da6c996e9ce29a1c5977d0396a6d

memory/1188-57-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 217486ab83d42ca6ae98a076e01915de
SHA1 6e111501ab7eac06bb05d037729d6c5c60302c33
SHA256 527395dc5151e7f70376fe2bbe8a96ae24fe1cb0852bfc227eebf874fb8cd2f6
SHA512 c93be87c09653aae255563fd9c869806666bfbb5511519bc88acee809759341e12ff6541234484216fac09a0b40bc5b37bc7da6c996e9ce29a1c5977d0396a6d

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 217486ab83d42ca6ae98a076e01915de
SHA1 6e111501ab7eac06bb05d037729d6c5c60302c33
SHA256 527395dc5151e7f70376fe2bbe8a96ae24fe1cb0852bfc227eebf874fb8cd2f6
SHA512 c93be87c09653aae255563fd9c869806666bfbb5511519bc88acee809759341e12ff6541234484216fac09a0b40bc5b37bc7da6c996e9ce29a1c5977d0396a6d

memory/1524-60-0x0000000000000000-mapping.dmp

memory/2016-61-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-10-13 01:28
Reported: 2022-10-13 01:34
Platform: win10v2004-20220812-en
Max time kernel: 129s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe"

Signatures

Sakula

trojan rat sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe

"C:\Users\Admin\AppData\Local\Temp\e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\e84e3f69364a3aa00fee5e5f24744d77ac01c026b004756ca65e19a891f4de54.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
NL | 178.79.208.1:80 | | tcp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 93.184.220.29:80 | | tcp
US | 93.184.220.29:80 | | tcp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
NL | 104.80.225.205:443 | | tcp
US | 20.42.73.26:443 | | tcp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | | tcp
TH | 184.22.175.13:80 | | tcp

Files

memory/4540-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 75cf4b8c02161fa358ffe3e6cf748b80
SHA1 d58f77e27238fd20063df2665f4269185e96e5d9
SHA256 d6195ce720c788f614a7775a19a4a81aee2043925489e2fba3a293cccb19d6b8
SHA512 fd9061de9acdc30208ffa27e64ad2047a485898e73faff5136a156cf725df7f418b630b28d90b5a7be57e847065e47986df52bb2b8c70740d30add2cf2be4d35

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 75cf4b8c02161fa358ffe3e6cf748b80
SHA1 d58f77e27238fd20063df2665f4269185e96e5d9
SHA256 d6195ce720c788f614a7775a19a4a81aee2043925489e2fba3a293cccb19d6b8
SHA512 fd9061de9acdc30208ffa27e64ad2047a485898e73faff5136a156cf725df7f418b630b28d90b5a7be57e847065e47986df52bb2b8c70740d30add2cf2be4d35

memory/4884-135-0x0000000000000000-mapping.dmp

memory/4692-136-0x0000000000000000-mapping.dmp