Malware Analysis Report

2024-12-07 22:10

Sample ID: 221017-kfz31abbc7
Target: d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497
SHA256: d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497
Tags: sakula persistence rat trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497

Threat Level: Known bad

The file d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497 was found to be: Known bad.

Malicious Activity Summary

Tags: sakula persistence rat trojan

- Sakula family
- Sakula payload
- Sakula
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Checks computer location settings
- Adds Run key to start application
- Enumerates physical storage devices
- Runs ping.exe
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-10-17 08:33

Signatures

Sakula family (tag: sakula)

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-10-17 08:33
Reported: 2022-10-17 08:35
Platform: win7-20220812-en
Max time kernel: 134s
Max time network: 116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe"

Signatures

Sakula (tags: trojan rat sakula)

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application (persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 360 wrote to memory of 288 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 360 wrote to memory of 268 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe | C:\Windows\SysWOW64\cmd.exe
PID 268 wrote to memory of 324 (4 identical events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe"

C:\Windows\SysWOW64\PING.EXE
  Command line: ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.polarroute.com | udp
US | 204.11.56.48:80 | www.polarroute.com | tcp
US | 204.11.56.48:80 | www.polarroute.com | tcp
US | 204.11.56.48:80 | www.polarroute.com | tcp
US | 204.11.56.48:80 | www.polarroute.com | tcp
US | 8.8.8.8:53 | www.northpoleroute.com | udp

Files

memory/360-54-0x0000000075771000-0x0000000075773000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: c2010f4e5f3063cbfd83aa2b42a65e70
SHA1: 053f2fb4055d6fd0a320942bfb69e214a56a731a
SHA256: 907bdbceaeae3a61876adebc0517f892859bddcf5a1667ca9eb434b1a1a53220
SHA512: fabb8c8088ae4660048e58b32d013c98c3625ec54cadc7894081cdd3c670ccfc6a0ec81dae586b30b5c681b6399e6b9f97a5b686f540540fe56d1c58d6540f3e

memory/288-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: c2010f4e5f3063cbfd83aa2b42a65e70
SHA1: 053f2fb4055d6fd0a320942bfb69e214a56a731a
SHA256: 907bdbceaeae3a61876adebc0517f892859bddcf5a1667ca9eb434b1a1a53220
SHA512: fabb8c8088ae4660048e58b32d013c98c3625ec54cadc7894081cdd3c670ccfc6a0ec81dae586b30b5c681b6399e6b9f97a5b686f540540fe56d1c58d6540f3e

memory/268-59-0x0000000000000000-mapping.dmp

memory/324-60-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-10-17 08:33
Reported: 2022-10-17 08:35
Platform: win10v2004-20220812-en
Max time kernel: 125s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe"

Signatures

Sakula (tags: trojan rat sakula)

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe | N/A

Adds Run key to start application (persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\d496522fd93ca1cb2bca9979b7868a39cbfb534ba328136a1d674dd8e88cd497.exe"

C:\Windows\SysWOW64\PING.EXE
  Command line: ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.polarroute.com | udp
US | 204.11.56.48:80 | www.polarroute.com | tcp
US | 93.184.220.29:80 |  | tcp
US | 93.184.220.29:80 |  | tcp
US | 8.253.225.254:80 |  | tcp
US | 8.253.225.254:80 |  | tcp
US | 204.11.56.48:80 | www.polarroute.com | tcp
US | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp
US | 209.197.3.8:80 |  | tcp
US | 204.11.56.48:80 | www.polarroute.com | tcp
US | 104.244.42.193:443 |  | tcp
US | 204.11.56.48:80 | www.polarroute.com | tcp
US | 8.8.8.8:53 | www.northpoleroute.com | udp
US | 104.244.42.193:80 |  | tcp
US | 8.8.8.8:53 | www.northpoleroute.com | udp

Files

memory/384-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: 2dcec5c4ffc7687ebac33f5f753e8e2f
SHA1: 45a21bf6e0c52a5eb9134ab0c1dd45fc92037c0f
SHA256: 33c1a371acf01fdd880ad2851e2bee9fc67db7fcff99d7491605654ae42bb0cc
SHA512: a9e6accb4a4e071882ebea37fb432dad7350c38b7d0addc3c5c0f2f41f16466dbac8c2c259c50ee63051422f98d8b669edc1b81f190f82ce2e3432531fc43672

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
MD5: 2dcec5c4ffc7687ebac33f5f753e8e2f
SHA1: 45a21bf6e0c52a5eb9134ab0c1dd45fc92037c0f
SHA256: 33c1a371acf01fdd880ad2851e2bee9fc67db7fcff99d7491605654ae42bb0cc
SHA512: a9e6accb4a4e071882ebea37fb432dad7350c38b7d0addc3c5c0f2f41f16466dbac8c2c259c50ee63051422f98d8b669edc1b81f190f82ce2e3432531fc43672

memory/2528-135-0x0000000000000000-mapping.dmp

memory/3480-136-0x0000000000000000-mapping.dmp