Malware Analysis Report

2024-11-13 18:44

Sample ID 231015-ydkgesed73
Target 7e9c917a00d385169f54f0302f39adb0_exe32.exe
SHA256 1d9deea1f2460ec87569b0af5f2693a0b36a80aacdedda1ecce870bb56749de2
Tags
sakula persistence rat trojan
score
10/10


Analysis Overview

score
10/10

SHA256

1d9deea1f2460ec87569b0af5f2693a0b36a80aacdedda1ecce870bb56749de2

Threat Level: Known bad

The file 7e9c917a00d385169f54f0302f39adb0_exe32.exe was found to be: Known bad.

Malicious Activity Summary

sakula persistence rat trojan

Sakula

Loads dropped DLL

Deletes itself

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Modifies registry key

Runs ping.exe

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2023-10-15 19:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-15 19:40

Reported

2023-10-15 21:28

Platform

win7-20230831-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7e9c917a00d385169f54f0302f39adb0_exe32.exe"

Signatures

Sakula

trojan rat sakula

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\7e9c917a00d385169f54f0302f39adb0_exe32.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\7e9c917a00d385169f54f0302f39adb0_exe32.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 2316 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3044 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\7e9c917a00d385169f54f0302f39adb0_exe32.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\7e9c917a00d385169f54f0302f39adb0_exe32.exe

"C:\Users\Admin\AppData\Local\Temp\7e9c917a00d385169f54f0302f39adb0_exe32.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\7e9c917a00d385169f54f0302f39adb0_exe32.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.we11point.com udp

Files

memory/3044-0-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3044-1-0x0000000000400000-0x000000000040A000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 5b0ab64f321785bd97c4d02f11e982f5
SHA1 a1bb7cf5906c951064d7fccb0e7a14a553b80f72
SHA256 0a7657b069f1d847846ed3f9bb492cf7e08d45141bca4828ad036eb9fc464515
SHA512 d6d5653019866b6c4002e07859b3a5fa61ff79fc99dbfa2391a0fb17bc086d3eae2dde15448d3d7239d000e33ca82e2934dceeeb7245a46e4351b24c1a57c338

memory/3044-9-0x0000000000220000-0x000000000022A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 5b0ab64f321785bd97c4d02f11e982f5
SHA1 a1bb7cf5906c951064d7fccb0e7a14a553b80f72
SHA256 0a7657b069f1d847846ed3f9bb492cf7e08d45141bca4828ad036eb9fc464515
SHA512 d6d5653019866b6c4002e07859b3a5fa61ff79fc99dbfa2391a0fb17bc086d3eae2dde15448d3d7239d000e33ca82e2934dceeeb7245a46e4351b24c1a57c338

memory/3028-11-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3044-12-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-15 19:40

Reported

2023-10-15 21:29

Platform

win10v2004-20230915-en

Max time kernel

133s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7e9c917a00d385169f54f0302f39adb0_exe32.exe"

Signatures

Sakula

trojan rat sakula

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2292 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\7e9c917a00d385169f54f0302f39adb0_exe32.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\7e9c917a00d385169f54f0302f39adb0_exe32.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1968 wrote to memory of 3304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2292 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\7e9c917a00d385169f54f0302f39adb0_exe32.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\7e9c917a00d385169f54f0302f39adb0_exe32.exe

"C:\Users\Admin\AppData\Local\Temp\7e9c917a00d385169f54f0302f39adb0_exe32.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\7e9c917a00d385169f54f0302f39adb0_exe32.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 254.210.247.8.in-addr.arpa udp
US 8.8.8.8:53 www.we11point.com udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

memory/2292-0-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2292-1-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2292-2-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 fc924aab1fb46bda3717763f199fddf9
SHA1 99c757316f971ec28bc2706c5cda6026cc3e0bd2
SHA256 aaf160d344c990e4e9760a8842b4f7a19035a18266c045975fa673016e5527e3
SHA512 f22ae603a444b90ea228419d3d0477f457fa00f5d13575a96ab5717317b1f878d555a49bc9c4ebdb0a2cea95ae9837ea859a7f7720c46f634d1aebb744fb9997

memory/4928-7-0x0000000000400000-0x000000000040A000-memory.dmp