Malware Analysis Report

2024-12-07 22:05

Sample ID 241119-b6tt8szblm
Target cc1b7c9eada68beb4ff0f0ba2f066c0e.bin
SHA256 e0f7c3fdefa3832d5ef5558ea7adb407a9260f7a2d3f5194ce407f31f7c77d58
Tags
sakula discovery persistence rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

e0f7c3fdefa3832d5ef5558ea7adb407a9260f7a2d3f5194ce407f31f7c77d58

Threat Level: Known bad

The file cc1b7c9eada68beb4ff0f0ba2f066c0e.bin was found to be: Known bad.

Malicious Activity Summary

sakula discovery persistence rat trojan

Sakula family

Sakula

Sakula payload

Deletes itself

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Analysis: static1

Detonation Overview

Reported

2024-11-19 01:45

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-19 01:45

Reported

2024-11-19 01:48

Platform

win7-20241010-en

Max time kernel

145s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0cbb5e112654c75d39beb00b12f773b7ea44931b6524f8071bdedd91eb7e8efb.exe"

Signatures

Sakula

trojan rat sakula

Sakula family

sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\0cbb5e112654c75d39beb00b12f773b7ea44931b6524f8071bdedd91eb7e8efb.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0cbb5e112654c75d39beb00b12f773b7ea44931b6524f8071bdedd91eb7e8efb.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0cbb5e112654c75d39beb00b12f773b7ea44931b6524f8071bdedd91eb7e8efb.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2116 wrote to memory of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\0cbb5e112654c75d39beb00b12f773b7ea44931b6524f8071bdedd91eb7e8efb.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 2116 wrote to memory of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\0cbb5e112654c75d39beb00b12f773b7ea44931b6524f8071bdedd91eb7e8efb.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 2116 wrote to memory of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\0cbb5e112654c75d39beb00b12f773b7ea44931b6524f8071bdedd91eb7e8efb.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 2116 wrote to memory of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\0cbb5e112654c75d39beb00b12f773b7ea44931b6524f8071bdedd91eb7e8efb.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 2116 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\0cbb5e112654c75d39beb00b12f773b7ea44931b6524f8071bdedd91eb7e8efb.exe | C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\0cbb5e112654c75d39beb00b12f773b7ea44931b6524f8071bdedd91eb7e8efb.exe | C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\0cbb5e112654c75d39beb00b12f773b7ea44931b6524f8071bdedd91eb7e8efb.exe | C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\0cbb5e112654c75d39beb00b12f773b7ea44931b6524f8071bdedd91eb7e8efb.exe | C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2920 wrote to memory of 2864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2920 wrote to memory of 2864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2920 wrote to memory of 2864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\0cbb5e112654c75d39beb00b12f773b7ea44931b6524f8071bdedd91eb7e8efb.exe

"C:\Users\Admin\AppData\Local\Temp\0cbb5e112654c75d39beb00b12f773b7ea44931b6524f8071bdedd91eb7e8efb.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0cbb5e112654c75d39beb00b12f773b7ea44931b6524f8071bdedd91eb7e8efb.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | | tcp
TH | 184.22.175.13:80 | | tcp
TH | 184.22.175.13:80 | | tcp

Files

memory/2116-0-0x0000000000400000-0x000000000041A000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 3d593bf66bfe92ceef711e8487ab0d55
SHA1 e5e6c94778bbfe431284f8e31dd5c84b69fc5270
SHA256 5e33410ed722c918ed8ff8e7639e29e9627a8899c3c943913cd1c353adb5605f
SHA512 3b6eee058e29532e15fd79ac4ea009f85ca9d3cc9253801ae2e4c9b49c9c3bf900f777e37bcc512e1c166952d85a3bfb752178982b99bb06576ed3d7bb891126

memory/2116-4-0x0000000000220000-0x000000000023A000-memory.dmp

memory/2116-9-0x0000000000220000-0x000000000023A000-memory.dmp

memory/760-11-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2116-12-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2116-13-0x0000000000220000-0x000000000023A000-memory.dmp

memory/2116-14-0x0000000000220000-0x000000000023A000-memory.dmp

memory/760-16-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2116-22-0x0000000000400000-0x000000000041A000-memory.dmp

memory/760-27-0x0000000000400000-0x000000000041A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-19 01:45

Reported

2024-11-19 01:48

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0cbb5e112654c75d39beb00b12f773b7ea44931b6524f8071bdedd91eb7e8efb.exe"

Signatures

Sakula

trojan rat sakula

Sakula family

sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0cbb5e112654c75d39beb00b12f773b7ea44931b6524f8071bdedd91eb7e8efb.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\0cbb5e112654c75d39beb00b12f773b7ea44931b6524f8071bdedd91eb7e8efb.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0cbb5e112654c75d39beb00b12f773b7ea44931b6524f8071bdedd91eb7e8efb.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0cbb5e112654c75d39beb00b12f773b7ea44931b6524f8071bdedd91eb7e8efb.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0cbb5e112654c75d39beb00b12f773b7ea44931b6524f8071bdedd91eb7e8efb.exe

"C:\Users\Admin\AppData\Local\Temp\0cbb5e112654c75d39beb00b12f773b7ea44931b6524f8071bdedd91eb7e8efb.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0cbb5e112654c75d39beb00b12f773b7ea44931b6524f8071bdedd91eb7e8efb.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
TH | 184.22.175.13:80 | | tcp

Files

memory/5024-0-0x0000000000400000-0x000000000041A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 f2313917ca5797515d648b85f88afd64
SHA1 8bfdb364d3b2e3b1e92180736602b9e7a0b45966
SHA256 955e3c0602887c5f0d8fe6979916e7579be33bb4446652f583c3dc360726fd7b
SHA512 af49965b3fa3f9dc59bff7092f7c681aac16731664d44b7513cab30821b8a5429175f4b4d53a723a6d53657e5ff5d84de937929b592c5d4fb178d9dcee18d72d

memory/4520-5-0x0000000000400000-0x000000000041A000-memory.dmp

memory/5024-6-0x0000000000400000-0x000000000041A000-memory.dmp

memory/4520-9-0x0000000000400000-0x000000000041A000-memory.dmp

memory/5024-14-0x0000000000400000-0x000000000041A000-memory.dmp

memory/4520-19-0x0000000000400000-0x000000000041A000-memory.dmp