Malware Analysis Report

2024-12-07 22:05

Sample ID 241120-e3fpzswjer
Target b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe
SHA256 b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5
Tags sakula discovery persistence rat trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5

Threat Level: Known bad

The file b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe was found to be: Known bad.

Malicious Activity Summary

sakula discovery persistence rat trojan

Sakula

Sakula payload

Sakula family

Deletes itself

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-20 04:27

Signatures

Sakula family

sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-20 04:27
Reported 2024-11-20 04:30
Platform win7-20240708-en
Max time kernel 128s
Max time network 130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe"

Signatures

Sakula

trojan rat sakula

Sakula family

sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" | C:\Users\Admin\AppData\Local\Temp\b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2640 wrote to memory of 376 | N/A | C:\Users\Admin\AppData\Local\Temp\b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 2640 wrote to memory of 376 | N/A | C:\Users\Admin\AppData\Local\Temp\b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 2640 wrote to memory of 376 | N/A | C:\Users\Admin\AppData\Local\Temp\b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 2640 wrote to memory of 376 | N/A | C:\Users\Admin\AppData\Local\Temp\b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 2640 wrote to memory of 376 | N/A | C:\Users\Admin\AppData\Local\Temp\b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 2640 wrote to memory of 376 | N/A | C:\Users\Admin\AppData\Local\Temp\b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 2640 wrote to memory of 376 | N/A | C:\Users\Admin\AppData\Local\Temp\b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 2640 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe | C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe | C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe | C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe | C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2752 wrote to memory of 1916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2752 wrote to memory of 1916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2752 wrote to memory of 1916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe

"C:\Users\Admin\AppData\Local\Temp\b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.savmpet.com | udp
US | 52.34.198.229:80 | www.savmpet.com | tcp
US | 52.34.198.229:80 | www.savmpet.com | tcp
US | 52.34.198.229:80 | www.savmpet.com | tcp
US | 52.34.198.229:80 | www.savmpet.com | tcp
US | 52.34.198.229:80 | www.savmpet.com | tcp
US | 52.34.198.229:80 | www.savmpet.com | tcp
US | 52.34.198.229:80 | www.savmpet.com | tcp
US | 52.34.198.229:80 | www.savmpet.com | tcp
US | 52.34.198.229:80 | www.savmpet.com | tcp
US | 52.34.198.229:80 | www.savmpet.com | tcp

Files

\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

MD5 31f610ac8f44f1d27db6c21cb465bad7
SHA1 df0ff468ab0a0c54bd9a5753c5a701091c01cb3c
SHA256 e48e2aee81b1ed9eace601fd5f2b8d257ec9c002d1861d10cdcb8d30d24197c2
SHA512 d9a4208f29b463e1ee9f084dc84f0d64888673d84cbc5902926af03d11d143002f8b0378f94bc6e6f9bc47729c8cb9d3b281814d678aac656a5c511523e94814

Analysis: behavioral2

Detonation Overview

Submitted 2024-11-20 04:27
Reported 2024-11-20 04:30
Platform win10v2004-20241007-en
Max time kernel 126s
Max time network 134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe"

Signatures

Sakula

trojan rat sakula

Sakula family

sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" | C:\Users\Admin\AppData\Local\Temp\b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe

"C:\Users\Admin\AppData\Local\Temp\b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\b85d0b465dca98653a4c5faddc4d77ab34f702213ab16597b3586595b737cbf5.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.savmpet.com | udp
US | 52.34.198.229:80 | www.savmpet.com | tcp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp
US | 52.34.198.229:80 | www.savmpet.com | tcp
US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 52.34.198.229:80 | www.savmpet.com | tcp
US | 52.34.198.229:80 | www.savmpet.com | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 52.34.198.229:80 | www.savmpet.com | tcp
US | 52.34.198.229:80 | www.savmpet.com | tcp
US | 52.34.198.229:80 | www.savmpet.com | tcp
US | 52.34.198.229:80 | www.savmpet.com | tcp
US | 52.34.198.229:80 | www.savmpet.com | tcp
US | 52.34.198.229:80 | www.savmpet.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

MD5 e43c6f1501b4bdc83538c36dc29fbf1d
SHA1 cb4d1e2b3e0cdf012945ffc7133ffe65582c7ef7
SHA256 8150e2b9bf631e400ed63dbb339bbc9161da123dc6cf3c7d9bd8a8c0bddf845a
SHA512 8e3ae36fb47c628f5bd343dda7f424d04227740938b779588884fc8b46cf82b3f6b2ddd7cb5ffe4b6ccc864ff398a829bd3715a3e15a103cd036c215263c2c8c