Malware Analysis Report

2024-12-07 22:04

Sample ID 241122-qz9z7s1qfy
Target d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe
SHA256 d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0
Tags
sakula discovery persistence rat trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0

Threat Level: Known bad

The file d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe was found to be: Known bad.

Malicious Activity Summary

sakula discovery persistence rat trojan

Sakula

Sakula payload

Sakula family

Deletes itself

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-22 13:43

Signatures

Sakula family

sakula

Sakula payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-22 13:43

Reported

2024-11-22 13:45

Platform

win7-20241010-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe"

Signatures

Sakula

trojan rat sakula

Sakula family

sakula

Sakula payload

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2724 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 2724 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 2724 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 2724 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 2724 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 2724 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 2724 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
PID 2724 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2632 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2632 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2632 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe

"C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.savmpet.com udp
US 52.34.198.229:80 www.savmpet.com tcp
US 52.34.198.229:80 www.savmpet.com tcp
US 52.34.198.229:80 www.savmpet.com tcp
US 52.34.198.229:80 www.savmpet.com tcp
US 52.34.198.229:80 www.savmpet.com tcp
US 52.34.198.229:80 www.savmpet.com tcp
US 52.34.198.229:80 www.savmpet.com tcp
US 52.34.198.229:80 www.savmpet.com tcp

Files

\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

MD5 8dc25aec0736de98d8287a4c7491ff40
SHA1 d69c86d66157d46d31f7ed863ac78cf39b533b83
SHA256 7fc2a16c530868accd27d8e4d47a4f56effec8c241d12928e432ceddd679806a
SHA512 ad434a6e4ba8495206bb020f7e17444064fc322d3abb4a58c3a3529dddb07aff08b1db24ebfd055df675a845de52709fa1910d3e1d3d47ab6c6d8f7e2a82d016

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-22 13:43

Reported

2024-11-22 13:45

Platform

win10v2004-20241007-en

Max time kernel

98s

Max time network

106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe"

Signatures

Sakula

trojan rat sakula

Sakula family

sakula

Sakula payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe

"C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\d99e5e62549e4e356392bd5c304172a695d1393f5999efdd1756f05f6e580da0N.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 www.savmpet.com udp
US 52.34.198.229:80 www.savmpet.com tcp
US 52.34.198.229:80 www.savmpet.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 52.34.198.229:80 www.savmpet.com tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 52.34.198.229:80 www.savmpet.com tcp
US 8.8.8.8:53 138.121.18.2.in-addr.arpa udp
US 52.34.198.229:80 www.savmpet.com tcp
US 52.34.198.229:80 www.savmpet.com tcp
US 8.8.8.8:53 140.121.18.2.in-addr.arpa udp
US 52.34.198.229:80 www.savmpet.com tcp
US 52.34.198.229:80 www.savmpet.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

MD5 8c0d6ccfc003ce83d08dc8c0c8f91574
SHA1 522ff28412a3e833facbb94c64a2d6a4fd122b49
SHA256 c6cf555acef84695de2cc109588085f80a02086175f21f88f5bfd13a2641ff07
SHA512 6c18417ed229f3f0cfe83a8ff749b8b24efa874f1f7a2adb107e3f50ecadca2464ab1b2bcbe529a21bc71197bf0c79512ac9a1e6630e933b3d0b8d3a5f3f2633