Malware Analysis Report

2025-01-02 02:51

Sample ID 241125-qmznpsvndn
Target 6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd.exe
SHA256 6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd
Tags
upx sakula discovery persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd

Threat Level: Known bad

The file 6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd.exe was found to be: Known bad.

Malicious Activity Summary

upx sakula discovery persistence rat trojan

Sakula family

Sakula payload

Sakula

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-25 13:23

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-25 13:23

Reported

2024-11-25 13:25

Platform

win7-20240903-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd.exe"

Signatures

Sakula

trojan rat sakula

Sakula family

sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2828 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 2828 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 2828 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 2828 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 2828 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 1952 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2612 wrote to memory of 1952 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2612 wrote to memory of 1952 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2612 wrote to memory of 1952 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd.exe

"C:\Users\Admin\AppData\Local\Temp\6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | | tcp
TH | 184.22.175.13:80 | | tcp
TH | 184.22.175.13:80 | | tcp

Files

memory/2828-0-0x00000000003F0000-0x000000000040F000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 5aba9884fd71de79119d58ef4450eecb
SHA1 d788d62dfe29a6372185d967b81ffc583bd5e1b5
SHA256 6e7b5f009493e51dcde222385d226acca897578e865e24c3e77bda629ace9ae0
SHA512 d4d12f6fcb98c42bf5bf5983e6e2b08749291e550e1ee77d2edb24a53a6fb5e442749aba3ad14653e01609362dd22269b8fd61fb693904e4d9a6487e10fd0249

memory/2868-11-0x0000000000F10000-0x0000000000F2F000-memory.dmp

memory/2828-10-0x00000000000E0000-0x00000000000FF000-memory.dmp

memory/2828-9-0x00000000000E0000-0x00000000000FF000-memory.dmp

memory/2828-12-0x00000000003F0000-0x000000000040F000-memory.dmp

memory/2828-13-0x00000000000E0000-0x00000000000FF000-memory.dmp

memory/2868-14-0x0000000000F10000-0x0000000000F2F000-memory.dmp

memory/2828-22-0x00000000003F0000-0x000000000040F000-memory.dmp

memory/2868-28-0x0000000000F10000-0x0000000000F2F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-25 13:23

Reported

2024-11-25 13:25

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd.exe"

Signatures

Sakula

trojan rat sakula

Sakula family

sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd.exe

"C:\Users\Admin\AppData\Local\Temp\6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\6b938a685680764781b07aae0e03516333dae0594ff89d9da54e147ab3af7cbd.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | | tcp
TH | 184.22.175.13:80 | | tcp
TH | 184.22.175.13:80 | | tcp

Files

memory/1168-0-0x0000000000CD0000-0x0000000000CEF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 1880c3a30b274fdf20e08e92f50d72ac
SHA1 0e2a230a4cd3137acb28c40f9ba3d74732f4442d
SHA256 8154712657b5f64ca4f92e992ba9ec49c2b69974a7f7322d2d337496a06e5160
SHA512 66dc52bfe405e8bfee24d81ddcb984d988ccd240fc80084b0976b1a05c09d936256b01a4117f3e8c3a501f57c851ac6dc504f1f56aa5eb3d8c71bce5f2658f1e

memory/3948-4-0x00000000009B0000-0x00000000009CF000-memory.dmp

memory/1168-6-0x0000000000CD0000-0x0000000000CEF000-memory.dmp

memory/3948-8-0x00000000009B0000-0x00000000009CF000-memory.dmp

memory/1168-13-0x0000000000CD0000-0x0000000000CEF000-memory.dmp

memory/3948-17-0x00000000009B0000-0x00000000009CF000-memory.dmp