Malware Analysis Report

2025-01-02 02:51

Sample ID 241203-mvz3naxmdj
Target b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2fN.exe
SHA256 b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2f
Tags: sakula discovery persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2f

Threat Level: Known bad

The file b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2fN.exe was found to be: Known bad.

Malicious Activity Summary

sakula discovery persistence rat trojan

Sakula family

Sakula

Sakula payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Deletes itself

Adds Run key to start application

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-12-03 10:47

Signatures

Sakula family

sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-03 10:47
Reported: 2024-12-03 10:49
Platform: win7-20240708-en
Max time kernel: 117s
Max time network: 117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2fN.exe"

Signatures

Sakula

Tags: trojan rat sakula

Sakula family

sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2fN.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2fN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A

System Network Configuration Discovery: Internet Connection Discovery

Tags: discovery

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2fN.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2960 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2fN.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 2960 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2fN.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 2960 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2fN.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 2960 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2fN.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 2960 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2fN.exe | C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2fN.exe | C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2fN.exe | C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2fN.exe | C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2892 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2676 wrote to memory of 2892 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2676 wrote to memory of 2892 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2676 wrote to memory of 2892 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2fN.exe

"C:\Users\Admin\AppData\Local\Temp\b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2fN.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2fN.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.polarroute.com | udp
US | 76.223.54.146:80 | www.polarroute.com | tcp
US | 76.223.54.146:80 | www.polarroute.com | tcp
US | 76.223.54.146:80 | www.polarroute.com | tcp
US | 76.223.54.146:80 | www.polarroute.com | tcp
US | 8.8.8.8:53 | www.northpoleroute.com | udp

Files

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 c9677e68e29699101014727ecc102c2e
SHA1 74304378ea06dee5a1574dd86c191dfa795e3ace
SHA256 cad1396cbc2cdd24b3927ae7d553c24ab4a8ead62673607a384ecc64fe53508f
SHA512 78bdd31c0ea1dcdf05d4c915c60ed1a1ee2d31e44dbc0ba451e87a3ee885f72f7f4425a03f5b432693e97e18e1343394a4a611849113e76da8c7395e20d0de2f

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-03 10:47
Reported: 2024-12-03 10:49
Platform: win10v2004-20241007-en
Max time kernel: 108s
Max time network: 110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2fN.exe"

Signatures

Sakula

Tags: trojan rat sakula

Sakula family

sakula

Sakula payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2fN.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2fN.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2fN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

Tags: discovery

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2fN.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2fN.exe

"C:\Users\Admin\AppData\Local\Temp\b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2fN.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\b11720c9ea3e2089663b777628fa191663cb31a09fd4fdaf2f49f3ea6fcb1d2fN.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.polarroute.com | udp
US | 76.223.54.146:80 | www.polarroute.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.54.223.76.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 76.223.54.146:80 | www.polarroute.com | tcp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 186.115.16.2.in-addr.arpa | udp
US | 76.223.54.146:80 | www.polarroute.com | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 76.223.54.146:80 | www.polarroute.com | tcp
US | 8.8.8.8:53 | www.northpoleroute.com | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | www.northpoleroute.com | udp

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 4246a528223f0c80aa0d86c9599b83e3
SHA1 8b3ec641297720fa5c7c5c052a31e7b769221e6b
SHA256 5a517570fda53193053cb94e55a22c4a468c6265d1348a4e44c9b260fba918ab
SHA512 79eee074c87aba5d36f1d2fba639906711026eb84e8cfecb975b220d61e40308458ca7e79abaab178fb8c15c6f4a47a6071bb8d0c59962f460e81344997c31ca