sakula | 6cfc448eb004701b9c323726916578e7407eec863ee5be8d4a31afc6c8e85c79

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-06-2024 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6cfc448eb004701b9c323726916578e7407eec863ee5be8d4a31afc6c8e85c79_NeikiAnalytics.exe
Size

63KB
MD5

5c1ea9e69625ee8e2672e4993f4ddcf0
SHA1

13a831e1dd781eb500be3b308fbab2f79f9cb258
SHA256

6cfc448eb004701b9c323726916578e7407eec863ee5be8d4a31afc6c8e85c79
SHA512

a78046aaf370ecc0db825afc587be2920bdd7e9c3bf287666edc97bdf3941f5f33ea57ffb689187aedc063cbc1e0e897cafa14e58cf21e3e6c1047b941c097fe
SSDEEP

1536:zoxBP0D61Oj3+5FdOa52C8pdo95j6hZ2MzNDCkrY:0PPUj3+5FMIn8To94wa7Y

Score

10^/10

sakula persistence rat trojan upx

Malware Config

Extracted

Family

sakula

www.polarroute.com

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2032-1-0x0000000000400000-0x0000000000424000-memory.dmp	family_sakula
behavioral1/memory/1168-8-0x0000000000400000-0x0000000000424000-memory.dmp	family_sakula
behavioral1/memory/2032-14-0x0000000000400000-0x0000000000424000-memory.dmp	family_sakula
behavioral1/memory/1168-19-0x0000000000400000-0x0000000000424000-memory.dmp	family_sakula

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2852 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1168 MediaCenter.exe
Loads dropped DLL 1 IoCs

Processes:

6cfc448eb004701b9c323726916578e7407eec863ee5be8d4a31afc6c8e85c79_NeikiAnalytics.exe

pid process

2032 6cfc448eb004701b9c323726916578e7407eec863ee5be8d4a31afc6c8e85c79_NeikiAnalytics.exe

pid	process
2852	cmd.exe

pid	process
1168	MediaCenter.exe

pid	process
2032	6cfc448eb004701b9c323726916578e7407eec863ee5be8d4a31afc6c8e85c79_NeikiAnalytics.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2032-1-0x0000000000400000-0x0000000000424000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral1/memory/1168-6-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1168-8-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2032-14-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1168-19-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6cfc448eb004701b9c323726916578e7407eec863ee5be8d4a31afc6c8e85c79_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	6cfc448eb004701b9c323726916578e7407eec863ee5be8d4a31afc6c8e85c79_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2596 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6cfc448eb004701b9c323726916578e7407eec863ee5be8d4a31afc6c8e85c79_NeikiAnalytics.exe

description pid process

Token: SeIncBasePriorityPrivilege 2032 6cfc448eb004701b9c323726916578e7407eec863ee5be8d4a31afc6c8e85c79_NeikiAnalytics.exe

pid	process
2596	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	2032	6cfc448eb004701b9c323726916578e7407eec863ee5be8d4a31afc6c8e85c79_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6cfc448eb004701b9c323726916578e7407eec863ee5be8d4a31afc6c8e85c79_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 2032 wrote to memory of 1168	2032	6cfc448eb004701b9c323726916578e7407eec863ee5be8d4a31afc6c8e85c79_NeikiAnalytics.exe	MediaCenter.exe
PID 2032 wrote to memory of 1168	2032	6cfc448eb004701b9c323726916578e7407eec863ee5be8d4a31afc6c8e85c79_NeikiAnalytics.exe	MediaCenter.exe
PID 2032 wrote to memory of 1168	2032	6cfc448eb004701b9c323726916578e7407eec863ee5be8d4a31afc6c8e85c79_NeikiAnalytics.exe	MediaCenter.exe
PID 2032 wrote to memory of 1168	2032	6cfc448eb004701b9c323726916578e7407eec863ee5be8d4a31afc6c8e85c79_NeikiAnalytics.exe	MediaCenter.exe
PID 2032 wrote to memory of 2852	2032	6cfc448eb004701b9c323726916578e7407eec863ee5be8d4a31afc6c8e85c79_NeikiAnalytics.exe	cmd.exe
PID 2032 wrote to memory of 2852	2032	6cfc448eb004701b9c323726916578e7407eec863ee5be8d4a31afc6c8e85c79_NeikiAnalytics.exe	cmd.exe
PID 2032 wrote to memory of 2852	2032	6cfc448eb004701b9c323726916578e7407eec863ee5be8d4a31afc6c8e85c79_NeikiAnalytics.exe	cmd.exe
PID 2032 wrote to memory of 2852	2032	6cfc448eb004701b9c323726916578e7407eec863ee5be8d4a31afc6c8e85c79_NeikiAnalytics.exe	cmd.exe
PID 2852 wrote to memory of 2596	2852	cmd.exe	PING.EXE
PID 2852 wrote to memory of 2596	2852	cmd.exe	PING.EXE
PID 2852 wrote to memory of 2596	2852	cmd.exe	PING.EXE
PID 2852 wrote to memory of 2596	2852	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\6cfc448eb004701b9c323726916578e7407eec863ee5be8d4a31afc6c8e85c79_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6cfc448eb004701b9c323726916578e7407eec863ee5be8d4a31afc6c8e85c79_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\6cfc448eb004701b9c323726916578e7407eec863ee5be8d4a31afc6c8e85c79_NeikiAnalytics.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2596

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
63KB

MD5
2f4dc141cf645abf25a32525334c4a9b

SHA1
dc0443e95c5651247bf9b8048da513ad509369c9

SHA256
9b83ea89a8a8c37bbc26a497460687c48056c453f4534cca37e1b9c5d5838082

SHA512
628be4af784b29eec5adb7d188c7261a467ab2036e04d53fd908ba69104f9a0778e2c94b00adf3e3cc0cbf55ac6a0ad87bfba30aa1e384ba00be75b4b186173b

Download Submit
memory/1168-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1168-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1168-19-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2032-1-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2032-11-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2032-14-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download