sakula | 9316a6a0165f0d65422350e779fb11c2903040c11fecd487b778d0e116c7e235

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-06-2024 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9316a6a0165f0d65422350e779fb11c2903040c11fecd487b778d0e116c7e235_NeikiAnalytics.exe
Size

114KB
MD5

820b0c6004ba8c3493c3436684b3ae30
SHA1

68af16b3b24db4f9a1049882b31fd7866d775181
SHA256

9316a6a0165f0d65422350e779fb11c2903040c11fecd487b778d0e116c7e235
SHA512

6e50536aa07bbc468b591038859bfe5b8631dd13e52c366e9359ee57f91d745222ec2f8e46f1bb8d26bc41080c8d26b26d0b4ed7490d68a776fd9c53fb0de3e0
SSDEEP

1536:Loaj1hJL1S9t0MIeboal8bCKxo7h0RPLJNz30rtriCr0nJnHPoq1nouy8uRg6:c0hpgz6xGhYJF30Blr0nhoutuRg6

Score

10^/10

sakula persistence rat trojan upx

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4108-0-0x00000000007B0000-0x00000000007D1000-memory.dmp	family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	family_sakula
behavioral2/memory/4776-4-0x0000000000F10000-0x0000000000F31000-memory.dmp	family_sakula
behavioral2/memory/4108-6-0x00000000007B0000-0x00000000007D1000-memory.dmp	family_sakula
behavioral2/memory/4776-7-0x0000000000F10000-0x0000000000F31000-memory.dmp	family_sakula
behavioral2/memory/4108-8-0x00000000007B0000-0x00000000007D1000-memory.dmp	family_sakula

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9316a6a0165f0d65422350e779fb11c2903040c11fecd487b778d0e116c7e235_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	9316a6a0165f0d65422350e779fb11c2903040c11fecd487b778d0e116c7e235_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

4776 MediaCenter.exe

pid	process
4776	MediaCenter.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4108-0-0x00000000007B0000-0x00000000007D1000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral2/memory/4776-4-0x0000000000F10000-0x0000000000F31000-memory.dmp	upx
behavioral2/memory/4108-6-0x00000000007B0000-0x00000000007D1000-memory.dmp	upx
behavioral2/memory/4776-7-0x0000000000F10000-0x0000000000F31000-memory.dmp	upx
behavioral2/memory/4108-8-0x00000000007B0000-0x00000000007D1000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9316a6a0165f0d65422350e779fb11c2903040c11fecd487b778d0e116c7e235_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	9316a6a0165f0d65422350e779fb11c2903040c11fecd487b778d0e116c7e235_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2520 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9316a6a0165f0d65422350e779fb11c2903040c11fecd487b778d0e116c7e235_NeikiAnalytics.exe

description pid process

Token: SeIncBasePriorityPrivilege 4108 9316a6a0165f0d65422350e779fb11c2903040c11fecd487b778d0e116c7e235_NeikiAnalytics.exe

pid	process
2520	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	4108	9316a6a0165f0d65422350e779fb11c2903040c11fecd487b778d0e116c7e235_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9316a6a0165f0d65422350e779fb11c2903040c11fecd487b778d0e116c7e235_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 4108 wrote to memory of 4776	4108	9316a6a0165f0d65422350e779fb11c2903040c11fecd487b778d0e116c7e235_NeikiAnalytics.exe	MediaCenter.exe
PID 4108 wrote to memory of 4776	4108	9316a6a0165f0d65422350e779fb11c2903040c11fecd487b778d0e116c7e235_NeikiAnalytics.exe	MediaCenter.exe
PID 4108 wrote to memory of 4776	4108	9316a6a0165f0d65422350e779fb11c2903040c11fecd487b778d0e116c7e235_NeikiAnalytics.exe	MediaCenter.exe
PID 4108 wrote to memory of 4884	4108	9316a6a0165f0d65422350e779fb11c2903040c11fecd487b778d0e116c7e235_NeikiAnalytics.exe	cmd.exe
PID 4108 wrote to memory of 4884	4108	9316a6a0165f0d65422350e779fb11c2903040c11fecd487b778d0e116c7e235_NeikiAnalytics.exe	cmd.exe
PID 4108 wrote to memory of 4884	4108	9316a6a0165f0d65422350e779fb11c2903040c11fecd487b778d0e116c7e235_NeikiAnalytics.exe	cmd.exe
PID 4884 wrote to memory of 2520	4884	cmd.exe	PING.EXE
PID 4884 wrote to memory of 2520	4884	cmd.exe	PING.EXE
PID 4884 wrote to memory of 2520	4884	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\9316a6a0165f0d65422350e779fb11c2903040c11fecd487b778d0e116c7e235_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9316a6a0165f0d65422350e779fb11c2903040c11fecd487b778d0e116c7e235_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4108

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:4776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\9316a6a0165f0d65422350e779fb11c2903040c11fecd487b778d0e116c7e235_NeikiAnalytics.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4192 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:488

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
114KB

MD5
076ca9bb8f59bd2b6c2e5e79b7001342

SHA1
fdc4d6b70d456748d033598bd06baea4aeddae1a

SHA256
6beab435eafaf8375e1a10a2e92b6a9d57c60480d97a13f8cefb6d64afae5098

SHA512
7349301fb012192543485b4b20a78dc476b1b1ef29f9fcea9647a5baa81a99e37aaa6b1fa73c53f1472f9b65e6c360d0359c18431085d6fb8ff398f2889b3e6d

Download Submit
memory/4108-0-0x00000000007B0000-0x00000000007D1000-memory.dmp

Filesize
132KB

Download
memory/4108-6-0x00000000007B0000-0x00000000007D1000-memory.dmp

Filesize
132KB

Download
memory/4108-8-0x00000000007B0000-0x00000000007D1000-memory.dmp

Filesize
132KB

Download
memory/4776-4-0x0000000000F10000-0x0000000000F31000-memory.dmp

Filesize
132KB

Download
memory/4776-7-0x0000000000F10000-0x0000000000F31000-memory.dmp

Filesize
132KB

Download