sakula | 28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c

Analysis

max time kernel
31s
max time network
153s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe
Size

283KB
MD5

6a67fe4188c03936d6ab6487123f5ea0
SHA1

086f6d8c9fe2464e2f275f04110c703c6e8b247c
SHA256

28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c
SHA512

b43fe6db285096b4cbe6d145bd9a6abd8f20714a76b6d3263e8c74aa1651e2d54d047bf8c8b211bddc597933f6239f6d4062e40a1914235d42896f11c770c16b
SSDEEP

1536:NU9abrtX4oocIK3yQkaY9z/S0hhnDiKKJqTnouy8HeBsCXKTnhxJP:Nm2rocIyhYtJxKJqrout+BsZh3

Score

10^/10

sakula persistence rat trojan upx

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1700-13-0x0000000000A20000-0x0000000000A3F000-memory.dmp	family_sakula
behavioral1/memory/2200-12-0x0000000000FE0000-0x0000000000FFF000-memory.dmp	family_sakula
behavioral1/memory/2200-21-0x0000000000FE0000-0x0000000000FFF000-memory.dmp	family_sakula
behavioral1/memory/1700-26-0x0000000000A20000-0x0000000000A3F000-memory.dmp	family_sakula

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

1700 MediaCenter.exe
Loads dropped DLL 2 IoCs

Processes:

28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe

pid process

2200 28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe
2200 28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe

pid	process
1700	MediaCenter.exe

pid	process
2200	28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe
2200	28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2200-0-0x0000000000FE0000-0x0000000000FFF000-memory.dmp	upx
behavioral1/memory/1700-11-0x0000000000A20000-0x0000000000A3F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral1/memory/1700-13-0x0000000000A20000-0x0000000000A3F000-memory.dmp	upx
behavioral1/memory/2200-12-0x0000000000FE0000-0x0000000000FFF000-memory.dmp	upx
behavioral1/memory/2200-21-0x0000000000FE0000-0x0000000000FFF000-memory.dmp	upx
behavioral1/memory/1700-26-0x0000000000A20000-0x0000000000A3F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2068 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe

description pid process

Token: SeIncBasePriorityPrivilege 2200 28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe

pid	process
2068	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	2200	28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe

description	pid	process	target process
PID 2200 wrote to memory of 1700	2200	28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe	MediaCenter.exe
PID 2200 wrote to memory of 1700	2200	28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe	MediaCenter.exe
PID 2200 wrote to memory of 1700	2200	28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe	MediaCenter.exe
PID 2200 wrote to memory of 1700	2200	28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe	MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:1700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe"
2⤵
PID:2400

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2068

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
283KB

MD5
4654a656809fcfabebee50d0372872a3

SHA1
bf1d2abe5973d49bce1f63adde051a6f5e2f55e7

SHA256
78d822b6f9372d27287b2feea7c088ab604bda656916546bfe88550b9eb0b000

SHA512
98699bffa657b3fcc5b632bf48c37525e85bfdb970acb2af9227df9f6346fc2c66a62d25d8fb774701257dc1bdefc9615e3ebf60e13a01e282013ce1ffc8c1a9

Download Submit
memory/1700-11-0x0000000000A20000-0x0000000000A3F000-memory.dmp

Filesize
124KB

Download
memory/1700-13-0x0000000000A20000-0x0000000000A3F000-memory.dmp

Filesize
124KB

Download
memory/1700-26-0x0000000000A20000-0x0000000000A3F000-memory.dmp

Filesize
124KB

Download
memory/2200-0-0x0000000000FE0000-0x0000000000FFF000-memory.dmp

Filesize
124KB

Download
memory/2200-9-0x0000000000130000-0x000000000014F000-memory.dmp

Filesize
124KB

Download
memory/2200-8-0x0000000000130000-0x000000000014F000-memory.dmp

Filesize
124KB

Download
memory/2200-12-0x0000000000FE0000-0x0000000000FFF000-memory.dmp

Filesize
124KB

Download
memory/2200-17-0x0000000000130000-0x000000000014F000-memory.dmp

Filesize
124KB

Download
memory/2200-16-0x0000000000130000-0x000000000014F000-memory.dmp

Filesize
124KB

Download
memory/2200-21-0x0000000000FE0000-0x0000000000FFF000-memory.dmp

Filesize
124KB

Download