sakula | 28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c

Analysis

max time kernel
30s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe
Size

283KB
MD5

6a67fe4188c03936d6ab6487123f5ea0
SHA1

086f6d8c9fe2464e2f275f04110c703c6e8b247c
SHA256

28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c
SHA512

b43fe6db285096b4cbe6d145bd9a6abd8f20714a76b6d3263e8c74aa1651e2d54d047bf8c8b211bddc597933f6239f6d4062e40a1914235d42896f11c770c16b
SSDEEP

1536:NU9abrtX4oocIK3yQkaY9z/S0hhnDiKKJqTnouy8HeBsCXKTnhxJP:Nm2rocIyhYtJxKJqrout+BsZh3

Score

10^/10

sakula persistence rat trojan upx

Malware Config

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/932-7-0x0000000000A90000-0x0000000000AAF000-memory.dmp	family_sakula
behavioral2/memory/4496-6-0x0000000000880000-0x000000000089F000-memory.dmp	family_sakula
behavioral2/memory/4496-10-0x0000000000880000-0x000000000089F000-memory.dmp	family_sakula
behavioral2/memory/932-15-0x0000000000A90000-0x0000000000AAF000-memory.dmp	family_sakula

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

932 MediaCenter.exe

pid	process
932	MediaCenter.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/932-5-0x0000000000A90000-0x0000000000AAF000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral2/memory/4496-0-0x0000000000880000-0x000000000089F000-memory.dmp	upx
behavioral2/memory/932-7-0x0000000000A90000-0x0000000000AAF000-memory.dmp	upx
behavioral2/memory/4496-6-0x0000000000880000-0x000000000089F000-memory.dmp	upx
behavioral2/memory/4496-10-0x0000000000880000-0x000000000089F000-memory.dmp	upx
behavioral2/memory/932-15-0x0000000000A90000-0x0000000000AAF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3424 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe

description pid process

Token: SeIncBasePriorityPrivilege 4496 28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe

pid	process
3424	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	4496	28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe

description	pid	process	target process
PID 4496 wrote to memory of 932	4496	28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe	MediaCenter.exe
PID 4496 wrote to memory of 932	4496	28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe	MediaCenter.exe
PID 4496 wrote to memory of 932	4496	28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe	MediaCenter.exe
PID 4496 wrote to memory of 2572	4496	28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe	cmd.exe
PID 4496 wrote to memory of 2572	4496	28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe	cmd.exe
PID 4496 wrote to memory of 2572	4496	28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4496

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\28fcbc73c80a28e85e56537982269c9d91f3d2beb3b954e253efbc06ba0dcc2c_NeikiAnalytics.exe"
2⤵
PID:2572

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:3424

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize
283KB

MD5
29140250f5f7acefaf945a544c2a8634

SHA1
7528ffaec79897a1ccd7fe08275f8edfee4ceafd

SHA256
37b19490eb5583a5b55f65dc997a1de2936198a951621b97df5e31453cc80167

SHA512
011b9ec54deaddea5dfa6348af1b13e0136871b5d60fd3f8cfe2c3bfcb9c090fc7159733eb5da2fc03fbd707667fcd8783d95f3600a9c6c7454e64ecc48d81b1

Download Submit
memory/932-5-0x0000000000A90000-0x0000000000AAF000-memory.dmp

Filesize
124KB

Download
memory/932-7-0x0000000000A90000-0x0000000000AAF000-memory.dmp

Filesize
124KB

Download
memory/932-15-0x0000000000A90000-0x0000000000AAF000-memory.dmp

Filesize
124KB

Download
memory/4496-0-0x0000000000880000-0x000000000089F000-memory.dmp

Filesize
124KB

Download
memory/4496-6-0x0000000000880000-0x000000000089F000-memory.dmp

Filesize
124KB

Download
memory/4496-10-0x0000000000880000-0x000000000089F000-memory.dmp

Filesize
124KB

Download