Analysis
max time kernel: 179s
max time network: 185s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-10-2023 20:29
Behavioral task: behavioral1
Sample: NEAS.7fea47426d14645b7fdf87327f55f300.exe
Resource: win7-20230831-en
Behavioral task: behavioral2
Sample: NEAS.7fea47426d14645b7fdf87327f55f300.exe
Resource: win10v2004-20230915-en
General
Target: NEAS.7fea47426d14645b7fdf87327f55f300.exe
Size: 99KB
MD5: 7fea47426d14645b7fdf87327f55f300
SHA1: 8e2efabb1da8456119ce8bab333a859585718f17
SHA256: 1b50f21b6d6f70b36a2e171f67c2edd72bec16678bcb69856097b8f0b432ca1e
SHA512: fbf04ecfaaecf321e756644433ba5bb049c8783556c91a7dc77a1b36876922f81521938c640a2d747bc47935ad016a69e06e2b533825a6d9ecb1315b71e2d984
SSDEEP: 1536:Loaj1hJL1S9t0MIeboal8bCKxo7h0RPaaml0Nz30rtrux:c0hpgz6xGhZamyF30BCx
Malware Config
Signatures
Sakula payload 7 IoCs
resource | yara_rule
behavioral2/memory/976-0-0x0000000000400000-0x000000000041B000-memory.dmp | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral2/memory/752-5-0x0000000000400000-0x000000000041B000-memory.dmp | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral2/memory/976-6-0x0000000000400000-0x000000000041B000-memory.dmp | family_sakula
behavioral2/memory/752-7-0x0000000000400000-0x000000000041B000-memory.dmp | family_sakula
behavioral2/memory/976-8-0x0000000000400000-0x000000000041B000-memory.dmp | family_sakula
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: NEAS.7fea47426d14645b7fdf87327f55f300.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | NEAS.7fea47426d14645b7fdf87327f55f300.exe
Executes dropped EXE 1 IoCs
Processes: MediaCenter.exe
pid | process
752 | MediaCenter.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: NEAS.7fea47426d14645b7fdf87327f55f300.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | NEAS.7fea47426d14645b7fdf87327f55f300.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: NEAS.7fea47426d14645b7fdf87327f55f300.exe
description | pid | process
Token: SeIncBasePriorityPrivilege | 976 | NEAS.7fea47426d14645b7fdf87327f55f300.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes: NEAS.7fea47426d14645b7fdf87327f55f300.exe, cmd.exe
description | pid | process | target process
PID 976 wrote to memory of 752 | 976 | NEAS.7fea47426d14645b7fdf87327f55f300.exe | MediaCenter.exe
PID 976 wrote to memory of 752 | 976 | NEAS.7fea47426d14645b7fdf87327f55f300.exe | MediaCenter.exe
PID 976 wrote to memory of 752 | 976 | NEAS.7fea47426d14645b7fdf87327f55f300.exe | MediaCenter.exe
PID 976 wrote to memory of 2408 | 976 | NEAS.7fea47426d14645b7fdf87327f55f300.exe | cmd.exe
PID 976 wrote to memory of 2408 | 976 | NEAS.7fea47426d14645b7fdf87327f55f300.exe | cmd.exe
PID 976 wrote to memory of 2408 | 976 | NEAS.7fea47426d14645b7fdf87327f55f300.exe | cmd.exe
PID 2408 wrote to memory of 224 | 2408 | cmd.exe | PING.EXE
PID 2408 wrote to memory of 224 | 2408 | cmd.exe | PING.EXE
PID 2408 wrote to memory of 224 | 2408 | cmd.exe | PING.EXE
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\NEAS.7fea47426d14645b7fdf87327f55f300.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.7fea47426d14645b7fdf87327f55f300.exe"
    PID: 976
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 752
      - Executes dropped EXE
  (depth 2) C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\NEAS.7fea47426d14645b7fdf87327f55f300.exe"
      PID: 2408
      - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1
        PID: 224
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 99KB
MD5: a3d1d825dbbf59847ce0497dbf582ea0
SHA1: a3bf28ba18b475edd75020f8000e7b8dfcc34c0b
SHA256: efc4ca81c6fbb9bd31eb3e43929603b1038a6c0eb156020ae9254a3235d4e45d
SHA512: 8b8552ca2dbf68c7431ecb122a17086848b746e5da7fc244ea7002e7f4cc59642b4515378686a9d132b2fb65f737fef06f03aacc0a9b58eca61512a9ab6c4c82