Analysis
max time kernel: 157s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-10-2023 19:43

Static task: static1

Behavioral task: behavioral1
  Sample: NEAS.NEASe98b69ff231cf10e885c2421bd3c5fc5exe.exe
  Resource: win7-20230831-en

Behavioral task: behavioral2
  Sample: NEAS.NEASe98b69ff231cf10e885c2421bd3c5fc5exe.exe
  Resource: win10v2004-20230915-en
General
Target: NEAS.NEASe98b69ff231cf10e885c2421bd3c5fc5exe.exe
Size: 35KB
MD5: e98b69ff231cf10e885c2421bd3c5fc5
SHA1: 88173852631dff2e54de5eff588b9c4d9b58758b
SHA256: 389f4f8705e6017d42e3f637e5609c5d68fb1322ff836d354f99df9dbd374b8f
SHA512: 6be189e42c93cc5cf7b3299d541e6aba23c9623a9d4df98fc44f6e1714d7ea627a76e5f08c72003c041dab84d061efca6573a7eca3130c8934d67237a37bbe09
SSDEEP: 768:TwbYGCv4nuEcJpQK4TQbtKvXwXgA9lJJea+yGCJQqeWnAEv2647Dk:TwbYP4nuEApQK4TQbtY2gA9DX+ytBOu
Malware Config

Signatures

Sakula payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/4824-6-0x0000000000400000-0x000000000041A000-memory.dmp    family_sakula
  behavioral2/memory/636-8-0x0000000000400000-0x000000000041A000-memory.dmp     family_sakula
  behavioral2/memory/4824-13-0x0000000000400000-0x000000000041A000-memory.dmp   family_sakula
  behavioral2/memory/636-18-0x0000000000400000-0x000000000041A000-memory.dmp    family_sakula

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  process: NEAS.NEASe98b69ff231cf10e885c2421bd3c5fc5exe.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
  pid   process
  636   MediaCenter.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  process: NEAS.NEASe98b69ff231cf10e885c2421bd3c5fc5exe.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                           pid    process
  Token: SeIncBasePriorityPrivilege     4824   NEAS.NEASe98b69ff231cf10e885c2421bd3c5fc5exe.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid    process                                              target process
  PID 4824 wrote to memory of 636   4824   NEAS.NEASe98b69ff231cf10e885c2421bd3c5fc5exe.exe    MediaCenter.exe
  PID 4824 wrote to memory of 636   4824   NEAS.NEASe98b69ff231cf10e885c2421bd3c5fc5exe.exe    MediaCenter.exe
  PID 4824 wrote to memory of 636   4824   NEAS.NEASe98b69ff231cf10e885c2421bd3c5fc5exe.exe    MediaCenter.exe
  PID 4824 wrote to memory of 776   4824   NEAS.NEASe98b69ff231cf10e885c2421bd3c5fc5exe.exe    cmd.exe
  PID 4824 wrote to memory of 776   4824   NEAS.NEASe98b69ff231cf10e885c2421bd3c5fc5exe.exe    cmd.exe
  PID 4824 wrote to memory of 776   4824   NEAS.NEASe98b69ff231cf10e885c2421bd3c5fc5exe.exe    cmd.exe
  PID 776 wrote to memory of 2228   776    cmd.exe                                              PING.EXE
  PID 776 wrote to memory of 2228   776    cmd.exe                                              PING.EXE
  PID 776 wrote to memory of 2228   776    cmd.exe                                              PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.NEASe98b69ff231cf10e885c2421bd3c5fc5exe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.NEASe98b69ff231cf10e885c2421bd3c5fc5exe.exe"
  PID: 4824
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 636
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\NEAS.NEASe98b69ff231cf10e885c2421bd3c5fc5exe.exe"
    PID: 776
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 2228
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 35KB
  MD5: ea7ee4d712a7006da0d81e01e1cf936f
  SHA1: 6a54b34736bb3aaca3a9c79115db7c2398eb1d80
  SHA256: e38e757c49214ff3ba1a246e849ab6e463b5d446c01197444182956cd0ffe8c8
  SHA512: d27fa8d39b81432b9a9990ee7dc92211998f93118e7d6c220fb39d8e02bfee703a20caa3e9cdde7997bac10f4880ee9d01095a30be68969458775b3552abb1c4

memory/636-4-0x0000000000400000-0x000000000041A000-memory.dmp
  Filesize: 104KB

memory/636-8-0x0000000000400000-0x000000000041A000-memory.dmp
  Filesize: 104KB

memory/636-18-0x0000000000400000-0x000000000041A000-memory.dmp
  Filesize: 104KB

memory/4824-0-0x0000000000400000-0x000000000041A000-memory.dmp
  Filesize: 104KB

memory/4824-6-0x0000000000400000-0x000000000041A000-memory.dmp
  Filesize: 104KB

memory/4824-13-0x0000000000400000-0x000000000041A000-memory.dmp
  Filesize: 104KB