Analysis

  • max time kernel
    141s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    13-10-2023 19:46

General

  • Target

    NEAS.1cf23f1a8d357c5e5466acdb7ed4dca0.exe

  • Size

    32KB

  • MD5

    1cf23f1a8d357c5e5466acdb7ed4dca0

  • SHA1

    ac7db1ace1a395b4eb815ff51f83349da9d97ae6

  • SHA256

    7111f7cdfe1b2b426fd0d98360f19b581896dde6f77997abaf6fededba0c420d

  • SHA512

    189d5168d41c2e1f4e1ff11faab3119e10f4715ac1e9a1ffe171a28033c63a79803a831be84afe6998821920d7dcdd07918cd63bd3beb7c300b1d8c1447f27fb

  • SSDEEP

    384:vnyhSksAVndb4G3w2NMsG9OqvhyY3Q6oVxYv0Dq6ULdAeMB:KhSksandb4GgyMsp4hyYtoVxYUZ

Malware Config

Extracted

Family

sakula

C2

http://vpn.premrera.com:443/viewpre.asp?cstring=%s&tom=%d&id=%d

http://vpn.premrera.com:443/photo/%s.jpg?id=%d

http://173.254.226.212:443/viewpre.asp?cstring=%s&tom=%d&id=%d

http://173.254.226.212:443/photo/%s.jpg?id=%d

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.1cf23f1a8d357c5e5466acdb7ed4dca0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.1cf23f1a8d357c5e5466acdb7ed4dca0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:1720
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.1cf23f1a8d357c5e5466acdb7ed4dca0.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2624
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        3⤵
        • Executes dropped EXE
        PID:2652

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Filesize

    32KB

    MD5

    0b0eb4435d189829761fb935d047051d

    SHA1

    f42707bb6b9687f5b2172a50bbe325bfcd1156b0

    SHA256

    06588a9b1df750f826df0decf1584f2d3596acc21b125390ec473e986b6c3be5

    SHA512

    69e21955f2517121b2c3a939eb82020d109e552e148f764b1fab27d9f158a82a867b387a4ec3ceb1b30ccbf869feec7794f1ae7616ff662a88467bfb578f7701

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Filesize

    32KB

    MD5

    0b0eb4435d189829761fb935d047051d

    SHA1

    f42707bb6b9687f5b2172a50bbe325bfcd1156b0

    SHA256

    06588a9b1df750f826df0decf1584f2d3596acc21b125390ec473e986b6c3be5

    SHA512

    69e21955f2517121b2c3a939eb82020d109e552e148f764b1fab27d9f158a82a867b387a4ec3ceb1b30ccbf869feec7794f1ae7616ff662a88467bfb578f7701

  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Filesize

    32KB

    MD5

    0b0eb4435d189829761fb935d047051d

    SHA1

    f42707bb6b9687f5b2172a50bbe325bfcd1156b0

    SHA256

    06588a9b1df750f826df0decf1584f2d3596acc21b125390ec473e986b6c3be5

    SHA512

    69e21955f2517121b2c3a939eb82020d109e552e148f764b1fab27d9f158a82a867b387a4ec3ceb1b30ccbf869feec7794f1ae7616ff662a88467bfb578f7701

  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Filesize

    32KB

    MD5

    0b0eb4435d189829761fb935d047051d

    SHA1

    f42707bb6b9687f5b2172a50bbe325bfcd1156b0

    SHA256

    06588a9b1df750f826df0decf1584f2d3596acc21b125390ec473e986b6c3be5

    SHA512

    69e21955f2517121b2c3a939eb82020d109e552e148f764b1fab27d9f158a82a867b387a4ec3ceb1b30ccbf869feec7794f1ae7616ff662a88467bfb578f7701

  • memory/2692-0-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

  • memory/2692-2-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB