Analysis
- max time kernel: 155s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-10-2023 19:46
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.1cf23f1a8d357c5e5466acdb7ed4dca0.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: NEAS.1cf23f1a8d357c5e5466acdb7ed4dca0.exe
  Resource: win10v2004-20230915-en
General
- Target: NEAS.1cf23f1a8d357c5e5466acdb7ed4dca0.exe
- Size: 32KB
- MD5: 1cf23f1a8d357c5e5466acdb7ed4dca0
- SHA1: ac7db1ace1a395b4eb815ff51f83349da9d97ae6
- SHA256: 7111f7cdfe1b2b426fd0d98360f19b581896dde6f77997abaf6fededba0c420d
- SHA512: 189d5168d41c2e1f4e1ff11faab3119e10f4715ac1e9a1ffe171a28033c63a79803a831be84afe6998821920d7dcdd07918cd63bd3beb7c300b1d8c1447f27fb
- SSDEEP: 384:vnyhSksAVndb4G3w2NMsG9OqvhyY3Q6oVxYv0Dq6ULdAeMB:KhSksandb4GgyMsp4hyYtoVxYUZ
Malware Config
Extracted
sakula
http://vpn.premrera.com:443/viewpre.asp?cstring=%s&tom=%d&id=%d
http://vpn.premrera.com:443/photo/%s.jpg?id=%d
http://173.254.226.212:443/viewpre.asp?cstring=%s&tom=%d&id=%d
http://173.254.226.212:443/photo/%s.jpg?id=%d
Signatures
- Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid   process
  2416  MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: reg.exe
  description      ioc                                                                                                          process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  reg.exe
- Modifies registry key (1 TTP, 1 IoC)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: NEAS.1cf23f1a8d357c5e5466acdb7ed4dca0.exe, cmd.exe, cmd.exe, cmd.exe
  description                       pid   process                                    target process
  PID 2640 wrote to memory of 3956  2640  NEAS.1cf23f1a8d357c5e5466acdb7ed4dca0.exe  cmd.exe
  PID 2640 wrote to memory of 3956  2640  NEAS.1cf23f1a8d357c5e5466acdb7ed4dca0.exe  cmd.exe
  PID 2640 wrote to memory of 3956  2640  NEAS.1cf23f1a8d357c5e5466acdb7ed4dca0.exe  cmd.exe
  PID 2640 wrote to memory of 4844  2640  NEAS.1cf23f1a8d357c5e5466acdb7ed4dca0.exe  cmd.exe
  PID 2640 wrote to memory of 4844  2640  NEAS.1cf23f1a8d357c5e5466acdb7ed4dca0.exe  cmd.exe
  PID 2640 wrote to memory of 4844  2640  NEAS.1cf23f1a8d357c5e5466acdb7ed4dca0.exe  cmd.exe
  PID 2640 wrote to memory of 4040  2640  NEAS.1cf23f1a8d357c5e5466acdb7ed4dca0.exe  cmd.exe
  PID 2640 wrote to memory of 4040  2640  NEAS.1cf23f1a8d357c5e5466acdb7ed4dca0.exe  cmd.exe
  PID 2640 wrote to memory of 4040  2640  NEAS.1cf23f1a8d357c5e5466acdb7ed4dca0.exe  cmd.exe
  PID 4844 wrote to memory of 2416  4844  cmd.exe                                    MediaCenter.exe
  PID 4844 wrote to memory of 2416  4844  cmd.exe                                    MediaCenter.exe
  PID 4844 wrote to memory of 2416  4844  cmd.exe                                    MediaCenter.exe
  PID 3956 wrote to memory of 1196  3956  cmd.exe                                    reg.exe
  PID 3956 wrote to memory of 1196  3956  cmd.exe                                    reg.exe
  PID 3956 wrote to memory of 1196  3956  cmd.exe                                    reg.exe
  PID 4040 wrote to memory of 3572  4040  cmd.exe                                    PING.EXE
  PID 4040 wrote to memory of 3572  4040  cmd.exe                                    PING.EXE
  PID 4040 wrote to memory of 3572  4040  cmd.exe                                    PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.1cf23f1a8d357c5e5466acdb7ed4dca0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.1cf23f1a8d357c5e5466acdb7ed4dca0.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2640
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3956
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      - Adds Run key to start application
      - Modifies registry key
      PID: 1196
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4844
    - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 2416
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.1cf23f1a8d357c5e5466acdb7ed4dca0.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4040
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3572
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 32KB
  MD5: 31c36ac08fdf8f980b8059bd34c2550d
  SHA1: ac62cd3af80b5023caf87a1a21e2809be85b12c6
  SHA256: a5fbcc54fc8402fb47cc10cd0166dd8f10654d98265e12a6daf964460cddb8b6
  SHA512: 3d9df91c063fbb714487dfb58fe38898e0ba5f577880fdb9ec82b0d07bd2d5b3223ca70e7a26df97f505c7ea1dbfd667b91d7ccbbf8477d400c480044d013555
- memory/2640-0-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
- memory/2640-2-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB