Analysis

max time kernel: 144s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-10-2023 03:40
Static task: static1

Behavioral task: behavioral1
  Sample: cd64145da6ddb5857039ef96ca9b47d0_JC.exe
  Resource: win7-20230831-en

Behavioral task: behavioral2
  Sample: cd64145da6ddb5857039ef96ca9b47d0_JC.exe
  Resource: win10v2004-20230915-en
General

Target: cd64145da6ddb5857039ef96ca9b47d0_JC.exe
Size: 42KB
MD5: cd64145da6ddb5857039ef96ca9b47d0
SHA1: 75917fb5294498f70f1472aaafab27a892e3e614
SHA256: 4e64e96e5f49908f9bd44176dbdd2012e84bb6e7bde72af419ada7e8a17e303a
SHA512: ae2a4586d7881811031e441b1ee62ee7a6bc6bbf1e86679c6ef5b695969e7426f7a6d3fff244a8e6cbcb50e31adf1e8ed76947123f898c79634f6df987329be2
SSDEEP: 768:/hSksandb4GgyMsp4hyYtoVxYGm1q+R9cFDBMm:/TsGpehyYtkYvYm9cHMm
Malware Config

Extracted config (family: sakula), URL templates:
  http://vpn.premrera.com:443/viewpre.asp?cstring=%s&tom=%d&id=%d
  http://vpn.premrera.com:443/photo/%s.jpg?id=%d
  http://173.254.226.212:443/viewpre.asp?cstring=%s&tom=%d&id=%d
  http://173.254.226.212:443/photo/%s.jpg?id=%d
Signatures

Executes dropped EXE (1 IoC)
  Processes: MediaCenter.exe
  pid  | process
  4344 | MediaCenter.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: reg.exe
  description     | ioc                                                                                                                                                                            | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | reg.exe

Modifies registry key (1 TTP, 1 IoC)

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: cd64145da6ddb5857039ef96ca9b47d0_JC.exe, cmd.exe, cmd.exe, cmd.exe
  description                        | pid  | process                                 | target process
  PID 4088 wrote to memory of 1748   | 4088 | cd64145da6ddb5857039ef96ca9b47d0_JC.exe | cmd.exe
  PID 4088 wrote to memory of 1748   | 4088 | cd64145da6ddb5857039ef96ca9b47d0_JC.exe | cmd.exe
  PID 4088 wrote to memory of 1748   | 4088 | cd64145da6ddb5857039ef96ca9b47d0_JC.exe | cmd.exe
  PID 4088 wrote to memory of 2504   | 4088 | cd64145da6ddb5857039ef96ca9b47d0_JC.exe | cmd.exe
  PID 4088 wrote to memory of 2504   | 4088 | cd64145da6ddb5857039ef96ca9b47d0_JC.exe | cmd.exe
  PID 4088 wrote to memory of 2504   | 4088 | cd64145da6ddb5857039ef96ca9b47d0_JC.exe | cmd.exe
  PID 4088 wrote to memory of 5060   | 4088 | cd64145da6ddb5857039ef96ca9b47d0_JC.exe | cmd.exe
  PID 4088 wrote to memory of 5060   | 4088 | cd64145da6ddb5857039ef96ca9b47d0_JC.exe | cmd.exe
  PID 4088 wrote to memory of 5060   | 4088 | cd64145da6ddb5857039ef96ca9b47d0_JC.exe | cmd.exe
  PID 2504 wrote to memory of 4344   | 2504 | cmd.exe                                 | MediaCenter.exe
  PID 2504 wrote to memory of 4344   | 2504 | cmd.exe                                 | MediaCenter.exe
  PID 2504 wrote to memory of 4344   | 2504 | cmd.exe                                 | MediaCenter.exe
  PID 5060 wrote to memory of 1476   | 5060 | cmd.exe                                 | PING.EXE
  PID 5060 wrote to memory of 1476   | 5060 | cmd.exe                                 | PING.EXE
  PID 5060 wrote to memory of 1476   | 5060 | cmd.exe                                 | PING.EXE
  PID 1748 wrote to memory of 2276   | 1748 | cmd.exe                                 | reg.exe
  PID 1748 wrote to memory of 2276   | 1748 | cmd.exe                                 | reg.exe
  PID 1748 wrote to memory of 2276   | 1748 | cmd.exe                                 | reg.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\cd64145da6ddb5857039ef96ca9b47d0_JC.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cd64145da6ddb5857039ef96ca9b47d0_JC.exe"
    PID: 4088
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
        PID: 1748
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
            PID: 2276
            - Adds Run key to start application
            - Modifies registry key

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
        PID: 2504
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
            PID: 4344
            - Executes dropped EXE

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\cd64145da6ddb5857039ef96ca9b47d0_JC.exe"
        PID: 5060
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            PID: 1476
            - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 42KB
MD5: 5828e6ee661b0fb65a47b279d3683e24
SHA1: cb6541f5f7acee95b2d52dfd434eaa693f79d057
SHA256: 5da3e5d55a901edef3a70f28083dc216624b55ce59c82f6eaea717b2ac8aa7db
SHA512: 74ceabf859d04839d7511e4660a8ec165283be2173e632d943cc00befd3659d0d79e78645cea139b276ea8aa7045c8efe429137e6b2b6bf94cdc6e002bcc1c93