Analysis
- max time kernel: 142s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 15-10-2023 19:49

Static task: static1
Behavioral task: behavioral1
- Sample: e8c9b7f59a3a01397d9e5a7be24aba70_exe32.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: e8c9b7f59a3a01397d9e5a7be24aba70_exe32.exe
- Resource: win10v2004-20230915-en

The results on this page are from behavioral1 (platform windows7_x64, resource win7-20230831-en); the Windows 10 run is a separate task.
General
- Target: e8c9b7f59a3a01397d9e5a7be24aba70_exe32.exe
- Size: 71KB
- MD5: e8c9b7f59a3a01397d9e5a7be24aba70
- SHA1: 80605c6bfd3d014b0cf22cd42f392cbf7ad8d111
- SHA256: bdca0c7f1c605c0c7276aace42c629d34351a3a96bc1e6f92143a574d7056448
- SHA512: a773374c95ca19f9b3c0a3db87aecb0ade48b646df35da62dc917380cac32af2b5ff83b4aea70dac4d1bdd28fd2c6c75c909ed4d2d8e0b77c36b3d3fb490e07c
- SSDEEP: 768:bhSksandb4GgyMsp4hyYtoVxYGm1ZAe0oAGA:bTsGpehyYtkYvnr0o9A
Malware Config
Extracted family: sakula
C2 URL templates (printf-style: %s is a string and %d an integer that the implant fills in at runtime, so these must be matched as patterns, not as literal URLs):
- http://vpn.premrera.com:443/viewpre.asp?cstring=%s&tom=%d&id=%d
- http://vpn.premrera.com:443/photo/%s.jpg?id=%d
- http://173.254.226.212:443/viewpre.asp?cstring=%s&tom=%d&id=%d
- http://173.254.226.212:443/photo/%s.jpg?id=%d
Both the hostname vpn.premrera.com and the bare IP 173.254.226.212 are network indicators. The scheme is http:// on port 443, so traffic that follows these templates is plain HTTP on the usual HTTPS port, which is itself a useful detection signal on a proxy or IDS.
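As an added example that is not part of the sandbox report, the following Python turns the four templates above into proxy-log matchers and lists the host/port indicators. The %s/%d placeholders are converted to capture groups rather than compared literally. The log lines and the log format (a space-separated client, method, URL triple) are constructed assumptions.

```python
"""Convert printf-style C2 URL templates into regexes and scan proxy log lines.
Templates are from the report; the log lines below are constructed."""
import re
from urllib.parse import urlsplit

TEMPLATES = [
    "http://vpn.premrera.com:443/viewpre.asp?cstring=%s&tom=%d&id=%d",
    "http://vpn.premrera.com:443/photo/%s.jpg?id=%d",
    "http://173.254.226.212:443/viewpre.asp?cstring=%s&tom=%d&id=%d",
    "http://173.254.226.212:443/photo/%s.jpg?id=%d",
]


def template_to_regex(template):
    """Escape the literal parts of a template and replace %s / %d with
    capture groups. %s is assumed not to span a path or query separator."""
    out = []
    for part in re.split(r"(%[sd])", template):
        if part == "%s":
            out.append(r"([^/?&]+)")
        elif part == "%d":
            out.append(r"(\d+)")
        else:
            out.append(re.escape(part))
    return re.compile("^" + "".join(out) + "$")


MATCHERS = [(t, template_to_regex(t)) for t in TEMPLATES]


def indicators(templates):
    """Distinct (host, port, scheme) tuples: both the hostname and the bare IP
    are indicators, and http on 443 means plaintext HTTP on the HTTPS port."""
    seen = set()
    for t in templates:
        u = urlsplit(t)
        seen.add((u.hostname, u.port, u.scheme))
    return sorted(seen)


# Constructed log lines: "<client> <method> <url>". Lines 1 and 2 follow the
# templates; line 3 is unrelated; line 4 has a non-numeric id and must not match.
LOG = """\
10.0.0.5 GET http://vpn.premrera.com:443/viewpre.asp?cstring=WIN7-ADMIN&tom=1&id=1001
10.0.0.5 GET http://173.254.226.212:443/photo/WIN7-ADMIN.jpg?id=1001
10.0.0.7 GET http://www.example.com/photo/cat.jpg?id=3
10.0.0.5 GET http://vpn.premrera.com:443/photo/x.jpg?id=abc
"""


def scan_log(text):
    """Return (client, matched_template, captured_fields) for each hit."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        url = fields[2]
        for template, rx in MATCHERS:
            m = rx.match(url)
            if m:
                hits.append((fields[0], template, m.groups()))
                break
    return hits


if __name__ == "__main__":
    print(indicators(TEMPLATES))
    for hit in scan_log(LOG):
        print(hit)
```

The captured fields (the cstring value and the numeric ids) are worth keeping in the alert: in the first template they are the per-victim identifiers the implant sends, so they let you count distinct infected hosts rather than just hits.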
Signatures
- Deletes itself (1 IoC)
  Process: PID 2956 cmd.exe
- Executes dropped EXE (1 IoC)
  Process: PID 2704 MediaCenter.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 2096 cmd.exe; PID 2096 cmd.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: reg.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  The command line asked for HKLM\Software\Microsoft\Windows\CurrentVersion\Run, but the 32-bit reg.exe from SysWOW64 ran on a 64-bit host, so the write was redirected to the Wow6432Node view. A host check for this value must look at both the native and the Wow6432Node Run keys.
- Modifies registry key (1 TTP, 1 IoC)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of WriteProcessMemory (24 IoCs)
  Each parent-to-child write below was recorded four times (the sandbox logs several writes per process creation), giving six distinct relationships:
  - PID 2124 (e8c9b7f59a3a01397d9e5a7be24aba70_exe32.exe) wrote to memory of PID 2640 (cmd.exe), x4
  - PID 2124 (e8c9b7f59a3a01397d9e5a7be24aba70_exe32.exe) wrote to memory of PID 2096 (cmd.exe), x4
  - PID 2124 (e8c9b7f59a3a01397d9e5a7be24aba70_exe32.exe) wrote to memory of PID 2956 (cmd.exe), x4
  - PID 2096 (cmd.exe) wrote to memory of PID 2704 (MediaCenter.exe), x4
  - PID 2956 (cmd.exe) wrote to memory of PID 2580 (PING.EXE), x4
  - PID 2640 (cmd.exe) wrote to memory of PID 2812 (reg.exe), x4
Processes (indented by depth in the tree; each entry gives image, command line, PID and the signatures it triggered)
- C:\Users\Admin\AppData\Local\Temp\e8c9b7f59a3a01397d9e5a7be24aba70_exe32.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e8c9b7f59a3a01397d9e5a7be24aba70_exe32.exe"
  PID 2124; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    PID 2640; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      PID 2812; Adds Run key to start application; Modifies registry key
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    PID 2096; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID 2704; Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\e8c9b7f59a3a01397d9e5a7be24aba70_exe32.exe"
    PID 2956; Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID 2580; Runs ping.exe

Read top to bottom, the sample does three things through cmd.exe: it registers the dropped MediaCenter.exe for autostart, launches it, and then removes its own file. The ping 127.0.0.1 in the last command is a delay (four loopback echoes) so that the original process has exited and its image is unlocked before del runs; the "Deletes itself" label is attached to the cmd.exe that performs the deletion, not to the sample itself.
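As an added example that is not part of the sandbox report, the following Python flags the two behaviours in the tree above on process-creation telemetry: a Run/RunOnce value pointing at a user-writable location, and a `ping ... & del "<file>"` delayed delete whose target is the parent process's own image. Field names follow Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine); that log source, the events, the benign control row and the regexes are constructed assumptions mirroring the tree, not data from the report. The registry normaliser shows how to compare the kernel-style, Wow6432Node-redirected path the sandbox recorded with the HKLM path typed on the command line.

```python
"""Detection logic for user-land Run-key persistence and delayed self-deletion,
run over constructed process-creation events shaped like Sysmon Event ID 1."""
import ntpath
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\e8c9b7f59a3a01397d9e5a7be24aba70_exe32.exe"
DROPPED = TEMP + r"\MicroMedia\MediaCenter.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG_ADD = (r'reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run '
           r'/v "MicroMedia" /t REG_SZ /d "' + DROPPED + '"')

# Constructed events, one per process in the tree; the last row is a benign
# control (an installer registering a Run value under Program Files).
EVENTS = [
    dict(ProcessId=2124, ParentProcessId=1000, Image=SAMPLE, CommandLine='"' + SAMPLE + '"'),
    dict(ProcessId=2640, ParentProcessId=2124, Image=CMD, CommandLine="cmd.exe /c " + REG_ADD),
    dict(ProcessId=2812, ParentProcessId=2640, Image=r"C:\Windows\SysWOW64\reg.exe", CommandLine=REG_ADD),
    dict(ProcessId=2096, ParentProcessId=2124, Image=CMD, CommandLine='cmd.exe /c "' + DROPPED + '"'),
    dict(ProcessId=2704, ParentProcessId=2096, Image=DROPPED, CommandLine=DROPPED),
    dict(ProcessId=2956, ParentProcessId=2124, Image=CMD,
         CommandLine='cmd.exe /c ping 127.0.0.1 & del "' + SAMPLE + '"'),
    dict(ProcessId=2580, ParentProcessId=2956, Image=r"C:\Windows\SysWOW64\PING.EXE",
         CommandLine="ping 127.0.0.1"),
    dict(ProcessId=3100, ParentProcessId=900, Image=r"C:\Windows\System32\reg.exe",
         CommandLine=r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                     r'/v Updater /t REG_SZ /d "C:\Program Files\Vendor\updater.exe"'),
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.I)
REG_VALUE_RE = re.compile(r'/v\s+(?:"([^"]*)"|(\S+))', re.I)
REG_DATA_RE = re.compile(r'/d\s+(?:"([^"]*)"|(\S+))', re.I)
# Places an unprivileged user can write to; a Run entry pointing here is the
# user-land persistence shape seen in this report.
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
# `ping <anything> & del <file>`: ping is the delay that lets the parent exit
# before del runs. Optional del switches (/f, /q) are tolerated.
DELAYED_DELETE_RE = re.compile(
    r'\bping\b[^&]*&+\s*del\s+(?:/\w+\s+)*(?:"([^"]*)"|(\S+))', re.I)


def _pick(m):
    """First non-empty capture of a (quoted|bare) alternative."""
    return m.group(1) if m.group(1) is not None else m.group(2)


def normalize_registry_path(path):
    r"""Map \REGISTRY\MACHINE and HKEY_* prefixes to HKLM/HKCU and drop the
    Wow6432Node redirection, so the SetValue IoC recorded by the sandbox
    compares equal to the key named on the reg.exe command line."""
    p = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", path, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\USER\\[^\\]+", "HKCU", p, flags=re.I)
    p = re.sub(r"^HKEY_LOCAL_MACHINE", "HKLM", p, flags=re.I)
    p = re.sub(r"^HKEY_CURRENT_USER", "HKCU", p, flags=re.I)
    return re.sub(r"\\Wow6432Node(?=\\)", "", p, flags=re.I)


def detect_run_key_persistence(ev):
    """Finding when reg.exe adds a Run/RunOnce value whose data lives in a
    user-writable path. Only reg.exe is matched; the cmd.exe /c wrapper in
    the tree is covered by its reg.exe child."""
    if ntpath.basename(ev["Image"]).lower() != "reg.exe":
        return None
    cl = ev["CommandLine"]
    if not re.search(r"\badd\b", cl, re.I) or not RUN_KEY_RE.search(cl):
        return None
    d = REG_DATA_RE.search(cl)
    if not d or not USER_WRITABLE_RE.search(_pick(d)):
        return None
    v = REG_VALUE_RE.search(cl)
    return dict(rule="run_key_user_writable", pid=ev["ProcessId"],
                value=_pick(v) if v else None, data=_pick(d))


def detect_delayed_delete(ev, by_pid):
    """Finding for `ping ... & del <file>` run from cmd.exe; self_delete is
    True when the target is the parent process's own image."""
    if ntpath.basename(ev["Image"]).lower() != "cmd.exe":
        return None
    m = DELAYED_DELETE_RE.search(ev["CommandLine"])
    if not m:
        return None
    target = _pick(m)
    parent = by_pid.get(ev["ParentProcessId"])
    is_self = bool(parent) and ntpath.normcase(parent["Image"]) == ntpath.normcase(target)
    return dict(rule="delayed_delete", pid=ev["ProcessId"], target=target, self_delete=is_self)


def scan(events):
    """Run both rules over a list of events and return the findings."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for ev in events:
        for f in (detect_run_key_persistence(ev), detect_delayed_delete(ev, by_pid)):
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

The delayed-delete rule keys on ping because that is what this sample uses; variants that sleep with timeout.exe or choice.exe need the same shape with a different first token. Pairing the command-line rule with the parent-image comparison is what separates a self-deleting dropper from an ordinary cleanup script.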
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  (listed four times in the report, twice with the drive letter and twice as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe; all four entries carry identical hashes and are the same dropped file)
  - Filesize: 71KB
  - MD5: 883951d65fa1f12b3c90532aa9ef7559
  - SHA1: 6220f46ec93752e98a3f4963c38362347f309625
  - SHA256: 802eb58b93f000b19fab6f4283b5cfdbe9a7fd802536972931ad45004aae1b80
  - SHA512: 86b7fc6af4998e86705b2e8d21f6d1ef5e8bb914f6cb911effed464880cf929555a90abd395240b770cb4fe90228523f00d7832348be9bdf962bbfe30d203a7d
  The dropped file has the same reported size as the submitted sample (71KB) but different hashes, so it is not a byte-identical copy; both hash sets should be tracked as indicators.
- Memory dumps of PID 2124, image region 0x0000000000400000-0x000000000040B000 (three snapshots of the same 44KB region):
  - memory/2124-0-0x0000000000400000-0x000000000040B000-memory.dmp: 44KB
  - memory/2124-1-0x0000000000400000-0x000000000040B000-memory.dmp: 44KB
  - memory/2124-3-0x0000000000400000-0x000000000040B000-memory.dmp: 44KB