Analysis
- max time kernel: 140s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20231020-en locale:en-us os:windows10-2004-x64 system
- submitted: 24-10-2023 20:47
Static task: static1
Behavioral task: behavioral1
- Sample: NEAS.d1ae88b6359c014db3936ee49b49ae10.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: NEAS.d1ae88b6359c014db3936ee49b49ae10.exe
- Resource: win10v2004-20231020-en
General
- Target: NEAS.d1ae88b6359c014db3936ee49b49ae10.exe
- Size: 76KB
- MD5: d1ae88b6359c014db3936ee49b49ae10
- SHA1: fe4b9dfed33cbf0ef5faedcf4bac33f8910d28be
- SHA256: 63021500b354f3f4e5a97eefcc5c97958377945ca6cb90c9b9242b1e3eecfd03
- SHA512: 2546cbe0da5451df23a30b085d81af08e09ceadb0660e67d89d7855c47fd3615c8835c40e1cb0363edc00dd7a7765e2bcb86612043df6b5f8ea20e08b4100924
- SSDEEP: 768:FhSksandb4GgyMsp4hyYtoVxYGm1ZAIPsED3VK2+ZtyOjgO4r9vFAg2rqK:FTsGpehyYtkYvnbYTjipvF2L
Malware Config
Extracted
sakula
http://vpn.premrera.com:443/viewpre.asp?cstring=%s&tom=%d&id=%d
http://vpn.premrera.com:443/photo/%s.jpg?id=%d
http://173.254.226.212:443/viewpre.asp?cstring=%s&tom=%d&id=%d
http://173.254.226.212:443/photo/%s.jpg?id=%d
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid: 3776 | process: MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    process: reg.exe
- Modifies registry key (1 TTP, 1 IoC)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: NEAS.d1ae88b6359c014db3936ee49b49ae10.exe, cmd.exe, cmd.exe, cmd.exe
    description | pid | process | target process
    PID 5020 wrote to memory of 1844 | 5020 | NEAS.d1ae88b6359c014db3936ee49b49ae10.exe | cmd.exe
    PID 5020 wrote to memory of 1844 | 5020 | NEAS.d1ae88b6359c014db3936ee49b49ae10.exe | cmd.exe
    PID 5020 wrote to memory of 1844 | 5020 | NEAS.d1ae88b6359c014db3936ee49b49ae10.exe | cmd.exe
    PID 5020 wrote to memory of 1056 | 5020 | NEAS.d1ae88b6359c014db3936ee49b49ae10.exe | cmd.exe
    PID 5020 wrote to memory of 1056 | 5020 | NEAS.d1ae88b6359c014db3936ee49b49ae10.exe | cmd.exe
    PID 5020 wrote to memory of 1056 | 5020 | NEAS.d1ae88b6359c014db3936ee49b49ae10.exe | cmd.exe
    PID 5020 wrote to memory of 4084 | 5020 | NEAS.d1ae88b6359c014db3936ee49b49ae10.exe | cmd.exe
    PID 5020 wrote to memory of 4084 | 5020 | NEAS.d1ae88b6359c014db3936ee49b49ae10.exe | cmd.exe
    PID 5020 wrote to memory of 4084 | 5020 | NEAS.d1ae88b6359c014db3936ee49b49ae10.exe | cmd.exe
    PID 4084 wrote to memory of 2096 | 4084 | cmd.exe | PING.EXE
    PID 4084 wrote to memory of 2096 | 4084 | cmd.exe | PING.EXE
    PID 4084 wrote to memory of 2096 | 4084 | cmd.exe | PING.EXE
    PID 1844 wrote to memory of 4292 | 1844 | cmd.exe | reg.exe
    PID 1844 wrote to memory of 4292 | 1844 | cmd.exe | reg.exe
    PID 1844 wrote to memory of 4292 | 1844 | cmd.exe | reg.exe
    PID 1056 wrote to memory of 3776 | 1056 | cmd.exe | MediaCenter.exe
    PID 1056 wrote to memory of 3776 | 1056 | cmd.exe | MediaCenter.exe
    PID 1056 wrote to memory of 3776 | 1056 | cmd.exe | MediaCenter.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.d1ae88b6359c014db3936ee49b49ae10.exe (PID 5020)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.d1ae88b6359c014db3936ee49b49ae10.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1844)
    Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 4292)
      Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      Signatures: Adds Run key to start application; Modifies registry key
  - C:\Windows\SysWOW64\cmd.exe (PID 4084)
    Command line: cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.d1ae88b6359c014db3936ee49b49ae10.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 2096)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
  - C:\Windows\SysWOW64\cmd.exe (PID 1056)
    Command line: cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3776)
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 76KB
  MD5: 3db650beba143a4e3542c30ae12581d0
  SHA1: 253c893ed5144c7f385a195c65151388cbe3df79
  SHA256: 443ee05de164ed05aa23e442fc26b521c5629243165fd031edc4a747d48eec60
  SHA512: 7feaabd17129e480edee8b1620ce5c5db8986cb0c4f7a9802bbedd8d655f9c1989e805e8bd2b0fc37d24feebeac29379b243fd59c7e18a9ed2a0e7ff306e18ae
- memory/3776-8-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/3776-9-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/3776-10-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/5020-0-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/5020-1-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/5020-2-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/5020-4-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB