Analysis
max time kernel: 138s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-10-2023 04:31
Behavioral task
behavioral1
Sample
NEAS.346e98405290305ebf3f95411b795380_JC.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
NEAS.346e98405290305ebf3f95411b795380_JC.exe
Resource
win10v2004-20231023-en
General
Target: NEAS.346e98405290305ebf3f95411b795380_JC.exe
Size: 99KB
MD5: 346e98405290305ebf3f95411b795380
SHA1: 6a5d16e22d35a2b74deac2c5b482980984f41031
SHA256: 67c9ac0c939e0183fad7dec8e8ad2058139c8ee41ad684888234e4437b65c27d
SHA512: b62446c6e89da0f300c461c9aabdfe1a5052f5a01c1b3fba760384a1525d495a1788336ef95ecfabe60c94e90f872fae55bb0c4c4661d60b1e962446c5189c24
SSDEEP: 1536:Loaj1hJL1S9t0MIeboal8bCKxo7h0RPaaml0Nz30rtrdxW:c0hpgz6xGhZamyF30BBxW
Malware Config
Signatures
Sakula payload (7 IoCs)
resource | yara_rule
behavioral2/memory/3868-0-0x0000000000400000-0x000000000041B000-memory.dmp | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
behavioral2/memory/3492-4-0x0000000000400000-0x000000000041B000-memory.dmp | family_sakula
behavioral2/memory/3868-6-0x0000000000400000-0x000000000041B000-memory.dmp | family_sakula
behavioral2/memory/3492-7-0x0000000000400000-0x000000000041B000-memory.dmp | family_sakula
behavioral2/memory/3868-8-0x0000000000400000-0x000000000041B000-memory.dmp | family_sakula
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | NEAS.346e98405290305ebf3f95411b795380_JC.exe
Executes dropped EXE (1 IoC)
pid | process
3492 | MediaCenter.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | NEAS.346e98405290305ebf3f95411b795380_JC.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeIncBasePriorityPrivilege | 3868 | NEAS.346e98405290305ebf3f95411b795380_JC.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | process | target process
PID 3868 wrote to memory of 3492 | 3868 | NEAS.346e98405290305ebf3f95411b795380_JC.exe | MediaCenter.exe
PID 3868 wrote to memory of 3492 | 3868 | NEAS.346e98405290305ebf3f95411b795380_JC.exe | MediaCenter.exe
PID 3868 wrote to memory of 3492 | 3868 | NEAS.346e98405290305ebf3f95411b795380_JC.exe | MediaCenter.exe
PID 3868 wrote to memory of 1192 | 3868 | NEAS.346e98405290305ebf3f95411b795380_JC.exe | cmd.exe
PID 3868 wrote to memory of 1192 | 3868 | NEAS.346e98405290305ebf3f95411b795380_JC.exe | cmd.exe
PID 3868 wrote to memory of 1192 | 3868 | NEAS.346e98405290305ebf3f95411b795380_JC.exe | cmd.exe
PID 1192 wrote to memory of 4372 | 1192 | cmd.exe | PING.EXE
PID 1192 wrote to memory of 4372 | 1192 | cmd.exe | PING.EXE
PID 1192 wrote to memory of 4372 | 1192 | cmd.exe | PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\NEAS.346e98405290305ebf3f95411b795380_JC.exe (PID 3868)
   command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.346e98405290305ebf3f95411b795380_JC.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3492)
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe (PID 1192)
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\NEAS.346e98405290305ebf3f95411b795380_JC.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 4372)
         command line: ping 127.0.0.1
         - Runs ping.exe
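The Signatures section and the process tree above show two behaviours worth turning into detections: the dropper registers a Run key pointing at a copy of itself under the user's Temp directory, and it removes its original image with "cmd.exe /c ping 127.0.0.1 & del /q <own path>" (the ping is only a delay so the file handle is released before the delete). The tree also shows cmd.exe launched as C:\Windows\System32\cmd.exe but running from C:\Windows\SysWOW64, which is what the WOW64 file-system redirector does when the creating process is 32-bit, consistent with the arch:x86 tag. The following is an added example, not part of the sandbox report or any vendor product: it runs those checks over Sysmon-style events constructed from the report's process tree and registry IoC. The event field names (image, command_line, ppid, target_object, details), the parent PID 1234 for the initial process, and the benign updater control event are assumptions for the example.

```python
"""Added detection example over Sysmon-style events modelled on the report above.

Checks implemented:
  1. self-deletion via "cmd.exe /c ping <host> & del /q <path>", confirmed when
     <path> is the image of the process that spawned cmd.exe;
  2. a Run key (HKLM or HKCU, WOW6432Node included) whose value points into a
     user's AppData\\Local\\Temp directory;
  3. System32-vs-SysWOW64 mismatch between command line and image, which shows
     the parent ran under WOW64 (32-bit).
"""
import re
from typing import Dict, List

# Constructed sample events (not captured data). Field names follow Sysmon
# Event ID 1 (ProcessCreate) and Event ID 13 (RegistryEvent); ppid 1234 for the
# initial process and the last "VendorUpdater" control event are assumptions.
EVENTS: List[Dict[str, str]] = [
    {"event": "ProcessCreate", "pid": "3868", "ppid": "1234",
     "image": r"C:\Users\Admin\AppData\Local\Temp\NEAS.346e98405290305ebf3f95411b795380_JC.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\NEAS.346e98405290305ebf3f95411b795380_JC.exe"'},
    {"event": "RegistryEvent", "pid": "3868",
     "image": r"C:\Users\Admin\AppData\Local\Temp\NEAS.346e98405290305ebf3f95411b795380_JC.exe",
     "target_object": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "details": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"event": "ProcessCreate", "pid": "3492", "ppid": "3868",
     "image": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "command_line": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"event": "ProcessCreate", "pid": "1192", "ppid": "3868",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q '
                     r'"C:\Users\Admin\AppData\Local\Temp\NEAS.346e98405290305ebf3f95411b795380_JC.exe"'},
    {"event": "ProcessCreate", "pid": "4372", "ppid": "1192",
     "image": r"C:\Windows\SysWOW64\PING.EXE", "command_line": "ping 127.0.0.1"},
    # Benign control: an installer registering a Run key under Program Files.
    {"event": "RegistryEvent", "pid": "777", "image": r"C:\Program Files\Vendor\setup.exe",
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\updater.exe"},
]

# "ping ... & del [/q] [\"]<drive>:\...\x.exe[\"]" -- captures the deleted path.
SELF_DELETE_RE = re.compile(
    r'\bping\b.*?&\s*del\b[^"]*"?(?P<path>[A-Za-z]:\\[^"&]+?\.exe)"?', re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def _processes_by_pid(events: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    return {e["pid"]: e for e in events if e["event"] == "ProcessCreate"}


def detect_self_delete(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag cmd.exe 'ping & del' chains; mark whether the target is the parent's own image."""
    procs = _processes_by_pid(events)
    findings = []
    for e in events:
        if e["event"] != "ProcessCreate" or not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e["command_line"])
        if not m:
            continue
        target = m.group("path")
        parent = procs.get(e["ppid"])
        findings.append({
            "pid": e["pid"], "parent_pid": e["ppid"], "deleted_path": target,
            "deletes_parent_image": parent is not None and parent["image"].lower() == target.lower(),
        })
    return findings


def detect_temp_run_key(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag Run-key values that point into a user's AppData\\Local\\Temp directory."""
    return [
        {"pid": e["pid"], "writer": e["image"], "key": e["target_object"], "value": e["details"]}
        for e in events
        if e["event"] == "RegistryEvent"
        and RUN_KEY_RE.search(e["target_object"])
        and TEMP_DIR_RE.search(e["details"])
    ]


def wow64_redirected(event: Dict[str, str]) -> bool:
    """True when the command line names System32 but the image lives in SysWOW64.

    The WOW64 file-system redirector rewrites System32 to SysWOW64 for 32-bit
    callers, so this mismatch tells you the creating parent was a 32-bit process.
    """
    return ("\\system32\\" in event["command_line"].lower()
            and "\\syswow64\\" in event["image"].lower())


if __name__ == "__main__":
    for f in detect_self_delete(EVENTS):
        print("self-delete:", f)
    for f in detect_temp_run_key(EVENTS):
        print("temp run key:", f)
    for e in EVENTS:
        if e["event"] == "ProcessCreate" and wow64_redirected(e):
            print("wow64 redirect, parent is 32-bit:", e["pid"], e["image"])
```

On the constructed events the self-delete check fires once (PID 1192, with the deleted path equal to PID 3868's image), the Run-key check fires only for the MicroMedia value and ignores the Program Files control entry, and the redirect check fires for cmd.exe alone. Note that the "ping & del" pattern is also used by some legitimate uninstallers; requiring the deleted path to match the parent's own image is what keeps the signal tight.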
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize: 99KB
MD5: 8a284aee781210b8a8ca76b892d78882
SHA1: a005036c8f1eacfa5ebddd13b3fdb5269d35f9ef
SHA256: 9f8a94c7cf470c0c0ec706d9671f77dda228d30a2919d409cda78853745a93e1
SHA512: 51469b4917f65c07afa671bd320095dd1dfb13a6556dca22e4c9ece7fa7612375d44516e99dfa5217d311348662f43741ef5a7e621caa4121dcde53b31bcbf25
memory/3492-4-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize: 108KB
memory/3492-7-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize: 108KB
memory/3868-0-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize: 108KB
memory/3868-6-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize: 108KB
memory/3868-8-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize: 108KB