Overview

overview

10

Static

static

10

NEAS.346e9...JC.exe

windows7-x64

10

NEAS.346e9...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-10-2023 04:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.346e98405290305ebf3f95411b795380_JC.exe

  • Size

    99KB

  • MD5

    346e98405290305ebf3f95411b795380

  • SHA1

    6a5d16e22d35a2b74deac2c5b482980984f41031

  • SHA256

    67c9ac0c939e0183fad7dec8e8ad2058139c8ee41ad684888234e4437b65c27d

  • SHA512

    b62446c6e89da0f300c461c9aabdfe1a5052f5a01c1b3fba760384a1525d495a1788336ef95ecfabe60c94e90f872fae55bb0c4c4661d60b1e962446c5189c24

  • SSDEEP

    1536:Loaj1hJL1S9t0MIeboal8bCKxo7h0RPaaml0Nz30rtrdxW:c0hpgz6xGhZamyF30BBxW

Score
10/10
sakulapersistencerattrojan

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

    trojanratsakula
  • Sakula payload 7 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.346e98405290305ebf3f95411b795380_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.346e98405290305ebf3f95411b795380_JC.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3868
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:3492
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\NEAS.346e98405290305ebf3f95411b795380_JC.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1192
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:4372

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Filesize

    99KB

    MD5

    8a284aee781210b8a8ca76b892d78882

    SHA1

    a005036c8f1eacfa5ebddd13b3fdb5269d35f9ef

    SHA256

    9f8a94c7cf470c0c0ec706d9671f77dda228d30a2919d409cda78853745a93e1

    SHA512

    51469b4917f65c07afa671bd320095dd1dfb13a6556dca22e4c9ece7fa7612375d44516e99dfa5217d311348662f43741ef5a7e621caa4121dcde53b31bcbf25

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Filesize

    99KB

    MD5

    8a284aee781210b8a8ca76b892d78882

    SHA1

    a005036c8f1eacfa5ebddd13b3fdb5269d35f9ef

    SHA256

    9f8a94c7cf470c0c0ec706d9671f77dda228d30a2919d409cda78853745a93e1

    SHA512

    51469b4917f65c07afa671bd320095dd1dfb13a6556dca22e4c9ece7fa7612375d44516e99dfa5217d311348662f43741ef5a7e621caa4121dcde53b31bcbf25

    Download Submit
  • memory/3492-4-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/3492-7-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/3868-0-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/3868-6-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/3868-8-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download