Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-10-2023 07:51
Static task: static1
Behavioral task: behavioral1
- Sample: NEAS.bf2d65783ee54ad44ccbd7de284a1390_JC.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: NEAS.bf2d65783ee54ad44ccbd7de284a1390_JC.exe
- Resource: win10v2004-20231020-en
General
- Target: NEAS.bf2d65783ee54ad44ccbd7de284a1390_JC.exe
- Size: 37KB
- MD5: bf2d65783ee54ad44ccbd7de284a1390
- SHA1: cfca380487e20f6d26ee515a38d61a28b273b0f5
- SHA256: 1472b8e7a429d56cdd15143628c14567c8b21cf2eefdb532bdafe58a31b7f62c
- SHA512: 1fe67ef09861536b1db508bf26d5ac14d605e506a3a75f86f934869f8ccfd1bd9c7d77a3360fd0f8a16c77994d68b6dd5fa9dead74400926cf7fd463f27b0583
- SSDEEP: 768:D7Xezc/T6Zp14hyYtoVxYF9mH8VQ1PcPW/M9zn:n6zqhyYtkYWRPTEzn
Malware Config
Extracted family: sakula
Extracted URLs:
- http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d
- http://www.we11point.com:443/photo/%s.jpg?vid=%d
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  - 3312 MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | reg.exe
- Modifies registry key (1 TTPs, 1 IoCs)
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
  - Token: SeManageVolumePrivilege | 4612 | svchost.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description, pid, process, target process):
  - PID 3860 wrote to memory of 3064 | 3860 | NEAS.bf2d65783ee54ad44ccbd7de284a1390_JC.exe | cmd.exe
  - PID 3860 wrote to memory of 3064 | 3860 | NEAS.bf2d65783ee54ad44ccbd7de284a1390_JC.exe | cmd.exe
  - PID 3860 wrote to memory of 3064 | 3860 | NEAS.bf2d65783ee54ad44ccbd7de284a1390_JC.exe | cmd.exe
  - PID 3860 wrote to memory of 3312 | 3860 | NEAS.bf2d65783ee54ad44ccbd7de284a1390_JC.exe | MediaCenter.exe
  - PID 3860 wrote to memory of 3312 | 3860 | NEAS.bf2d65783ee54ad44ccbd7de284a1390_JC.exe | MediaCenter.exe
  - PID 3860 wrote to memory of 3312 | 3860 | NEAS.bf2d65783ee54ad44ccbd7de284a1390_JC.exe | MediaCenter.exe
  - PID 3064 wrote to memory of 3084 | 3064 | cmd.exe | reg.exe
  - PID 3064 wrote to memory of 3084 | 3064 | cmd.exe | reg.exe
  - PID 3064 wrote to memory of 3084 | 3064 | cmd.exe | reg.exe
  - PID 3860 wrote to memory of 3080 | 3860 | NEAS.bf2d65783ee54ad44ccbd7de284a1390_JC.exe | cmd.exe
  - PID 3860 wrote to memory of 3080 | 3860 | NEAS.bf2d65783ee54ad44ccbd7de284a1390_JC.exe | cmd.exe
  - PID 3860 wrote to memory of 3080 | 3860 | NEAS.bf2d65783ee54ad44ccbd7de284a1390_JC.exe | cmd.exe
  - PID 3080 wrote to memory of 3524 | 3080 | cmd.exe | PING.EXE
  - PID 3080 wrote to memory of 3524 | 3080 | cmd.exe | PING.EXE
  - PID 3080 wrote to memory of 3524 | 3080 | cmd.exe | PING.EXE
Processes (tree; level shown in brackets)
- [1] C:\Users\Admin\AppData\Local\Temp\NEAS.bf2d65783ee54ad44ccbd7de284a1390_JC.exe (PID 3860)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.bf2d65783ee54ad44ccbd7de284a1390_JC.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 3064)
    Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\reg.exe (PID 3084)
      Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      Signatures: Adds Run key to start application; Modifies registry key
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 3312)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Signatures: Executes dropped EXE
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 3080)
    Command line: cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.bf2d65783ee54ad44ccbd7de284a1390_JC.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE (PID 3524)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- [1] C:\Windows\system32\rundll32.exe (PID 4048)
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
- [1] C:\Windows\System32\svchost.exe (PID 4612)
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 37KB
  MD5: d70f635213a47ed715e56f02cb585859
  SHA1: 944033617b40b3d8025f927e16dbb9f20b3d26e0
  SHA256: 5066424b7be16436218e08c6609530f145894d5ee37bb2b9a5d6ca9064c198d3
  SHA512: 85823953985546c417eeda1af84be587a3a16f85e767a6a2c768930d469cc365ca5a4d04f58763ec9c63803ac703c97b329c54e4233b49b1f75f3b609f18b924
- memory/3860-0-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/3860-5-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4612-6-0x0000028314240000-0x0000028314250000-memory.dmp
  Filesize: 64KB
- memory/4612-22-0x0000028314340000-0x0000028314350000-memory.dmp
  Filesize: 64KB
- memory/4612-38-0x000002831C650000-0x000002831C651000-memory.dmp
  Filesize: 4KB
- memory/4612-40-0x000002831C680000-0x000002831C681000-memory.dmp
  Filesize: 4KB
- memory/4612-41-0x000002831C680000-0x000002831C681000-memory.dmp
  Filesize: 4KB
- memory/4612-42-0x000002831C790000-0x000002831C791000-memory.dmp
  Filesize: 4KB