Analysis

max time kernel: 144s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-11-2023 03:53
Static task: static1

Behavioral task: behavioral1
  Sample: NEAS.85c76584a43e616210ec95497ef10f80.exe
  Resource: win7-20231020-en

Behavioral task: behavioral2
  Sample: NEAS.85c76584a43e616210ec95497ef10f80.exe
  Resource: win10v2004-20231023-en
General

Target: NEAS.85c76584a43e616210ec95497ef10f80.exe
Size: 72KB
MD5: 85c76584a43e616210ec95497ef10f80
SHA1: 13f8fa9c043fb4c05fc46c795373866f7dcf4b9b
SHA256: 46f9d7d9716e66a5b7ed4600d5b0ffcdf9441322130558833af8879c34973245
SHA512: f55daa86a0186936f14ee9c53d8ff84b0bb6016820f0aadf596b46ed43830df222011e24cbb34cb5c460f85ed9ac139b0e9e3ddcdabdafaa46425fdc76a730b7
SSDEEP: 768:ehSksandb4GgyMsp4hyYtoVxYGm1ZAfPsED3VK2+ZtyOjgO4r9vFAg2rql:eTsGpehyYtkYvnEYTjipvF2Y
Malware Config

Extracted family: sakula
C2 URL templates:
  http://vpn.premrera.com:443/viewpre.asp?cstring=%s&tom=%d&id=%d
  http://vpn.premrera.com:443/photo/%s.jpg?id=%d
  http://173.254.226.212:443/viewpre.asp?cstring=%s&tom=%d&id=%d
  http://173.254.226.212:443/photo/%s.jpg?id=%d
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  524   MediaCenter.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description      ioc                                                                                                                                                              process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  reg.exe

Modifies registry key (1 TTP, 1 IoC)

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of WriteProcessMemory (18 IoCs)
Processes: NEAS.85c76584a43e616210ec95497ef10f80.exe, cmd.exe, cmd.exe, cmd.exe
  description                        pid   process                                    target process
  PID 4068 wrote to memory of 2956   4068  NEAS.85c76584a43e616210ec95497ef10f80.exe  cmd.exe
  PID 4068 wrote to memory of 2956   4068  NEAS.85c76584a43e616210ec95497ef10f80.exe  cmd.exe
  PID 4068 wrote to memory of 2956   4068  NEAS.85c76584a43e616210ec95497ef10f80.exe  cmd.exe
  PID 4068 wrote to memory of 3268   4068  NEAS.85c76584a43e616210ec95497ef10f80.exe  cmd.exe
  PID 4068 wrote to memory of 3268   4068  NEAS.85c76584a43e616210ec95497ef10f80.exe  cmd.exe
  PID 4068 wrote to memory of 3268   4068  NEAS.85c76584a43e616210ec95497ef10f80.exe  cmd.exe
  PID 4068 wrote to memory of 1160   4068  NEAS.85c76584a43e616210ec95497ef10f80.exe  cmd.exe
  PID 4068 wrote to memory of 1160   4068  NEAS.85c76584a43e616210ec95497ef10f80.exe  cmd.exe
  PID 4068 wrote to memory of 1160   4068  NEAS.85c76584a43e616210ec95497ef10f80.exe  cmd.exe
  PID 2956 wrote to memory of 4108   2956  cmd.exe                                    reg.exe
  PID 2956 wrote to memory of 4108   2956  cmd.exe                                    reg.exe
  PID 2956 wrote to memory of 4108   2956  cmd.exe                                    reg.exe
  PID 1160 wrote to memory of 1980   1160  cmd.exe                                    PING.EXE
  PID 1160 wrote to memory of 1980   1160  cmd.exe                                    PING.EXE
  PID 1160 wrote to memory of 1980   1160  cmd.exe                                    PING.EXE
  PID 3268 wrote to memory of 524    3268  cmd.exe                                    MediaCenter.exe
  PID 3268 wrote to memory of 524    3268  cmd.exe                                    MediaCenter.exe
  PID 3268 wrote to memory of 524    3268  cmd.exe                                    MediaCenter.exe
Processes (tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\NEAS.85c76584a43e616210ec95497ef10f80.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.85c76584a43e616210ec95497ef10f80.exe"
  PID: 4068
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    PID: 2956
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      PID: 4108
      - Adds Run key to start application
      - Modifies registry key

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    PID: 3268
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 524
      - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.85c76584a43e616210ec95497ef10f80.exe"
    PID: 1160
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1980
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 72KB
  MD5: 829ef6cf118cd367d148403e2a44c15e
  SHA1: 41d39c1d50e202cf81c4eadc35c70f600a9c0636
  SHA256: 55eb2db3419c01d7a4909da038a31ca84c4ccda988c0da7f2ae45bff5933b809
  SHA512: 4355a393f3045b8aa5731150dfb270bc50e7b523c7bb2a6ba180f38c6c6aae47741d879f5af083d5c52a019b16847b2ff70e435878734ed064c82196447cac56
memory/524-8-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB

memory/4068-0-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB

memory/4068-1-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB

memory/4068-2-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB

memory/4068-4-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB