Analysis
max time kernel: 175s
max time network: 176s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-11-2023 14:14
Behavioral task: behavioral1
Sample: NEAS.895ac5f3879eb59072aa62acfb199ea0.exe
Resource: win7-20231023-en

Behavioral task: behavioral2
Sample: NEAS.895ac5f3879eb59072aa62acfb199ea0.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.895ac5f3879eb59072aa62acfb199ea0.exe
Size: 42KB
MD5: 895ac5f3879eb59072aa62acfb199ea0
SHA1: 345c7505418c4b12abd53d431037fcadc191a854
SHA256: 3be8c5f9e27fefd24fa6f92e11bc970a3b858776758aa28e6e0e26c5aa5d4cdb
SHA512: a7af1baf4c97701a2fd61f89cf896e0120f9ce879ef05e9fe4dc5cd7ea53c6b9dbf06e209e3535aad22bba4db3dbe7071b38d5a369e9e1c9ed8f67dd9bbcf3bc
SSDEEP: 192:+UoHtBBPR/wn3VGswB1ZztrM5gwX/wJlB5rC/42oq+vLtr9ZCspE+TMgrZMVQ/Eg:Hk6g7trW54DLdAeMvVQ/97wRiVojZG
Malware Config
Extracted
sakula
http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d
http://www.we11point.com:443/photo/%s.jpg?vid=%d
Signatures

Executes dropped EXE (1 IoCs)
Processes:
| pid  | process         |
|------|-----------------|
| 3008 | MediaCenter.exe |

Processes:
| resource                                                                    | yara_rule |
|-----------------------------------------------------------------------------|-----------|
| behavioral2/memory/2560-0-0x0000000000400000-0x000000000040B000-memory.dmp  | upx       |
| behavioral2/memory/2560-1-0x0000000000400000-0x000000000040B000-memory.dmp  | upx       |
| behavioral2/memory/2560-2-0x0000000000400000-0x000000000040B000-memory.dmp  | upx       |
| C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                | upx       |
| C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe                | upx       |
| behavioral2/memory/2560-7-0x0000000000400000-0x000000000040B000-memory.dmp  | upx       |
| behavioral2/memory/3008-10-0x0000000000400000-0x000000000040B000-memory.dmp | upx       |

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
| description     | ioc                                                                                                                                                                          | process |
|-----------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | reg.exe |

Modifies registry key (1 TTPs, 1 IoCs)

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
| description                        | pid  | process                                  | target process  |
|------------------------------------|------|------------------------------------------|-----------------|
| PID 2560 wrote to memory of 2736   | 2560 | NEAS.895ac5f3879eb59072aa62acfb199ea0.exe | cmd.exe         |
| PID 2560 wrote to memory of 2736   | 2560 | NEAS.895ac5f3879eb59072aa62acfb199ea0.exe | cmd.exe         |
| PID 2560 wrote to memory of 2736   | 2560 | NEAS.895ac5f3879eb59072aa62acfb199ea0.exe | cmd.exe         |
| PID 2560 wrote to memory of 3008   | 2560 | NEAS.895ac5f3879eb59072aa62acfb199ea0.exe | MediaCenter.exe |
| PID 2560 wrote to memory of 3008   | 2560 | NEAS.895ac5f3879eb59072aa62acfb199ea0.exe | MediaCenter.exe |
| PID 2560 wrote to memory of 3008   | 2560 | NEAS.895ac5f3879eb59072aa62acfb199ea0.exe | MediaCenter.exe |
| PID 2736 wrote to memory of 1184   | 2736 | cmd.exe                                  | reg.exe         |
| PID 2736 wrote to memory of 1184   | 2736 | cmd.exe                                  | reg.exe         |
| PID 2736 wrote to memory of 1184   | 2736 | cmd.exe                                  | reg.exe         |
| PID 2560 wrote to memory of 4864   | 2560 | NEAS.895ac5f3879eb59072aa62acfb199ea0.exe | cmd.exe         |
| PID 2560 wrote to memory of 4864   | 2560 | NEAS.895ac5f3879eb59072aa62acfb199ea0.exe | cmd.exe         |
| PID 2560 wrote to memory of 4864   | 2560 | NEAS.895ac5f3879eb59072aa62acfb199ea0.exe | cmd.exe         |
| PID 4864 wrote to memory of 4984   | 4864 | cmd.exe                                  | PING.EXE        |
| PID 4864 wrote to memory of 4984   | 4864 | cmd.exe                                  | PING.EXE        |
| PID 4864 wrote to memory of 4984   | 4864 | cmd.exe                                  | PING.EXE        |
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\NEAS.895ac5f3879eb59072aa62acfb199ea0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.895ac5f3879eb59072aa62acfb199ea0.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2560

  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2736

    Depth 3: C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      - Adds Run key to start application
      - Modifies registry key
      PID: 1184

  Depth 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3008

  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.895ac5f3879eb59072aa62acfb199ea0.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4864

    Depth 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 4984
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize: 42KB
MD5: 06018d8e4fb909a977e386ad84559865
SHA1: 20ec00b98600c2551d4eaf3b75ed8232f0da120b
SHA256: b25a56478f6464783244b25143fa99487943511f7c8f0598590ddb11a83b0aa0
SHA512: c4ae2403d6eebed358a8c4785bacdba4c7fa3a312802f17d23345105a0c8276c78fe120f3f996a36b48b8968178be1a9769be3af2f896264de02ad19128104f7

memory/2560-0-0x0000000000400000-0x000000000040B000-memory.dmp
Filesize: 44KB

memory/2560-1-0x0000000000400000-0x000000000040B000-memory.dmp
Filesize: 44KB

memory/2560-2-0x0000000000400000-0x000000000040B000-memory.dmp
Filesize: 44KB

memory/2560-7-0x0000000000400000-0x000000000040B000-memory.dmp
Filesize: 44KB

memory/3008-10-0x0000000000400000-0x000000000040B000-memory.dmp
Filesize: 44KB