Analysis
- max time kernel: 240s
- max time network: 250s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-11-2023 13:45
Static task: static1
Behavioral task: behavioral1
- Sample: 87d289e296b3779a744d2ceac8ef592c510b7c6a34157a7f88ba19fa36113fbc.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: 87d289e296b3779a744d2ceac8ef592c510b7c6a34157a7f88ba19fa36113fbc.exe
- Resource: win10v2004-20231023-en
General
- Target: 87d289e296b3779a744d2ceac8ef592c510b7c6a34157a7f88ba19fa36113fbc.exe
- Size: 44KB
- MD5: 1e25cb169893f2ce73e137ae18c6df82
- SHA1: 2112f760a5c3095fadeef5bd45fdc6979b07953b
- SHA256: 87d289e296b3779a744d2ceac8ef592c510b7c6a34157a7f88ba19fa36113fbc
- SHA512: dd28f177631343a2c1ea5be0fd23329f40865681bf443c7e472a82cd85a7763ad3a84a7bd5569691b43160d826655e2884494f681074fdeabc70b979141057a5
- SSDEEP: 768:GhSksandb4GgyMsw4hyYtoVxYMcm1oUt1vnhBL:GTsGpjhyYtkYMRyUFp
Malware Config
Extracted (family: sakula)
- http://vpn.premrera.com:443/viewpre.asp?cstring=%s&tom=%d&id=%d
- http://vpn.premrera.com:443/photo/%s.jpg?id=%d
- http://173.254.226.212:443/viewpre.asp?cstring=%s&tom=%d&id=%d
- http://173.254.226.212:443/photo/%s.jpg?id=%d
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  3524  MediaCenter.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  reg.exe
- Modifies registry key (1 TTP, 1 IoC)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (description, pid, process, target process):
  PID 4024 wrote to memory of 5012  4024  87d289e296b3779a744d2ceac8ef592c510b7c6a34157a7f88ba19fa36113fbc.exe  cmd.exe
  PID 4024 wrote to memory of 5012  4024  87d289e296b3779a744d2ceac8ef592c510b7c6a34157a7f88ba19fa36113fbc.exe  cmd.exe
  PID 4024 wrote to memory of 5012  4024  87d289e296b3779a744d2ceac8ef592c510b7c6a34157a7f88ba19fa36113fbc.exe  cmd.exe
  PID 4024 wrote to memory of 4636  4024  87d289e296b3779a744d2ceac8ef592c510b7c6a34157a7f88ba19fa36113fbc.exe  cmd.exe
  PID 4024 wrote to memory of 4636  4024  87d289e296b3779a744d2ceac8ef592c510b7c6a34157a7f88ba19fa36113fbc.exe  cmd.exe
  PID 4024 wrote to memory of 4636  4024  87d289e296b3779a744d2ceac8ef592c510b7c6a34157a7f88ba19fa36113fbc.exe  cmd.exe
  PID 4024 wrote to memory of 3644  4024  87d289e296b3779a744d2ceac8ef592c510b7c6a34157a7f88ba19fa36113fbc.exe  cmd.exe
  PID 4024 wrote to memory of 3644  4024  87d289e296b3779a744d2ceac8ef592c510b7c6a34157a7f88ba19fa36113fbc.exe  cmd.exe
  PID 4024 wrote to memory of 3644  4024  87d289e296b3779a744d2ceac8ef592c510b7c6a34157a7f88ba19fa36113fbc.exe  cmd.exe
  PID 5012 wrote to memory of 3312  5012  cmd.exe  reg.exe
  PID 5012 wrote to memory of 3312  5012  cmd.exe  reg.exe
  PID 5012 wrote to memory of 3312  5012  cmd.exe  reg.exe
  PID 3644 wrote to memory of 3872  3644  cmd.exe  PING.EXE
  PID 3644 wrote to memory of 3872  3644  cmd.exe  PING.EXE
  PID 3644 wrote to memory of 3872  3644  cmd.exe  PING.EXE
  PID 4636 wrote to memory of 3524  4636  cmd.exe  MediaCenter.exe
  PID 4636 wrote to memory of 3524  4636  cmd.exe  MediaCenter.exe
  PID 4636 wrote to memory of 3524  4636  cmd.exe  MediaCenter.exe
Processes (indentation shows parent/child depth)
- [1] C:\Users\Admin\AppData\Local\Temp\87d289e296b3779a744d2ceac8ef592c510b7c6a34157a7f88ba19fa36113fbc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\87d289e296b3779a744d2ceac8ef592c510b7c6a34157a7f88ba19fa36113fbc.exe"
  PID: 4024
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    PID: 5012
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      PID: 3312
      - Adds Run key to start application
      - Modifies registry key
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\87d289e296b3779a744d2ceac8ef592c510b7c6a34157a7f88ba19fa36113fbc.exe"
    PID: 3644
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3872
      - Runs ping.exe
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    PID: 4636
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      PID: 3524
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 44KB
  MD5: 6e107a16dce62b1e4687628a9fc3db7a
  SHA1: 50daf211d931b731c843871f3b3f394cbc669139
  SHA256: 5e16c7d19c35f02ee4b226bf2516655f2d621f6d6b087f0d1dd0e1952d1ec64e
  SHA512: f087b71cf5432ae4a21a362ac2372af5bcec1496640a0f6117869191d6267d1664351a20f1d953e3cdb6cbc4f70b8a6edf57ebaa270385b92283284405efd8b0
- memory/3524-6-0x0000000000400000-0x000000000040B000-memory.dmp
  Filesize: 44KB
- memory/3524-7-0x0000000000400000-0x000000000040B000-memory.dmp
  Filesize: 44KB
- memory/4024-0-0x0000000000400000-0x000000000040B000-memory.dmp
  Filesize: 44KB
- memory/4024-2-0x0000000000400000-0x000000000040B000-memory.dmp
  Filesize: 44KB