Overview

overview

10

Static

static

3

NEAS.9a34b...50.exe

windows7-x64

10

NEAS.9a34b...50.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    168s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2023 06:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.9a34b739c35e37e7bffa7e46b73a0b50.exe

  • Size

    40KB

  • MD5

    9a34b739c35e37e7bffa7e46b73a0b50

  • SHA1

    c0d7c30c0a973a501ef3365032607828a80ae2aa

  • SHA256

    26fc1f02e0b88017b99d811342a5b00753a944832fcf94b2a08b59065eeaa590

  • SHA512

    dcbb30236d5c4f76f124ac41507e51d5de37773f3a5b91223f6eba62015aba0b7305cfe6d875606d3ea3e10bebe7850c7b003873e95a6c973ab65c6362625b83

  • SSDEEP

    768:q7Xezc/T6Zp14hyYtoVxYF9mHfCBJTAIO3OtYVo:G6zqhyYtkYW/CPnO3A

Score
10/10
sakulapersistencerattrojan

Malware Config

Extracted

Family

sakula

C2

http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d

http://www.we11point.com:443/photo/%s.jpg?vid=%d

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

    trojanratsakula
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.9a34b739c35e37e7bffa7e46b73a0b50.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.9a34b739c35e37e7bffa7e46b73a0b50.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4176
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:5056
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:3580
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.9a34b739c35e37e7bffa7e46b73a0b50.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:372
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:5080

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Filesize

    40KB

    MD5

    e1f2a812be2609e8da8a0a56557521d3

    SHA1

    c33f9fa2f52d3edc05d0ac30a64c9d5062b71906

    SHA256

    ce4af4c1fdcbeda0fc849b4557354a92dc092e6a17da185b0f6c0019131be969

    SHA512

    c0b250b02f1991bd98d306f5c7dc4878990462809171e3faa4f11134679747cb7ca2be04490c1d021205ccd7b834240ff07be230aa74b4a1d06f53c7b552bd2a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Filesize

    40KB

    MD5

    e1f2a812be2609e8da8a0a56557521d3

    SHA1

    c33f9fa2f52d3edc05d0ac30a64c9d5062b71906

    SHA256

    ce4af4c1fdcbeda0fc849b4557354a92dc092e6a17da185b0f6c0019131be969

    SHA512

    c0b250b02f1991bd98d306f5c7dc4878990462809171e3faa4f11134679747cb7ca2be04490c1d021205ccd7b834240ff07be230aa74b4a1d06f53c7b552bd2a

    Download Submit
  • memory/1972-0-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1972-1-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1972-3-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3580-7-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3580-8-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download