Analysis
-
max time kernel
144s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system -
submitted
15-11-2023 03:27
Behavioral task
behavioral1
Sample
NEAS.76742b2efc5720b65781c32e1d46c2b0.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
NEAS.76742b2efc5720b65781c32e1d46c2b0.exe
Resource
win10v2004-20231020-en
General
-
Target
NEAS.76742b2efc5720b65781c32e1d46c2b0.exe
-
Size
39KB
-
MD5
76742b2efc5720b65781c32e1d46c2b0
-
SHA1
b3eb4fb62baabae404cfaa20cbaafc3d0b9653d4
-
SHA256
19a49ff73475d5791e5321ed0e97c27506a29f42f7aaddd046b4f2803d6c966a
-
SHA512
71639a732333e73d998a474c5d1882c1c207871a6878b43c2399ed890a25ba50ec8f90ad8e5bb7c167ed1e71b05d0a27fe2cd3680805518a9e481dc7f8af96c1
-
SSDEEP
384:Em7SCFozc/T94Umdjpxq4TqvhyY3Q6oVxYiOws0me86g7trW540hd76QLdAeMvVt:n7Xezc/T6Zp14hyYtoVxYIY370YjVt
Malware Config
Extracted
Family: sakula
C2 URL templates (printf-style: %s and %d are filled in by the implant at runtime; note plain http on port 443):
http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d
http://www.we11point.com:443/photo/%s.jpg?vid=%d
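The two extracted templates are the most directly actionable part of this report: they pin down the C2 host and the exact URL shapes the implant will request. The following is an added example (not part of the sandbox report or of the Sakula sample) that turns the printf-style templates into anchored regular expressions and runs them over a constructed proxy log. The log format (`timestamp client_ip method url status`) and every log line are assumptions made up for the example; the templates themselves are copied from the report. Because the config uses `http://` with an explicit `:443`, the regex keeps that literal; logs that normalise the port away would need the `:443` made optional.

```python
import re
from typing import List, Pattern, Tuple

# The two C2 URL templates the sandbox extracted from this sample's Sakula
# config (copied from the report above). %s and %d are printf-style
# placeholders the implant fills in at runtime.
SAKULA_C2_TEMPLATES = [
    "http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d",
    "http://www.we11point.com:443/photo/%s.jpg?vid=%d",
]


def template_to_regex(template: str) -> Pattern[str]:
    """Compile a printf-style URL template into an anchored, case-insensitive regex.

    %s becomes one or more characters that cannot start a new query
    parameter or path segment; %d becomes a decimal integer; every other
    character is matched literally (so the typosquat host 'we11point',
    with digit ones, does not match the real 'wellpoint').
    """
    pieces = []
    for part in re.split(r"(%s|%d)", template):
        if part == "%s":
            pieces.append(r"[^&?/]+")
        elif part == "%d":
            pieces.append(r"\d+")
        else:
            pieces.append(re.escape(part))
    return re.compile("^" + "".join(pieces) + "$", re.IGNORECASE)


C2_PATTERNS = [template_to_regex(t) for t in SAKULA_C2_TEMPLATES]


def find_sakula_beacons(proxy_log: str) -> List[Tuple[str, str]]:
    """Return (client_ip, url) for every proxy log line whose URL matches a
    Sakula C2 template. Log format assumed here (constructed, not from the
    report): '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in proxy_log.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client_ip, url = fields[1], fields[3]
        if any(p.match(url) for p in C2_PATTERNS):
            hits.append((client_ip, url))
    return hits


# Constructed sample proxy log: two real beacons, one request to the
# legitimate look-alike domain, one request to the C2 host that does not
# have a Sakula URL shape.
SAMPLE_PROXY_LOG = """\
2023-11-15T03:27:41Z 10.0.0.5 GET http://www.we11point.com:443/view.asp?cookie=ABCDEF0123&type=1&vid=7 200
2023-11-15T03:27:42Z 10.0.0.5 GET http://www.we11point.com:443/photo/ABCDEF0123.jpg?vid=7 200
2023-11-15T03:28:00Z 10.0.0.9 GET http://www.wellpoint.com/view.asp?cookie=x&type=1&vid=7 200
2023-11-15T03:28:05Z 10.0.0.5 GET http://www.we11point.com:443/index.html 404
"""

if __name__ == "__main__":
    for ip, url in find_sakula_beacons(SAMPLE_PROXY_LOG):
        print(f"{ip} -> {url}")
```

Matching the whole URL rather than just the host matters here: the host alone would also fire on the fourth line, while the template match tells you the request really is a beacon and which of the two handlers it hit.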
Signatures
-
Executes dropped EXE 1 IoCs
Processes: MediaCenter.exe
pid   process
4452  MediaCenter.exe -
UPX-packed resources (yara rule: upx) 5 IoCs
resource  yara_rule
behavioral2/memory/3560-0-0x0000000000400000-0x000000000040C000-memory.dmp  upx
behavioral2/memory/3560-2-0x0000000000400000-0x000000000040C000-memory.dmp  upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe  upx
behavioral2/memory/4452-6-0x0000000000400000-0x000000000040C000-memory.dmp  upx -
Adds Run key to start application 2 TTPs 1 IoCs
Processes: reg.exe
description      ioc                                                                                                                                                                        process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  reg.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes: NEAS.76742b2efc5720b65781c32e1d46c2b0.exe, cmd.exe, cmd.exe
description                       pid   process                                    target process
PID 3560 wrote to memory of 3404  3560  NEAS.76742b2efc5720b65781c32e1d46c2b0.exe  cmd.exe
PID 3560 wrote to memory of 3404  3560  NEAS.76742b2efc5720b65781c32e1d46c2b0.exe  cmd.exe
PID 3560 wrote to memory of 3404  3560  NEAS.76742b2efc5720b65781c32e1d46c2b0.exe  cmd.exe
PID 3560 wrote to memory of 4452  3560  NEAS.76742b2efc5720b65781c32e1d46c2b0.exe  MediaCenter.exe
PID 3560 wrote to memory of 4452  3560  NEAS.76742b2efc5720b65781c32e1d46c2b0.exe  MediaCenter.exe
PID 3560 wrote to memory of 4452  3560  NEAS.76742b2efc5720b65781c32e1d46c2b0.exe  MediaCenter.exe
PID 3404 wrote to memory of 3236  3404  cmd.exe                                    reg.exe
PID 3404 wrote to memory of 3236  3404  cmd.exe                                    reg.exe
PID 3404 wrote to memory of 3236  3404  cmd.exe                                    reg.exe
PID 3560 wrote to memory of 548   3560  NEAS.76742b2efc5720b65781c32e1d46c2b0.exe  cmd.exe
PID 3560 wrote to memory of 548   3560  NEAS.76742b2efc5720b65781c32e1d46c2b0.exe  cmd.exe
PID 3560 wrote to memory of 548   3560  NEAS.76742b2efc5720b65781c32e1d46c2b0.exe  cmd.exe
PID 548 wrote to memory of 4000   548   cmd.exe                                    PING.EXE
PID 548 wrote to memory of 4000   548   cmd.exe                                    PING.EXE
PID 548 wrote to memory of 4000   548   cmd.exe                                    PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.76742b2efc5720b65781c32e1d46c2b0.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.76742b2efc5720b65781c32e1d46c2b0.exe"
  - Suspicious use of WriteProcessMemory
  PID:3560
  -
  C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    - Suspicious use of WriteProcessMemory
    PID:3404
    -
    C:\Windows\SysWOW64\reg.exe
      reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      - Adds Run key to start application
      - Modifies registry key
      PID:3236
  -
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID:4452
  -
  C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.76742b2efc5720b65781c32e1d46c2b0.exe"
    - Suspicious use of WriteProcessMemory
    PID:548
    -
    C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      - Runs ping.exe
      PID:4000
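The process tree shows three behaviours worth detecting independently of the file hashes: a Run-key write whose data points into the user's Temp directory, a dropped binary launched from the same Temp directory, and the `ping 127.0.0.1 & del "<own path>"` self-deletion one-liner. One caveat the report itself illustrates: the command line names `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`, but the value was recorded under `WOW6432Node` because `reg.exe` ran from `SysWOW64` (32-bit, so registry redirection applies); a rule keyed on registry-write events must therefore match both views, while a command-line rule like the one below is unaffected. The following is an added example (not part of the sandbox report): the PIDs, image paths and command lines are the report's, the event shape is a simplified, constructed stand-in for Sysmon event 1, and the parent of the initial sample is unknown from the report and left as `None`.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (shape modelled loosely on Sysmon event 1)."""
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# The process tree from the sandbox report above. PIDs, image paths and
# command lines are the report's; the parent of the initial sample is not
# shown there, so it is left as None.
EVENTS = [
    ProcEvent(3560, None,
              r"C:\Users\Admin\AppData\Local\Temp\NEAS.76742b2efc5720b65781c32e1d46c2b0.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\NEAS.76742b2efc5720b65781c32e1d46c2b0.exe"'),
    ProcEvent(3404, 3560, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" '
              r'/t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"'),
    ProcEvent(3236, 3404, r"C:\Windows\SysWOW64\reg.exe",
              r'reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" '
              r'/t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"'),
    ProcEvent(4452, 3560,
              r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
              r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"),
    ProcEvent(548, 3560, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\NEAS.76742b2efc5720b65781c32e1d46c2b0.exe"'),
    ProcEvent(4000, 548, r"C:\Windows\SysWOW64\PING.EXE", r"ping 127.0.0.1"),
]

# reg.exe adding a value under any ...\CurrentVersion\Run key
RUN_KEY_ADD = re.compile(r"\breg(?:\.exe)?\s+add\s+\S+\\CurrentVersion\\Run\b", re.IGNORECASE)
# the /d "<data>" argument of reg add: the path that will be autostarted
RUN_KEY_DATA = re.compile(r'/d\s+"([^"]+)"', re.IGNORECASE)
# ping-as-sleep followed by del: the classic self-deletion one-liner
SELF_DELETE = re.compile(r'ping\s+127\.0\.0\.1\b.*?&\s*del\s+"?([^"&]+?)"?\s*$', re.IGNORECASE)
# user-writable staging directory used by this sample
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def detect(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Run three behavioural rules over a process tree and return
    (rule_name, pid, detail) for each hit, in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid) if e.ppid is not None else None

        # Rule 1: reg.exe itself (not the cmd.exe wrapper, to avoid a double
        # hit) writes a Run value pointing into a user temp directory.
        if e.image.lower().endswith("\\reg.exe") and RUN_KEY_ADD.search(e.cmdline):
            data = RUN_KEY_DATA.search(e.cmdline)
            if data and USER_TEMP.search(data.group(1)):
                findings.append(("run_key_persistence_to_temp", e.pid, data.group(1)))

        # Rule 2: 'ping 127.0.0.1 & del <path>' where <path> is the parent's
        # own image, i.e. the parent is deleting itself after it exits.
        m = SELF_DELETE.search(e.cmdline)
        if m and parent is not None and parent.image.lower() == m.group(1).lower():
            findings.append(("self_delete_via_ping", e.pid, parent.image))

        # Rule 3: a binary in user temp launches a different binary that
        # also lives in user temp (the "Executes dropped EXE" signature).
        if (parent is not None and USER_TEMP.search(parent.image)
                and USER_TEMP.search(e.image)
                and e.image.lower() != parent.image.lower()):
            findings.append(("temp_binary_spawns_dropped_exe", e.pid, e.image))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

Rule 2 deliberately requires the `del` target to equal the parent's own image path; `ping 127.0.0.1 & del` on its own is a common installer idiom, and tying it to the parent is what turns it from noise into a self-deletion detection.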
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Filesize 39KB
MD5 7bf7e9e9f9c48641e5fd5991ea48e1a4
SHA1 de41ff03059aeb5ce5f578b658028627595cec66
SHA256 a0651e33f6eb99103efc3794e2d92f225d617c4cab43c5978480d9c5bc874500
SHA512 744004526801aec05e6ff6d9a8b0f3fcf1b5360fc3cd0d2c2abea1918bdb24847095948ab85f3d1166cc01ef24b1e96782f4773b8eefc47fce6682345c788d59
-
memory/3560-0-0x0000000000400000-0x000000000040C000-memory.dmp
Filesize 48KB
-
memory/3560-2-0x0000000000400000-0x000000000040C000-memory.dmp
Filesize 48KB
-
memory/4452-6-0x0000000000400000-0x000000000040C000-memory.dmp
Filesize 48KB