Malware Analysis Report

2025-01-02 02:56

Sample ID 210929-h5hh5sebbj
Target 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f
SHA256 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f
Tags
persistence suricata
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f

Threat Level: Known bad

The file 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f was found to be: Known bad.

Malicious Activity Summary

persistence suricata

suricata: ET MALWARE SUSPICIOUS UA (iexplore)

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1

Executes dropped EXE

Deletes itself

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-29 07:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-29 07:19

Reported

2021-09-29 07:21

Platform

win7v20210408

Max time kernel

127s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe"

Signatures

suricata: ET MALWARE SUSPICIOUS UA (iexplore)
tag: suricata

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
tag: suricata

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

tag: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe | N/A

The value is written in the 32-bit (Wow6432Node) view of HKLM\Software\Microsoft\Windows\CurrentVersion\Run, which Windows processes at logon alongside the native Run key; a hunt that reads only the native key misses it. The target path is under the user's Temp directory, the same place the sample itself ran from.

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1304 wrote to memory of 1820 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1304 wrote to memory of 1976 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe | C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 1788 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Every write here goes from a process to a child it has just created (1304 -> 1820 MediaCenter.exe, 1304 -> 1976 cmd.exe, 1976 -> 1788 PING.EXE; compare the Processes list below). A parent writing into a freshly created child is part of normal process start-up, so on its own this signature is weak evidence of injection into a foreign process; read it together with the process tree.

Processes

C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe

"C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe"

(The command names System32\cmd.exe but the process image is SysWOW64\cmd.exe: the sample is a 32-bit process, so WOW64 file-system redirection resolves System32 to SysWOW64, and for the same reason its Run key lands under Wow6432Node. The ping to 127.0.0.1 is only a delay so that the parent has exited before del runs; this chain is what the "Deletes itself" signature reports.)

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.polarroute.com udp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 8.8.8.8:53 www.northpoleroute.com udp
US 204.11.56.48:80 www.northpoleroute.com tcp
US 204.11.56.48:80 www.northpoleroute.com tcp
US 204.11.56.48:80 www.northpoleroute.com tcp

Files

memory/1304-60-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 88731eaa25d08253b899ac8223cec964
SHA1 414032e16e4e8180a1b77b9fae7ced83203e79ee
SHA256 2fc6ee69b9c19f05adcbe59e6965e24db3e68ac4d4ceeccc2bffbc68e2f54402
SHA512 1bbb630b879b7d20e8c4e5956b50f5a33271db4a833e263452243ad96c8d1fbe2d082dee34a5ecbe2a67952d660ae0c283cc5f8324946ad8fd379f71e539264f

memory/1820-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 88731eaa25d08253b899ac8223cec964
SHA1 414032e16e4e8180a1b77b9fae7ced83203e79ee
SHA256 2fc6ee69b9c19f05adcbe59e6965e24db3e68ac4d4ceeccc2bffbc68e2f54402
SHA512 1bbb630b879b7d20e8c4e5956b50f5a33271db4a833e263452243ad96c8d1fbe2d082dee34a5ecbe2a67952d660ae0c283cc5f8324946ad8fd379f71e539264f

memory/1976-65-0x0000000000000000-mapping.dmp

memory/1788-66-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-29 07:19

Reported

2021-09-29 07:21

Platform

win10-en-20210920

Max time kernel

139s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe"

Signatures

suricata: ET MALWARE SUSPICIOUS UA (iexplore)
tag: suricata

suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
tag: suricata

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Adds Run key to start application

tag: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe | N/A
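The Run-key write above is recorded identically in behavioral1 and behavioral2 and is the sample's persistence. The following Python is an added example, not part of the sandbox report and not the sample's code: it triages registry Set-value events of the shape the report prints, collapses the Wow6432Node view onto the native key path so one hunt covers both views, and flags autorun targets that sit in user-writable directories or under the directory the writing process runs from. The event list is constructed: the first entry is this report's indicator with the JSON quoting stripped from the value data, the other two are made-up controls, and the field names, regexes and the list of user-writable locations are my assumptions.

```python
import re

# Constructed registry "Set value" events in the shape the sandbox report prints them
# (key path, value data, writing process).  The first is the indicator from this report
# with the JSON quoting removed; the other two are made-up controls for comparison.
REG_EVENTS = [
    {
        "process": r"C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe",
        "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
        "data": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
    },
    {  # constructed benign control: installer registering a vendor updater, native 64-bit view
        "process": r"C:\Windows\System32\msiexec.exe",
        "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
        "data": r"C:\Program Files\Vendor\updater.exe /background",
    },
    {  # constructed: per-user RunOnce pointing back into Downloads
        "process": r"C:\Users\Admin\Downloads\setup.exe",
        "key": r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup",
        "data": r'"C:\Users\Admin\Downloads\setup.exe" /finish',
    },
]

# Run / RunOnce under HKLM or HKU, in either the native or the Wow6432Node (32-bit) view.
AUTORUN_KEY = re.compile(
    r"^\\REGISTRY\\(?:MACHINE|USER\\[^\\]+)\\SOFTWARE\\(?P<wow>Wow6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\[^\\]+$",
    re.IGNORECASE,
)

# Locations a standard user can write to (assumed list); an autorun target here deserves a look.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|programdata|windows\\temp|temp)\\",
    re.IGNORECASE,
)


def native_key(key):
    """Collapse the 32-bit view onto the 64-bit key path so both views hunt the same way."""
    return re.sub(r"\\Wow6432Node(?=\\)", "", key, flags=re.IGNORECASE)


def image_path(data):
    """Executable referenced by an autorun value: quoted path, else text up to the first .exe."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data.split()[0]


def triage_autorun(event):
    """Return a finding for an autorun write, or None if the key is not Run/RunOnce."""
    m = AUTORUN_KEY.match(event["key"])
    if not m:
        return None
    exe = image_path(event["data"])
    writer_dir = event["process"].rsplit("\\", 1)[0].lower() + "\\"
    reasons = []
    if USER_WRITABLE.match(exe):
        reasons.append("target lives in a user-writable directory")
    if exe.lower().startswith(writer_dir):
        reasons.append("target sits under the directory the writing process runs from")
    return {
        "native_key": native_key(event["key"]),
        "view": "Wow6432Node" if m.group("wow") else "native",
        "target": exe,
        "writer": event["process"],
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def suspicious_autoruns(events):
    """Only the autorun writes worth a look, in input order."""
    return [f for f in (triage_autorun(e) for e in events) if f and f["suspicious"]]


if __name__ == "__main__":
    for finding in suspicious_autoruns(REG_EVENTS):
        print(finding["native_key"], finding["view"], finding["target"], finding["reasons"])
```

Run against the report's event the finding carries the native key path, the view "Wow6432Node" and both reasons; the msiexec control is returned but not flagged. Keying a hunt on the native path is what lets one query match writes from both 32-bit and 64-bit processes.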

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe

"C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1
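The cmd.exe command line above, identical in behavioral1 and behavioral2, is the self-deletion chain: a ping to 127.0.0.1 as a delay, then del of the parent's own image. The Python below is an added example, not from the report or the sample, showing how to pick that chain out of process-creation events: it pairs each cmd.exe del target with the image of the process that spawned the cmd.exe and notes whether a loopback ping precedes it. The event list is constructed in Sysmon-like form; the three chain events reuse the PIDs, images and command lines from behavioral1, while the sample's own parent PID and the benign control events are made up, as are the field names and regexes.

```python
import re

# Constructed process-creation events in Sysmon-like form.  The first three reuse the
# PIDs, images and command lines of the behavioral1 chain in this report (the sample's
# own parent PID is not in the report and is set to 0 here); the rest are made-up
# benign controls that share single features of the chain but not the whole pattern.
PROC_EVENTS = [
    {"pid": 1304, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe"'},
    {"pid": 1976, "ppid": 1304, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe"'},
    {"pid": 1788, "ppid": 1976, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    # control: an installer that deletes its own temp log (a del, but not of the parent image)
    {"pid": 2300, "ppid": 0, "image": r"C:\Users\Admin\Downloads\vendor-setup.exe",
     "cmdline": r'"C:\Users\Admin\Downloads\vendor-setup.exe" /silent'},
    {"pid": 2400, "ppid": 2300, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del /q "C:\Users\Admin\AppData\Local\Temp\install.log"'},
    # control: a script that pings localhost as a sleep, with no del at all
    {"pid": 2500, "ppid": 2300, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ping 127.0.0.1 -n 3 >nul"},
]

# `del`, optional switches such as /q or /f, then one quoted or bare path.
DEL_TARGET = re.compile(r'\bdel\b(?:\s+/\w+)*\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# ping against a loopback address: the usual cmd.exe stand-in for sleep (about a second per echo)
LOOPBACK_PING = re.compile(r"\bping(?:\.exe)?\b[^&|]*?(?:127\.0\.0\.1|localhost|::1)\b", re.IGNORECASE)


def del_targets(cmdline):
    """All paths handed to `del` in a cmd.exe command line, quotes stripped."""
    return [quoted or bare for quoted, bare in DEL_TARGET.findall(cmdline)]


def find_self_delete(events):
    """cmd.exe children whose del target is the image of the process that spawned them."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        targets = {t.lower() for t in del_targets(e["cmdline"])}
        if parent["image"].lower() in targets:
            findings.append({
                "cmd_pid": e["pid"],
                "parent_pid": parent["pid"],
                "deleted_image": parent["image"],
                "delayed_by_ping": bool(LOOPBACK_PING.search(e["cmdline"])),
            })
    return findings


if __name__ == "__main__":
    for hit in find_self_delete(PROC_EVENTS):
        print(hit)
```

Only the 1304 -> 1976 pair is reported; the installer's del of a log file and the bare loopback ping are left alone. The comparison is a plain path match, so a sample that names itself through a different path form (a short 8.3 name, a subst drive) would slip past this check; comparing normalized paths is the obvious extension.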

Network

Country Destination Domain Proto
FR 2.16.119.157:443 - tcp
US 8.8.8.8:53 www.polarroute.com udp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 52.109.12.19:443 - tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 8.8.8.8:53 www.northpoleroute.com udp
US 204.11.56.48:80 www.northpoleroute.com tcp

The two tcp/443 flows carry no domain in the capture and are absent from the win7 run; they are not attributed to the sample here. As in behavioral1, both www.polarroute.com and www.northpoleroute.com resolve to 204.11.56.48, and all of the sample's traffic to them is tcp/80.
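Both Network tables in this report (behavioral1 and behavioral2) list one row per flow, with the Domain column empty when no name is associated with the destination. The Python below is an added example, not part of the report: it parses rows in exactly that printed shape, separates resolver lookups and domain-less flows from the sample's own connections, de-duplicates them with counts, and points out when several domains share one address. The rows are copied from the behavioral2 table above; the resolver set and the classification labels are my assumptions.

```python
from collections import Counter

# Rows copied from this report's behavioral2 Network table, exactly as printed:
# Country Destination Domain Proto, with the Domain column empty on two 443 flows.
# The behavioral1 table is the same minus those two rows and can be fed in unchanged.
NETWORK_ROWS = """\
FR 2.16.119.157:443 tcp
US 8.8.8.8:53 www.polarroute.com udp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 52.109.12.19:443 tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 8.8.8.8:53 www.northpoleroute.com udp
US 204.11.56.48:80 www.northpoleroute.com tcp
"""

# The sandbox's resolver (assumed): it appears in every run and is not an indicator of this sample.
RESOLVERS = {"8.8.8.8"}


def parse_row(line):
    """One table row -> dict; tolerates the missing Domain column."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def classify(row):
    if row["proto"] == "udp" and row["port"] == 53:
        return "dns-lookup"      # Domain is the name queried; the IP is the resolver, not a contact
    if row["domain"] is None:
        return "unattributed"    # no name tied to the flow; treat as background until shown otherwise
    return f"{row['proto']}/{row['port']}"


def summarize(table_text):
    rows = [parse_row(line) for line in table_text.splitlines() if line.strip()]
    flows = Counter((classify(r), r["ip"], r["port"], r["domain"]) for r in rows)
    domains = sorted({r["domain"] for r in rows if r["domain"]})
    contacted = sorted({r["ip"] for r in rows if r["domain"] and r["ip"] not in RESOLVERS})
    unattributed = sorted({f"{r['ip']}:{r['port']}" for r in rows if r["domain"] is None})
    # an address reached under more than one name is a stronger pivot than either name alone
    shared = {ip for ip in contacted
              if len({r["domain"] for r in rows if r["ip"] == ip}) > 1}
    return {"flows": flows, "domains": domains, "contacted_ips": contacted,
            "unattributed": unattributed, "shared_ip": sorted(shared)}


if __name__ == "__main__":
    summary = summarize(NETWORK_ROWS)
    for key, count in sorted(summary["flows"].items()):
        print(count, *key)
    print("domains:", summary["domains"])
    print("contacted:", summary["contacted_ips"], "shared:", summary["shared_ip"])
    print("unattributed:", summary["unattributed"])
```

For this table the summary comes out as two domains, one contacted address shared by both, and two unattributed tcp/443 destinations; the resolver never appears in the contacted set. Feeding in the behavioral1 rows gives the same domains and address with an empty unattributed list.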

Files

memory/2208-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 6e1ab8fd503bed6f1aa3d954d1552939
SHA1 a6201230360ed18f4f914c9961f5ff4394cb3bc8
SHA256 d6e2d1d2e896723831a184496ab53e6c6738713310a4b461d6aacc46da77ffd7
SHA512 cab4aa19008bd1f6123f88cf0d9ab0f2806cc3ce584ec33ca82ec30e175db9394b0a1d2c374e225b2b1417a9c7d455020b35ad9aa9f008aeae5486f7253496e4

The dropped MediaCenter.exe differs from the one in behavioral1 (MD5 88731eaa25d08253b899ac8223cec964 there, 6e1ab8fd503bed6f1aa3d954d1552939 here), so the dropped file is not byte-identical across runs; its path and the MicroMedia Run key are more stable indicators than its hash.

memory/2860-118-0x0000000000000000-mapping.dmp

memory/296-119-0x0000000000000000-mapping.dmp