Analysis Overview
SHA256
932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f
Threat Level: Known bad
The file 932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE
Deletes itself
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-09-29 07:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-09-29 07:19
Reported
2021-09-29 07:21
Platform
win7v20210408
Max time kernel
127s
Max time network
131s
Command Line
Signatures
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe | "C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe" |
| C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe" |
| C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.polarroute.com | udp |
| US | 204.11.56.48:80 | www.polarroute.com | tcp |
| US | 204.11.56.48:80 | www.polarroute.com | tcp |
| US | 204.11.56.48:80 | www.polarroute.com | tcp |
| US | 204.11.56.48:80 | www.polarroute.com | tcp |
| US | 8.8.8.8:53 | www.northpoleroute.com | udp |
| US | 204.11.56.48:80 | www.northpoleroute.com | tcp |
| US | 204.11.56.48:80 | www.northpoleroute.com | tcp |
| US | 204.11.56.48:80 | www.northpoleroute.com | tcp |
Files
memory/1304-60-0x0000000075AD1000-0x0000000075AD3000-memory.dmp
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | 88731eaa25d08253b899ac8223cec964 |
| SHA1 | 414032e16e4e8180a1b77b9fae7ced83203e79ee |
| SHA256 | 2fc6ee69b9c19f05adcbe59e6965e24db3e68ac4d4ceeccc2bffbc68e2f54402 |
| SHA512 | 1bbb630b879b7d20e8c4e5956b50f5a33271db4a833e263452243ad96c8d1fbe2d082dee34a5ecbe2a67952d660ae0c283cc5f8324946ad8fd379f71e539264f |
memory/1820-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | 88731eaa25d08253b899ac8223cec964 |
| SHA1 | 414032e16e4e8180a1b77b9fae7ced83203e79ee |
| SHA256 | 2fc6ee69b9c19f05adcbe59e6965e24db3e68ac4d4ceeccc2bffbc68e2f54402 |
| SHA512 | 1bbb630b879b7d20e8c4e5956b50f5a33271db4a833e263452243ad96c8d1fbe2d082dee34a5ecbe2a67952d660ae0c283cc5f8324946ad8fd379f71e539264f |
memory/1976-65-0x0000000000000000-mapping.dmp
memory/1788-66-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-09-29 07:19
Reported
2021-09-29 07:21
Platform
win10-en-20210920
Max time kernel
139s
Max time network
141s
Command Line
Signatures
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe | N/A |
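The Run value above (and the identical one in the win7 run) registers the dropped MediaCenter.exe, which lives in the user's Temp directory, under the 32-bit (Wow6432Node) view of HKLM, so it is executed at every logon. The Python below is an added example, not part of this report or the sandbox, showing how to parse indicator lines in the report's own `key\name = "data"` form, normalise the hive prefix and the Wow6432Node redirection, and flag autostart images that sit under user-writable paths. The two non-MicroMedia lines, the marker list and the hive map are assumptions added for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines in the "key\name = "data"" form this report uses for
# its "Adds Run key" indicator. The first line is the MicroMedia entry from the
# report; the other two are assumed benign entries added for contrast.
SAMPLE_RUN_ENTRIES = [
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Program Files\\Windows Defender\\MSASCuiL.exe"',
    r'\REGISTRY\USER\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
]

# Kernel-object hive prefixes, as logged, mapped to the usual short names (assumption).
HIVE_MAP = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}

# Path fragments an autostart image should not normally sit under. Assumption:
# tune per estate, some legitimate updaters do live under AppData\Local.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
)

# key = path up to the last backslash, name = value name, data = raw value data
ENTRY_RE = re.compile(r'^(?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]+?)\s*=\s*(?P<data>.+)$')


@dataclass
class RunEntry:
    hive: str
    key: str
    name: str
    image: str
    wow64: bool
    suspicious: bool
    reason: str


def extract_image(data: str) -> str:
    """Return the executable path from value data of the form "path" [args] or path [args]."""
    data = data.replace("\\\\", "\\")  # the report doubles backslashes inside value data
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def parse_run_entry(line: str) -> RunEntry:
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Run value line: {line!r}")
    key, name, data = m.group("key"), m.group("name"), m.group("data")
    hive = next((short for raw, short in HIVE_MAP.items()
                 if key.upper().startswith(raw.upper())), key)
    image = extract_image(data)
    # Wow6432Node means a 32-bit process wrote HKLM\...\Run on a 64-bit OS; the
    # value is still run at logon, so it must be checked alongside the native key.
    wow64 = "\\wow6432node\\" in key.lower()
    hit = next((mk for mk in USER_WRITABLE_MARKERS if mk in image.lower()), None)
    reason = f"autostart image under user-writable path {hit}" if hit else ""
    return RunEntry(hive, key, name, image, wow64, hit is not None, reason)


def find_suspicious(lines: List[str]) -> List[RunEntry]:
    """Parse every line and keep the entries whose image lives in a user-writable location."""
    return [e for e in map(parse_run_entry, lines) if e.suspicious]


if __name__ == "__main__":
    for entry in find_suspicious(SAMPLE_RUN_ENTRIES):
        print(f"{entry.hive} {entry.name} -> {entry.image} ({entry.reason})")
```

Running it prints only the MicroMedia entry; the Defender and OneDrive lines pass because their images are outside the marked directories, and the OneDrive line also shows that trailing arguments after the quoted path are ignored when extracting the image.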
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe | "C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe" |
| C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe" |
| C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 |
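The cmd.exe command line in both runs is the usual self-deletion idiom: `ping 127.0.0.1` is not network activity of interest, it only delays the shell so the dropper has exited and released its file lock before `del /q` removes the original sample. The Python below is an added example, not from this report or the sandbox, that reconstructs the process tree as constructed process-creation events (the PIDs 1304, 1820, 1976 and 1788 are taken from the win7 memory dump names; the parent links are assumed) and flags a cmd.exe launch that pairs a delay primitive with `del` whose target is the image of one of its own ancestors. The final `timeout` plus `del` event is an assumed benign case added for contrast.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\932249c923c8f7977c12785238e68d4b2030471fc9edbda0ec326ced3bab755f.exe")

# Constructed process-creation events reproducing this report's process tree. PIDs
# 1304/1820/1976/1788 come from the memory dump names of the win7 run; the parent
# links and the last, benign event are assumptions added for contrast.
EVENTS = [
    ProcEvent(1304, 900, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1820, 1304, r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
              r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"),
    ProcEvent(1976, 1304, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    ProcEvent(1788, 1976, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    ProcEvent(2000, 900, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /q "C:\Logs\old.log"'),
]

# Delay primitives used to wait for the parent to exit before the delete runs.
DELAY_RE = re.compile(
    r"\b(?:ping(?:\.exe)?\s+(?:-n\s+\d+\s+)?127\.0\.0\.1|timeout(?:\.exe)?\s+(?:/t\s+)?\d+)",
    re.IGNORECASE,
)
# del [switches] "<drive-letter path>" up to the next & or the end of the line
DEL_RE = re.compile(r'\bdel\b[^"&]*?"?(?P<target>[A-Za-z]:\\[^"&]+?)"?\s*(?:&|$)', re.IGNORECASE)


@dataclass
class SelfDeleteHit:
    pid: int
    delay: str
    target: str
    owner_pid: Optional[int]  # ancestor whose image is the deleted file, if any
    self_delete: bool


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Iterator[ProcEvent]:
    """Walk the parent chain as far as the event set allows."""
    cur = ev
    while cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
        yield cur


def detect_self_delete(events: List[ProcEvent]) -> List[SelfDeleteHit]:
    """Flag cmd.exe launches that pair a delay primitive with del, and mark the
    ones whose delete target is the image of an ancestor process (self-deletion)."""
    by_pid = {e.pid: e for e in events}
    hits: List[SelfDeleteHit] = []
    for ev in events:
        if not ev.image.lower().endswith("\\cmd.exe"):
            continue
        delay, dele = DELAY_RE.search(ev.cmdline), DEL_RE.search(ev.cmdline)
        if not (delay and dele):
            continue
        target = dele.group("target")
        owner = next((a for a in ancestors(ev, by_pid)
                      if a.image.lower() == target.lower()), None)
        hits.append(SelfDeleteHit(ev.pid, delay.group(0), target,
                                  owner.pid if owner else None, owner is not None))
    return hits


if __name__ == "__main__":
    for hit in detect_self_delete(EVENTS):
        print(hit)
```

Both cmd.exe launches match the delay-plus-del shape, but only PID 1976 is marked `self_delete`, because its target is the image of its parent (PID 1304, the sample). Keying on the parent relationship rather than on `ping` alone is what keeps the benign cleanup script from firing.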
Network
| Country | Destination | Domain | Proto |
| FR | 2.16.119.157:443 | | tcp |
| US | 8.8.8.8:53 | www.polarroute.com | udp |
| US | 204.11.56.48:80 | www.polarroute.com | tcp |
| US | 204.11.56.48:80 | www.polarroute.com | tcp |
| US | 204.11.56.48:80 | www.polarroute.com | tcp |
| US | 52.109.12.19:443 | | tcp |
| US | 204.11.56.48:80 | www.polarroute.com | tcp |
| US | 204.11.56.48:80 | www.polarroute.com | tcp |
| US | 8.8.8.8:53 | www.northpoleroute.com | udp |
| US | 204.11.56.48:80 | www.northpoleroute.com | tcp |
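The Network tables of both runs repeat the same few connections many times, and the win10 table has two rows with no domain at all. The Python below is an added example, not part of this report, that turns those rows into a deduplicated indicator set: it repairs rows whose empty Domain cell shifts the protocol into the wrong column, treats the 8.8.8.8:53 rows as resolver lookups (an assumption about the sandbox) whose queried names are the indicators, groups endpoints by domain so that two names sharing one endpoint stand out, and keeps the two unattributed 443 connections separate instead of assuming they are C2.

```python
from collections import defaultdict
from typing import Any, Dict, List, Optional, Set, Tuple

# Constructed input: rows copied from this report's two Network tables, including
# the header and the two rows whose empty Domain cell shifts the protocol left.
NETWORK_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.polarroute.com | udp |
| US | 204.11.56.48:80 | www.polarroute.com | tcp |
| US | 204.11.56.48:80 | www.polarroute.com | tcp |
| US | 8.8.8.8:53 | www.northpoleroute.com | udp |
| US | 204.11.56.48:80 | www.northpoleroute.com | tcp |
| FR | 2.16.119.157:443 | tcp | |
| US | 52.109.12.19:443 | tcp | |
"""

RESOLVER = "8.8.8.8"  # assumption: the sandbox's DNS forwarder, not attacker infrastructure
Endpoint = Tuple[str, int, str]  # (ip, port, proto)


def parse_row(line: str) -> Optional[Dict[str, Any]]:
    """Parse one pipe-delimited row; return None for the header, blank or malformed rows."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        return None
    country, dest, domain, proto = cells
    # Column shift: when the Domain cell is empty the protocol lands in its place.
    if proto == "" and domain.lower() in ("tcp", "udp"):
        domain, proto = "", domain
    ip, _, port = dest.rpartition(":")
    if not port.isdigit():
        return None
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto.lower()}


def is_lookup(row: Dict[str, Any]) -> bool:
    return row["ip"] == RESOLVER and row["port"] == 53 and row["proto"] == "udp"


def build_iocs(rows_text: str) -> Dict[str, Any]:
    rows = [r for r in (parse_row(line) for line in rows_text.splitlines()) if r]
    # Resolver traffic: the queried name is the indicator, not the resolver address.
    dns_lookups = sorted({r["domain"] for r in rows if is_lookup(r)})
    by_domain: Dict[str, Set[Endpoint]] = defaultdict(set)
    unattributed: Set[Endpoint] = set()
    for r in rows:
        if is_lookup(r):
            continue
        ep: Endpoint = (r["ip"], r["port"], r["proto"])
        if r["domain"]:
            by_domain[r["domain"]].add(ep)
        else:
            unattributed.add(ep)  # no name attributed; keep separate, do not assume C2
    # Two names resolving to one endpoint hint that they are one piece of infrastructure.
    by_endpoint: Dict[Endpoint, Set[str]] = defaultdict(set)
    for domain, eps in by_domain.items():
        for ep in eps:
            by_endpoint[ep].add(domain)
    return {
        "dns_lookups": dns_lookups,
        "by_domain": {d: sorted(eps) for d, eps in by_domain.items()},
        "unattributed": sorted(unattributed),
        "shared_endpoints": {ep: sorted(ds) for ep, ds in by_endpoint.items() if len(ds) > 1},
    }


if __name__ == "__main__":
    for key, value in build_iocs(NETWORK_ROWS).items():
        print(key, value)
```

On this input the result collapses to two queried names, one shared endpoint (204.11.56.48:80/tcp behind both www.polarroute.com and www.northpoleroute.com) and two 443 connections with no name, which is a far shorter list to hand to a blocklist than the raw tables.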
Files
memory/2208-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | 6e1ab8fd503bed6f1aa3d954d1552939 |
| SHA1 | a6201230360ed18f4f914c9961f5ff4394cb3bc8 |
| SHA256 | d6e2d1d2e896723831a184496ab53e6c6738713310a4b461d6aacc46da77ffd7 |
| SHA512 | cab4aa19008bd1f6123f88cf0d9ab0f2806cc3ce584ec33ca82ec30e175db9394b0a1d2c374e225b2b1417a9c7d455020b35ad9aa9f008aeae5486f7253496e4 |
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | 6e1ab8fd503bed6f1aa3d954d1552939 |
| SHA1 | a6201230360ed18f4f914c9961f5ff4394cb3bc8 |
| SHA256 | d6e2d1d2e896723831a184496ab53e6c6738713310a4b461d6aacc46da77ffd7 |
| SHA512 | cab4aa19008bd1f6123f88cf0d9ab0f2806cc3ce584ec33ca82ec30e175db9394b0a1d2c374e225b2b1417a9c7d455020b35ad9aa9f008aeae5486f7253496e4 |
memory/2860-118-0x0000000000000000-mapping.dmp
memory/296-119-0x0000000000000000-mapping.dmp