Analysis

  • max time kernel
    181s
  • max time network
    190s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    30-01-2022 21:45

General

  • Target

    d4be6c9117db9de21138ae26d1d0c3cfb38fd7a19fa07c828731fa2ac756ef8d.exe

  • Size

    438KB

  • MD5

    230d8a7a60a07df28a291b13ddf3351f

  • SHA1

    de71fd21781ae1eed0dbba6bf915a65cc4c0f984

  • SHA256

    d4be6c9117db9de21138ae26d1d0c3cfb38fd7a19fa07c828731fa2ac756ef8d

  • SHA512

    b3305950a8d24b247a16b35d49f53dfbc367332879ddafcb7d95a1c44ec02f7ed66d26acbf9992bf39193094c7bbefcbbe59ae514619491e148bb59cb32ddf01

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

  • suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
  • suricata: ET MALWARE Possible Deep Panda User-Agent
  • suricata: ET MALWARE Sakula/Mivast C2 Activity

  • Executes dropped EXE (3 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL (2 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Windows directory (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings (1 TTP, 3 IoCs)
  • Modifies registry class (64 IoCs)
  • Modifies registry key (1 TTP, 1 IoC)
  • Runs ping.exe (1 TTP, 2 IoCs)
  • Suspicious behavior: MapViewOfSection (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (10 IoCs)
  • Suspicious use of SetWindowsHookEx (5 IoCs)
  • Suspicious use of WriteProcessMemory (40 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4be6c9117db9de21138ae26d1d0c3cfb38fd7a19fa07c828731fa2ac756ef8d.exe
    "C:\Users\Admin\AppData\Local\Temp\d4be6c9117db9de21138ae26d1d0c3cfb38fd7a19fa07c828731fa2ac756ef8d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Users\Admin\AppData\Local\Temp\Center259406000.dat
      "C:\Users\Admin\AppData\Local\Temp\Center259406000.dat"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:896
      • C:\Users\Admin\AppData\Local\Temp\s.exe
        "C:\Users\Admin\AppData\Local\Temp\s.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:780
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\s.exe" & del "C:\Users\Admin\AppData\Local\Temp\msi.dll" & del "C:\Users\Admin\AppData\Local\Temp\setup.msi"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:340
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1
            5⤵
            • Runs ping.exe
            PID:4092
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3992
          • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
            C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1912
            • C:\Windows\SysWOW64\svchost.exe
              "C:\Windows\system32\svchost.exe"
              6⤵
              PID:2448
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3880
            • C:\Windows\SysWOW64\reg.exe
              reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
              5⤵
              • Adds Run key to start application
              • Modifies registry key
              PID:1408
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\Center259406000.dat"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1804
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1
            4⤵
            • Runs ping.exe
            PID:1052
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2316
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      PID:2848
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3812
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:1820
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:1504

Downloads
