Analysis
- max time kernel: 142s
- max time network: 145s
- platform: windows10_x64
- resource: win10-20220223-en
- submitted: 28-02-2022 15:52
- Static task: static1
- Behavioral task behavioral1: sample 99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe, resource win7-en-20211208
- Behavioral task behavioral2: sample 99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe, resource win10-20220223-en
- Behavioral task behavioral3: sample 99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe, resource win10v2004-en-20220113
General
- Target: 99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe
- Size: 80KB
- MD5: adb692a6723aecf736f9314a6bf64b8f
- SHA1: 6b059d15b577fca1c0815e1051378e9955b7c7fd
- SHA256: 99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8
- SHA512: 114b03b4a8a0feb6a18acf8ec3077754549756f0327f7684cc716ec6b49601c5f9fb4a6c06147c94809c79768adbe24211a34ef7fb1d1e7e6e74660478e0186c
Malware Config
Signatures
- suricata: ET MALWARE Possible DEEP PANDA C2 Activity
- suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
- suricata: ET MALWARE Sakula/Mivast C2 Activity
- Executes dropped EXE (1 IoC)
  Processes: PID 4064, MediaCenter.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (reg.exe):
  - Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
- Modifies registry key (1 TTP, 1 IoC)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (each write below is recorded three times in the report, giving the 18 entries):
  - PID 4012 (99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe) wrote to memory of PID 3904 (cmd.exe)
  - PID 4012 (99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe) wrote to memory of PID 3944 (cmd.exe)
  - PID 4012 (99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe) wrote to memory of PID 3924 (cmd.exe)
  - PID 3904 (cmd.exe) wrote to memory of PID 2460 (reg.exe)
  - PID 3924 (cmd.exe) wrote to memory of PID 3816 (PING.EXE)
  - PID 3944 (cmd.exe) wrote to memory of PID 4064 (MediaCenter.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      Signatures: Adds Run key to start application; Modifies registry key
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Signatures: Executes dropped EXE
Network
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: e768d019255c65f24a7ed0fe8b7e85b4
  SHA1: 643fcb2ca3d881424277cf82b8b5ac23dd93219c
  SHA256: 5fe09e35e1cf958a0f3df0b2029d75689d9d8637e857428b5645f7a5bb66fc1c
  SHA512: 5eae9ae6d6502fe4b8c3abda064fa92586701e14814f6a991555c42e8c2fff0e4ae6dda77e43fd01c2df838b2ee2b25a0fdee34e3cc4395c676bff11d27cc20a
- memory/4012-114-0x0000000000401000-0x0000000000404000-memory.dmp
  Filesize: 12KB