Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 28-02-2022 15:52
Static task: static1
Behavioral task: behavioral1
  Sample: 99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe
  Resource: win10-20220223-en
Behavioral task: behavioral3
  Sample: 99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe
  Resource: win10v2004-en-20220113
General
- Target: 99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe
- Size: 80KB
- MD5: adb692a6723aecf736f9314a6bf64b8f
- SHA1: 6b059d15b577fca1c0815e1051378e9955b7c7fd
- SHA256: 99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8
- SHA512: 114b03b4a8a0feb6a18acf8ec3077754549756f0327f7684cc716ec6b49601c5f9fb4a6c06147c94809c79768adbe24211a34ef7fb1d1e7e6e74660478e0186c
Malware Config
Signatures
- suricata: ET MALWARE Possible DEEP PANDA C2 Activity
- suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
- suricata: ET MALWARE Sakula/Mivast C2 Activity
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    3628 | MediaCenter.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | reg.exe
- Modifies registry key (1 TTP, 1 IoC)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (description | pid | process | target process):
    PID 668 wrote to memory of 4420 | 668 | 99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe | cmd.exe
    PID 668 wrote to memory of 4420 | 668 | 99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe | cmd.exe
    PID 668 wrote to memory of 4420 | 668 | 99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe | cmd.exe
    PID 668 wrote to memory of 3704 | 668 | 99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe | cmd.exe
    PID 668 wrote to memory of 3704 | 668 | 99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe | cmd.exe
    PID 668 wrote to memory of 3704 | 668 | 99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe | cmd.exe
    PID 668 wrote to memory of 660 | 668 | 99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe | cmd.exe
    PID 668 wrote to memory of 660 | 668 | 99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe | cmd.exe
    PID 668 wrote to memory of 660 | 668 | 99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe | cmd.exe
    PID 4420 wrote to memory of 3644 | 4420 | cmd.exe | reg.exe
    PID 4420 wrote to memory of 3644 | 4420 | cmd.exe | reg.exe
    PID 4420 wrote to memory of 3644 | 4420 | cmd.exe | reg.exe
    PID 660 wrote to memory of 3540 | 660 | cmd.exe | PING.EXE
    PID 660 wrote to memory of 3540 | 660 | cmd.exe | PING.EXE
    PID 660 wrote to memory of 3540 | 660 | cmd.exe | PING.EXE
    PID 3704 wrote to memory of 3628 | 3704 | cmd.exe | MediaCenter.exe
    PID 3704 wrote to memory of 3628 | 3704 | cmd.exe | MediaCenter.exe
    PID 3704 wrote to memory of 3628 | 3704 | cmd.exe | MediaCenter.exe
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - (level 3) C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      Signatures: Adds Run key to start application; Modifies registry key
  - (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - (level 3) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Signatures: Executes dropped EXE
  - (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - (level 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 90784536cd46fc79840544814ff967bd
  SHA1: 5bb1aa9de9b21227e7f390732f04b21f709793fb
  SHA256: 991e0ba3e574d5bc7842d0b4c32fe905bdf8391df2b87101b0585ee64d8530cc
  SHA512: 62988b396fc2859f17bd786c2acd08c8b1bbd760c1b456bcf1ae75b3296f3d9280f1ecae53c73c9566d6a2ea0a8576d4a0a7bfe10a64dc4c13030217f83c8006
- memory/668-130-0x0000000000401000-0x0000000000404000-memory.dmp
  Filesize: 12KB