Analysis Overview
SHA256
99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8
Threat Level: Known bad
The file 99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8 was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
suricata: ET MALWARE Sakula/Mivast C2 Activity
Sakula
Executes dropped EXE
Deletes itself
Loads dropped DLL
Adds Run key to start application
Runs ping.exe
Suspicious use of WriteProcessMemory
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-28 15:52
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-28 15:52
Reported
2022-02-28 15:55
Platform
win7-en-20211208
Max time kernel
124s
Max time network
127s
Command Line
Signatures
Sakula
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
suricata: ET MALWARE Sakula/Mivast C2 Activity
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe
"C:\Users\Admin\AppData\Local\Temp\99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe"
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | vpn.premrera.com | udp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
Files
memory/1700-55-0x0000000075F91000-0x0000000075F93000-memory.dmp
memory/1700-56-0x0000000000401000-0x0000000000404000-memory.dmp
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | 536781df94e54eedbf916ff6d4aec653 |
| SHA1 | 1323d286a3c0c6bbd051394503169d95892b5792 |
| SHA256 | 79ab85a3ad963ac1175b6408d6667c46f73e6a587f9f074891555dd9c06f772a |
| SHA512 | 9dff6093f7e0b0a0bca2dac0e05c9bab6f74dd42371ac4bcde5cee2f2c3a80a2fd497db1ab64f06d050b04d417a095673964357edfd091dbeb2a7e31b6d65da6 |
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | 536781df94e54eedbf916ff6d4aec653 |
| SHA1 | 1323d286a3c0c6bbd051394503169d95892b5792 |
| SHA256 | 79ab85a3ad963ac1175b6408d6667c46f73e6a587f9f074891555dd9c06f772a |
| SHA512 | 9dff6093f7e0b0a0bca2dac0e05c9bab6f74dd42371ac4bcde5cee2f2c3a80a2fd497db1ab64f06d050b04d417a095673964357edfd091dbeb2a7e31b6d65da6 |
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | 536781df94e54eedbf916ff6d4aec653 |
| SHA1 | 1323d286a3c0c6bbd051394503169d95892b5792 |
| SHA256 | 79ab85a3ad963ac1175b6408d6667c46f73e6a587f9f074891555dd9c06f772a |
| SHA512 | 9dff6093f7e0b0a0bca2dac0e05c9bab6f74dd42371ac4bcde5cee2f2c3a80a2fd497db1ab64f06d050b04d417a095673964357edfd091dbeb2a7e31b6d65da6 |
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | 536781df94e54eedbf916ff6d4aec653 |
| SHA1 | 1323d286a3c0c6bbd051394503169d95892b5792 |
| SHA256 | 79ab85a3ad963ac1175b6408d6667c46f73e6a587f9f074891555dd9c06f772a |
| SHA512 | 9dff6093f7e0b0a0bca2dac0e05c9bab6f74dd42371ac4bcde5cee2f2c3a80a2fd497db1ab64f06d050b04d417a095673964357edfd091dbeb2a7e31b6d65da6 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-28 15:52
Reported
2022-02-28 15:55
Platform
win10-20220223-en
Max time kernel
142s
Max time network
145s
Command Line
Signatures
Sakula
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
suricata: ET MALWARE Sakula/Mivast C2 Activity
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe
"C:\Users\Admin\AppData\Local\Temp\99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | vpn.premrera.com | udp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
Files
memory/4012-114-0x0000000000401000-0x0000000000404000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | e768d019255c65f24a7ed0fe8b7e85b4 |
| SHA1 | 643fcb2ca3d881424277cf82b8b5ac23dd93219c |
| SHA256 | 5fe09e35e1cf958a0f3df0b2029d75689d9d8637e857428b5645f7a5bb66fc1c |
| SHA512 | 5eae9ae6d6502fe4b8c3abda064fa92586701e14814f6a991555c42e8c2fff0e4ae6dda77e43fd01c2df838b2ee2b25a0fdee34e3cc4395c676bff11d27cc20a |
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | e768d019255c65f24a7ed0fe8b7e85b4 |
| SHA1 | 643fcb2ca3d881424277cf82b8b5ac23dd93219c |
| SHA256 | 5fe09e35e1cf958a0f3df0b2029d75689d9d8637e857428b5645f7a5bb66fc1c |
| SHA512 | 5eae9ae6d6502fe4b8c3abda064fa92586701e14814f6a991555c42e8c2fff0e4ae6dda77e43fd01c2df838b2ee2b25a0fdee34e3cc4395c676bff11d27cc20a |
Analysis: behavioral3
Detonation Overview
Submitted
2022-02-28 15:52
Reported
2022-02-28 15:55
Platform
win10v2004-en-20220113
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Sakula
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
suricata: ET MALWARE Sakula/Mivast C2 Activity
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe
"C:\Users\Admin\AppData\Local\Temp\99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\99ec328bcbd54812cedd440448412187f1237e6b8f087e3a6dec0ec5421ed2b8.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | vpn.premrera.com | udp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
Files
memory/668-130-0x0000000000401000-0x0000000000404000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | 90784536cd46fc79840544814ff967bd |
| SHA1 | 5bb1aa9de9b21227e7f390732f04b21f709793fb |
| SHA256 | 991e0ba3e574d5bc7842d0b4c32fe905bdf8391df2b87101b0585ee64d8530cc |
| SHA512 | 62988b396fc2859f17bd786c2acd08c8b1bbd760c1b456bcf1ae75b3296f3d9280f1ecae53c73c9566d6a2ea0a8576d4a0a7bfe10a64dc4c13030217f83c8006 |
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | 90784536cd46fc79840544814ff967bd |
| SHA1 | 5bb1aa9de9b21227e7f390732f04b21f709793fb |
| SHA256 | 991e0ba3e574d5bc7842d0b4c32fe905bdf8391df2b87101b0585ee64d8530cc |
| SHA512 | 62988b396fc2859f17bd786c2acd08c8b1bbd760c1b456bcf1ae75b3296f3d9280f1ecae53c73c9566d6a2ea0a8576d4a0a7bfe10a64dc4c13030217f83c8006 |