Analysis
- max time kernel: 120s
- max time network: 180s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 10-05-2022 23:33

Static task: static1

Behavioral task: behavioral1
- Sample: abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe
- Resource: win10v2004-20220414-en
General
- Target: abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe
- Size: 27KB
- MD5: 24299db7c4fdd874faad29826e8381a3
- SHA1: bbde4c94ac31937c790f4fce5618524996b48f3c
- SHA256: abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674
- SHA512: d96272e4d4b6d9961c34167cde8a7fbe60f633c278deebc74f44152a982f494638f0dcd1e202d3d012749d3a428d9bf5172b1cc014d32f2d4f19e393ba885dec
Malware Config
Signatures
- suricata: ET MALWARE Possible DEEP PANDA C2 Activity
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 6
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 7
- Executes dropped EXE (1 IoC)
  Process: PID 940 MediaCenter.exe
- Deletes itself (1 IoC)
  Process: PID 1216 cmd.exe
- Loads dropped DLL (2 IoCs)
  Process: PID 808 abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe (both IoCs from this process)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: reg.exe
  - Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
  Note: the reg add command line (see the process tree) names HKLM\Software\Microsoft\Windows\CurrentVersion\Run, but reg.exe ran as a 32-bit process from SysWOW64 on an x64 host, so the write landed in the Wow6432Node view. A hunt that checks only the native Run key would miss this entry; check both views.
- Modifies registry key (1 TTP, 1 IoC)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: the sample abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe (PID 808), cmd.exe (PID 1408), cmd.exe (PID 1216)
  Each parent-to-child write was reported four times; the distinct pairs are:
  - PID 808 (sample) wrote to memory of PID 1408 (procid_target 27)
  - PID 808 (sample) wrote to memory of PID 940 (procid_target 28)
  - PID 1408 (cmd.exe) wrote to memory of PID 1172 (procid_target 30)
  - PID 808 (sample) wrote to memory of PID 1216 (procid_target 31)
  - PID 1216 (cmd.exe) wrote to memory of PID 1940 (procid_target 33)
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe"
  PID: 808
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    PID: 1408
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      PID: 1172
      - Adds Run key to start application
      - Modifies registry key

  (depth 2) C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 940
    - Executes dropped EXE

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe"
    PID: 1216
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1940
      - Runs ping.exe
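The two host-side behaviours in the process tree above (Run-key persistence from a Temp-dropped binary, and the "ping 127.0.0.1 & del" self-deletion) as detection logic, written here as an added example and not part of the sandbox report. The events are constructed to mirror the report's pids, images and command lines; the rule patterns, the user-writable-directory list and the WOW64 redirection assumption (32-bit writes to HKLM\Software land in Wow6432Node on x64) are mine.

```python
"""Detect Run-key persistence into a user-writable directory and the
'ping <loopback> & del <parent image>' self-deletion idiom over
process-creation events, attributing each hit to the root process.
Constructed events below mirror the sandbox report; not a real log export."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    rule: str
    pid: int
    root_pid: int   # top-most ancestor we have an event for
    detail: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
REG_CMD = (r'reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run '
           r'/v "MicroMedia" /t REG_SZ /d "' + DROPPED + '"')

# Constructed process-creation events in the order the report lists them.
# ppid 1 for the sample stands in for the launcher the report does not record.
EVENTS: List[Proc] = [
    Proc(808, 1, SAMPLE, '"' + SAMPLE + '"'),
    Proc(1408, 808, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c " + REG_CMD),
    Proc(1172, 1408, r"C:\Windows\SysWOW64\reg.exe", REG_CMD),
    Proc(940, 808, DROPPED, DROPPED),
    Proc(1216, 808, r"C:\Windows\SysWOW64\cmd.exe",
         'cmd.exe /c ping 127.0.0.1 & del "' + SAMPLE + '"'),
    Proc(1940, 1216, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]

RUN_KEY = re.compile(
    r"(HKLM|HKEY_LOCAL_MACHINE)\\Software\\(Wow6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\Run(Once)?\b", re.I)
RUN_DATA = re.compile(r'/d\s+"?([^"]+?)"?\s*$', re.I)
# Directories a standard user can write to; assumption, extend for your estate.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public)\\", re.I)
SELF_DELETE = re.compile(
    r'\bping\s+(127\.0\.0\.1|localhost|::1)\b[^&]*&+\s*del\s+"?([^"]+?)"?\s*$', re.I)


def effective_run_key(image: str, key: str) -> str:
    """Assumption: on x64 hosts a 32-bit process (anything under SysWOW64)
    writing HKLM\\Software is redirected to the Wow6432Node view, which is
    why the report's registry IOC shows Wow6432Node although the command
    line named the native key."""
    if "\\syswow64\\" in image.lower() and "wow6432node" not in key.lower():
        return re.sub(r"(?i)\\Software\\", r"\\Software\\Wow6432Node\\", key, count=1)
    return key


def root_of(pid: int, procs: Dict[int, Proc]) -> int:
    """Follow ppid links up to the top-most process present in the events."""
    seen = set()
    while pid in procs and procs[pid].ppid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid].ppid
    return pid


def detect(events: List[Proc]) -> List[Finding]:
    procs = {p.pid: p for p in events}
    findings: List[Finding] = []
    for p in events:
        base = p.image.rsplit("\\", 1)[-1].lower()
        # Rule 1: reg.exe writing a Run value whose target lives in a user-writable dir
        key = RUN_KEY.search(p.cmdline)
        data = RUN_DATA.search(p.cmdline)
        if base == "reg.exe" and key and data and USER_WRITABLE.search(data.group(1)):
            findings.append(Finding(
                "run_key_persistence", p.pid, root_of(p.pid, procs),
                f"{effective_run_key(p.image, key.group(0))} -> {data.group(1)}"))
        # Rule 2: cmd.exe deleting its own parent's image after a loopback-ping delay
        m = SELF_DELETE.search(p.cmdline)
        parent = procs.get(p.ppid)
        if base == "cmd.exe" and m and parent and m.group(2).lower() == parent.image.lower():
            findings.append(Finding(
                "self_delete_via_ping", p.pid, root_of(p.pid, procs),
                f"parent pid {parent.pid} deletes {m.group(2)}"))
    return findings


def attribute(findings: List[Finding]) -> Dict[int, List[str]]:
    """Group rule names by the root process they trace back to."""
    out: Dict[int, List[str]] = {}
    for f in findings:
        out.setdefault(f.root_pid, []).append(f.rule)
    return out


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f.rule}] pid={f.pid} root={f.root_pid} {f.detail}")
```

Both hits resolve to PID 808, the sample, even though the registry write is two hops down (sample -> cmd.exe -> reg.exe); attributing on the root rather than the immediate process is what lets a single alert tie the persistence entry to the binary that is about to delete itself.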
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 27KB
  MD5: 64f49b3dad49f11e53c8b11403fa63a3
  SHA1: e1bf9e7cd1d787e8309ba63de8f628832800bdc4
  SHA256: ef2be901f25f2c306bcd9dea2f71f10f00b8f20ef900376f64cf234e6b3806c5
  SHA512: cd3848645ce8e63793e4a18687ffcaf34022e67882a001a0bf7f8350d6da42b99893779f6d82cdb1589b08de01bac2e2504b6dadade45ce75a3d5c249b06ec9a