Analysis

  • max time kernel
    171s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    10-05-2022 23:33

General

  • Target

    abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe

  • Size

    27KB

  • MD5

    24299db7c4fdd874faad29826e8381a3

  • SHA1

    bbde4c94ac31937c790f4fce5618524996b48f3c

  • SHA256

    abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674

  • SHA512

    d96272e4d4b6d9961c34167cde8a7fbe60f633c278deebc74f44152a982f494638f0dcd1e202d3d012749d3a428d9bf5172b1cc014d32f2d4f19e393ba885dec

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

  • suricata: ET MALWARE Possible DEEP PANDA C2 Activity

    suricata: ET MALWARE Possible DEEP PANDA C2 Activity

  • suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 6

    suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 6

  • suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 7

    suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 7

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe
    "C:\Users\Admin\AppData\Local\Temp\abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2144
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1028
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:3992
    • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      2⤵
      • Executes dropped EXE
      PID:1500
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3204
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:3056

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

    Filesize

    27KB

    MD5

    aebf2c0183374b7aab6dc1cd90a892e2

    SHA1

    3e6a1f83c880a9bd813bcaf0b4cfbc09fcc4c816

    SHA256

    ff6540143ee56866349925f932e2c26184d727af7e570f0ecc607c405015db66

    SHA512

    fe7891f9014c7486434785009baccdd06d2ed66977c4ce467b53db53404513091e706076344f0b61335e9e6805dfd121c1744490981e4fdbaf0b7dc315dd3da6

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

    Filesize

    27KB

    MD5

    aebf2c0183374b7aab6dc1cd90a892e2

    SHA1

    3e6a1f83c880a9bd813bcaf0b4cfbc09fcc4c816

    SHA256

    ff6540143ee56866349925f932e2c26184d727af7e570f0ecc607c405015db66

    SHA512

    fe7891f9014c7486434785009baccdd06d2ed66977c4ce467b53db53404513091e706076344f0b61335e9e6805dfd121c1744490981e4fdbaf0b7dc315dd3da6

  • memory/1028-131-0x0000000000000000-mapping.dmp

  • memory/1500-132-0x0000000000000000-mapping.dmp

  • memory/1500-136-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2144-130-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/3056-138-0x0000000000000000-mapping.dmp

  • memory/3204-137-0x0000000000000000-mapping.dmp

  • memory/3992-135-0x0000000000000000-mapping.dmp