Analysis
- max time kernel: 171s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 10-05-2022 23:33

Static task: static1

Behavioral task: behavioral1
- Sample: abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe
- Resource: win10v2004-20220414-en
General
- Target: abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe
- Size: 27KB
- MD5: 24299db7c4fdd874faad29826e8381a3
- SHA1: bbde4c94ac31937c790f4fce5618524996b48f3c
- SHA256: abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674
- SHA512: d96272e4d4b6d9961c34167cde8a7fbe60f633c278deebc74f44152a982f494638f0dcd1e202d3d012749d3a428d9bf5172b1cc014d32f2d4f19e393ba885dec
Malware Config
(none extracted)

Signatures
- suricata: ET MALWARE Possible DEEP PANDA C2 Activity
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 6
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 7
- Executes dropped EXE (1 IoC)
  Processes (pid | Process):
    1500 | MediaCenter.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | Process):
    Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | reg.exe
- Modifies registry key (1 TTP, 1 IoC)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe, cmd.exe, cmd.exe
  Events (description | pid | Process | procid_target), each of the five events recorded three times (15 IoCs):
    PID 2144 wrote to memory of 1028 | 2144 | abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe | 80
    PID 2144 wrote to memory of 1500 | 2144 | abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe | 83
    PID 1028 wrote to memory of 3992 | 1028 | cmd.exe | 82
    PID 2144 wrote to memory of 3204 | 2144 | abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe | 86
    PID 3204 wrote to memory of 3056 | 3204 | cmd.exe | 87
Processes
- C:\Users\Admin\AppData\Local\Temp\abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2144
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1028
    - C:\Windows\SysWOW64\reg.exe (level 3)
      Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      - Adds Run key to start application
      - Modifies registry key
      PID: 3992
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 1500
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3204
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3056
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 27KB
  MD5: aebf2c0183374b7aab6dc1cd90a892e2
  SHA1: 3e6a1f83c880a9bd813bcaf0b4cfbc09fcc4c816
  SHA256: ff6540143ee56866349925f932e2c26184d727af7e570f0ecc607c405015db66
  SHA512: fe7891f9014c7486434785009baccdd06d2ed66977c4ce467b53db53404513091e706076344f0b61335e9e6805dfd121c1744490981e4fdbaf0b7dc315dd3da6