Analysis Overview
SHA256
abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674
Threat Level: Known bad
The file abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674 was found to be: Known bad.
Malicious Activity Summary
Sakula
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 6
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 7
Executes dropped EXE
Loads dropped DLL
Deletes itself
Adds Run key to start application
Modifies registry key
Runs ping.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-10 23:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-10 23:33
Reported
2022-05-10 23:46
Platform
win7-20220414-en
Max time kernel
120s
Max time network
180s
Command Line
Signatures
Sakula
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 6
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 7
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe
"C:\Users\Admin\AppData\Local\Temp\abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.we11point.com | udp |
| US | 204.11.56.48:443 | www.we11point.com | tcp |
| US | 204.11.56.48:443 | www.we11point.com | tcp |
| US | 204.11.56.48:443 | www.we11point.com | tcp |
Files
memory/808-54-0x0000000075D21000-0x0000000075D23000-memory.dmp
memory/808-55-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1408-56-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | 64f49b3dad49f11e53c8b11403fa63a3 |
| SHA1 | e1bf9e7cd1d787e8309ba63de8f628832800bdc4 |
| SHA256 | ef2be901f25f2c306bcd9dea2f71f10f00b8f20ef900376f64cf234e6b3806c5 |
| SHA512 | cd3848645ce8e63793e4a18687ffcaf34022e67882a001a0bf7f8350d6da42b99893779f6d82cdb1589b08de01bac2e2504b6dadade45ce75a3d5c249b06ec9a |
memory/940-59-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | 64f49b3dad49f11e53c8b11403fa63a3 |
| SHA1 | e1bf9e7cd1d787e8309ba63de8f628832800bdc4 |
| SHA256 | ef2be901f25f2c306bcd9dea2f71f10f00b8f20ef900376f64cf234e6b3806c5 |
| SHA512 | cd3848645ce8e63793e4a18687ffcaf34022e67882a001a0bf7f8350d6da42b99893779f6d82cdb1589b08de01bac2e2504b6dadade45ce75a3d5c249b06ec9a |
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | 64f49b3dad49f11e53c8b11403fa63a3 |
| SHA1 | e1bf9e7cd1d787e8309ba63de8f628832800bdc4 |
| SHA256 | ef2be901f25f2c306bcd9dea2f71f10f00b8f20ef900376f64cf234e6b3806c5 |
| SHA512 | cd3848645ce8e63793e4a18687ffcaf34022e67882a001a0bf7f8350d6da42b99893779f6d82cdb1589b08de01bac2e2504b6dadade45ce75a3d5c249b06ec9a |
memory/1172-62-0x0000000000000000-mapping.dmp
memory/940-63-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1216-64-0x0000000000000000-mapping.dmp
memory/1940-65-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-10 23:33
Reported
2022-05-10 23:46
Platform
win10v2004-20220414-en
Max time kernel
171s
Max time network
138s
Command Line
Signatures
Sakula
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 6
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 7
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe
"C:\Users\Admin\AppData\Local\Temp\abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\abdbc215ab1979c6aac2de4e36c31d95112250f64f2f56543aad0858a9600674.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| NL | 20.190.160.75:443 | N/A | tcp |
| NL | 20.190.160.8:443 | N/A | tcp |
| NL | 8.238.24.126:80 | N/A | tcp |
| NL | 8.238.24.126:80 | N/A | tcp |
| NL | 20.190.160.67:443 | N/A | tcp |
| IE | 52.109.76.31:443 | N/A | tcp |
| NL | 20.190.160.4:443 | N/A | tcp |
| US | 8.8.8.8:53 | www.we11point.com | udp |
| US | 204.11.56.48:443 | www.we11point.com | tcp |
| US | 204.11.56.48:443 | www.we11point.com | tcp |
| NL | 20.190.160.71:443 | N/A | tcp |
| US | 204.11.56.48:443 | www.we11point.com | tcp |
| NL | 20.190.160.132:443 | N/A | tcp |
| US | 204.11.56.48:443 | www.we11point.com | tcp |
| US | 204.11.56.48:443 | www.we11point.com | tcp |
| US | 204.11.56.48:443 | www.we11point.com | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 52.109.8.19:443 | N/A | tcp |
| US | 204.11.56.48:443 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 204.11.56.48:443 | N/A | tcp |
Files
memory/2144-130-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1028-131-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | aebf2c0183374b7aab6dc1cd90a892e2 |
| SHA1 | 3e6a1f83c880a9bd813bcaf0b4cfbc09fcc4c816 |
| SHA256 | ff6540143ee56866349925f932e2c26184d727af7e570f0ecc607c405015db66 |
| SHA512 | fe7891f9014c7486434785009baccdd06d2ed66977c4ce467b53db53404513091e706076344f0b61335e9e6805dfd121c1744490981e4fdbaf0b7dc315dd3da6 |
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | aebf2c0183374b7aab6dc1cd90a892e2 |
| SHA1 | 3e6a1f83c880a9bd813bcaf0b4cfbc09fcc4c816 |
| SHA256 | ff6540143ee56866349925f932e2c26184d727af7e570f0ecc607c405015db66 |
| SHA512 | fe7891f9014c7486434785009baccdd06d2ed66977c4ce467b53db53404513091e706076344f0b61335e9e6805dfd121c1744490981e4fdbaf0b7dc315dd3da6 |
memory/3992-135-0x0000000000000000-mapping.dmp
memory/1500-132-0x0000000000000000-mapping.dmp
memory/1500-136-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3204-137-0x0000000000000000-mapping.dmp
memory/3056-138-0x0000000000000000-mapping.dmp