Analysis

  • max time kernel
    145s
  • max time network
    163s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    10-05-2022 23:47

General

  • Target

    99452760ef7c1d5bfd94c8db2cbd2fe2202cb13fe8e764bfd58a52933a9ea876.exe

  • Size

    19KB

  • MD5

    3746191d38bf729e9db2e1ac9f1aca80

  • SHA1

    0b372ebf284da5929c2fdffdff0b3c3406ad541b

  • SHA256

    99452760ef7c1d5bfd94c8db2cbd2fe2202cb13fe8e764bfd58a52933a9ea876

  • SHA512

    d55b7972eabf651be0ef0be68bc589739331e9833959e9ad18e96304582be8e3616d89b88abf81eba7b35593fc321db2a08bedb4d4c1888d869c56a85b80cafa

Malware Config

Signatures

  • Sakula

    Sakula is a remote access trojan with various capabilities.

  • suricata: ET MALWARE Possible DEEP PANDA C2 Activity

    suricata: ET MALWARE Possible DEEP PANDA C2 Activity

  • suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5

    suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5

  • suricata: ET MALWARE Sakula/Mivast C2 Activity

    suricata: ET MALWARE Sakula/Mivast C2 Activity

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\99452760ef7c1d5bfd94c8db2cbd2fe2202cb13fe8e764bfd58a52933a9ea876.exe
    "C:\Users\Admin\AppData\Local\Temp\99452760ef7c1d5bfd94c8db2cbd2fe2202cb13fe8e764bfd58a52933a9ea876.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:1712
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:340
      • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
        3⤵
        • Executes dropped EXE
        PID:1952
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\99452760ef7c1d5bfd94c8db2cbd2fe2202cb13fe8e764bfd58a52933a9ea876.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1744

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

    Filesize

    19KB

    MD5

    1226dd27071c09e51aaf54e2a37367c2

    SHA1

    dd2197c6b2358ecef8d0fb94d272da86c103d35e

    SHA256

    79d93362299d134450bdcdd473902ce7e339f8a7697284dbc809e4d9def1220c

    SHA512

    9ae36da3b70ff10fd2523ceec1aaab09f29297e889f65613e0e55707ba3c6f409266154a101d021679e9aade19cd722e56c7848e25e48f92ab9a04133d81e8ad

  • C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

    Filesize

    19KB

    MD5

    1226dd27071c09e51aaf54e2a37367c2

    SHA1

    dd2197c6b2358ecef8d0fb94d272da86c103d35e

    SHA256

    79d93362299d134450bdcdd473902ce7e339f8a7697284dbc809e4d9def1220c

    SHA512

    9ae36da3b70ff10fd2523ceec1aaab09f29297e889f65613e0e55707ba3c6f409266154a101d021679e9aade19cd722e56c7848e25e48f92ab9a04133d81e8ad

  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

    Filesize

    19KB

    MD5

    1226dd27071c09e51aaf54e2a37367c2

    SHA1

    dd2197c6b2358ecef8d0fb94d272da86c103d35e

    SHA256

    79d93362299d134450bdcdd473902ce7e339f8a7697284dbc809e4d9def1220c

    SHA512

    9ae36da3b70ff10fd2523ceec1aaab09f29297e889f65613e0e55707ba3c6f409266154a101d021679e9aade19cd722e56c7848e25e48f92ab9a04133d81e8ad

  • \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

    Filesize

    19KB

    MD5

    1226dd27071c09e51aaf54e2a37367c2

    SHA1

    dd2197c6b2358ecef8d0fb94d272da86c103d35e

    SHA256

    79d93362299d134450bdcdd473902ce7e339f8a7697284dbc809e4d9def1220c

    SHA512

    9ae36da3b70ff10fd2523ceec1aaab09f29297e889f65613e0e55707ba3c6f409266154a101d021679e9aade19cd722e56c7848e25e48f92ab9a04133d81e8ad

  • memory/340-58-0x0000000000000000-mapping.dmp

  • memory/1624-55-0x0000000000020000-0x0000000000024000-memory.dmp

    Filesize

    16KB

  • memory/1624-56-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/1624-54-0x0000000076391000-0x0000000076393000-memory.dmp

    Filesize

    8KB

  • memory/1712-66-0x0000000000000000-mapping.dmp

  • memory/1744-67-0x0000000000000000-mapping.dmp

  • memory/1952-63-0x0000000000000000-mapping.dmp

  • memory/1952-68-0x0000000000020000-0x0000000000024000-memory.dmp

    Filesize

    16KB

  • memory/1952-69-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/1992-59-0x0000000000000000-mapping.dmp

  • memory/2008-57-0x0000000000000000-mapping.dmp