Analysis
max time kernel: 194s
max time network: 198s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 10-05-2022 23:47
Static task: static1
Behavioral task behavioral1: sample 99452760ef7c1d5bfd94c8db2cbd2fe2202cb13fe8e764bfd58a52933a9ea876.exe, resource win7-20220414-en
Behavioral task behavioral2: sample 99452760ef7c1d5bfd94c8db2cbd2fe2202cb13fe8e764bfd58a52933a9ea876.exe, resource win10v2004-20220414-en
General
Target: 99452760ef7c1d5bfd94c8db2cbd2fe2202cb13fe8e764bfd58a52933a9ea876.exe
Size: 19KB
MD5: 3746191d38bf729e9db2e1ac9f1aca80
SHA1: 0b372ebf284da5929c2fdffdff0b3c3406ad541b
SHA256: 99452760ef7c1d5bfd94c8db2cbd2fe2202cb13fe8e764bfd58a52933a9ea876
SHA512: d55b7972eabf651be0ef0be68bc589739331e9833959e9ad18e96304582be8e3616d89b88abf81eba7b35593fc321db2a08bedb4d4c1888d869c56a85b80cafa
Malware Config
Signatures
Network (Suricata, Emerging Threats ruleset):
- suricata: ET MALWARE Possible DEEP PANDA C2 Activity
- suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
- suricata: ET MALWARE Sakula/Mivast C2 Activity
Behavioral:
- Executes dropped EXE (1 IoC)
  PID 2668  MediaCenter.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  reg.exe  key created     \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  reg.exe  set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
  Note that the command line (see the process tree below) targets HKLM\Software\Microsoft\Windows\CurrentVersion\Run, but the write was issued by the 32-bit C:\Windows\SysWOW64\reg.exe and so landed under WOW6432Node. A hunt that inspects only the native 64-bit Run key will miss this entry; check both registry views.
- Modifies registry key (1 TTP, 1 IoC)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of WriteProcessMemory (18 IoCs)
  source PID  target PID  source process                                                              procid_target  occurrences
  2396        4348        99452760ef7c1d5bfd94c8db2cbd2fe2202cb13fe8e764bfd58a52933a9ea876.exe        79             3
  2396        2028        99452760ef7c1d5bfd94c8db2cbd2fe2202cb13fe8e764bfd58a52933a9ea876.exe        80             3
  2396        4868        99452760ef7c1d5bfd94c8db2cbd2fe2202cb13fe8e764bfd58a52933a9ea876.exe        83             3
  4348        4976        cmd.exe                                                                     85             3
  2028        2668        cmd.exe                                                                     87             3
  4868        3572        cmd.exe                                                                     86             3
  Every source/target pair here is a parent/child edge in the process tree below, so these events are consistent with ordinary child-process creation rather than code injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\99452760ef7c1d5bfd94c8db2cbd2fe2202cb13fe8e764bfd58a52933a9ea876.exe (PID 2396)
  command line: "C:\Users\Admin\AppData\Local\Temp\99452760ef7c1d5bfd94c8db2cbd2fe2202cb13fe8e764bfd58a52933a9ea876.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 4348)
    command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe (PID 4976)
      command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      - Adds Run key to start application
      - Modifies registry key
  C:\Windows\SysWOW64\cmd.exe (PID 2028)
    command line: cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 2668)
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (PID 4868)
    command line: cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\99452760ef7c1d5bfd94c8db2cbd2fe2202cb13fe8e764bfd58a52933a9ea876.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID 3572)
      command line: ping 127.0.0.1
      - Runs ping.exe

The sample spawns three cmd.exe children in sequence: the first registers the dropped MediaCenter.exe under the Run key for persistence, the second launches the dropped payload, and the third uses ping 127.0.0.1 as a short delay before deleting the original dropper from disk. The persistence path and the deleted path are the two file-system IoCs to hunt for on other hosts; the Run value name is MicroMedia.
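The three-branch pattern above (Run-key persistence via reg.exe, launch of a payload from the user's Temp directory, and ping-then-del self-removal) is easy to express as process-creation detection logic. The following is an added example, not code from the sandbox or from the report; it runs over events constructed from the PIDs, images and command lines shown on this page (the root process's parent PID is a placeholder, since the report does not show it), and the rule names, the ProcEvent record shape and the WOW6432Node view expansion are this example's own choices.

```python
"""Flag Run-key persistence, Temp-directory execution and ping-delay self-deletion
over process-creation events (added example; constructed input, not sandbox code)."""
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE = "99452760ef7c1d5bfd94c8db2cbd2fe2202cb13fe8e764bfd58a52933a9ea876.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
DROPPED = TEMP + r"\MicroMedia\MediaCenter.exe"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the process tree on this page (same PIDs, images and command
# lines). A real feed would be Sysmon event 1 or Security 4688 records. The
# root's ppid of 1 is a placeholder: the report does not show the sample's parent.
EVENTS = [
    ProcEvent(2396, 1, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(4348, 2396, r"C:\Windows\SysWOW64\cmd.exe",
              f'cmd.exe /c reg add {RUN_KEY} /v "MicroMedia" /t REG_SZ /d "{DROPPED}"'),
    ProcEvent(4976, 4348, r"C:\Windows\SysWOW64\reg.exe",
              f'reg add {RUN_KEY} /v "MicroMedia" /t REG_SZ /d "{DROPPED}"'),
    ProcEvent(2028, 2396, r"C:\Windows\SysWOW64\cmd.exe", f'cmd.exe /c "{DROPPED}"'),
    ProcEvent(2668, 2028, DROPPED, DROPPED),
    ProcEvent(4868, 2396, r"C:\Windows\SysWOW64\cmd.exe",
              f'cmd.exe /c ping 127.0.0.1 & del "{SAMPLE_PATH}"'),
    ProcEvent(3572, 4868, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]

# reg add <HK..\CurrentVersion\Run[Once]> /v <name> ... /d "<data>"
RUN_KEY_RE = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?(?P<key>HK[A-Z_]+\\[^"\s]*\\CurrentVersion\\Run(?:Once)?)"?'
    r'\s.*?/v\s+"?(?P<name>[^"\s]+)"?.*?/d\s+"?(?P<data>[^"]+)"?', re.I)
# ping <host> ... & del "<file>": the sleep-then-delete idiom used by the dropper
SELF_DEL_RE = re.compile(r'ping\s+\S+.*?&+\s*del\s+"?(?P<target>[^"&]+?)"?\s*$', re.I)


def lineage(pid: int, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Image basenames from the given process up to the root of the tree."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return chain


def detect(events: List[ProcEvent]) -> List[dict]:
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = e.image.lower()
        if img.endswith("\\reg.exe"):
            m = RUN_KEY_RE.search(e.cmdline)
            if m:
                keys = [m.group("key")]
                # SysWOW64\reg.exe is 32-bit, so an HKLM\Software write is redirected
                # under WOW6432Node (as the report's registry IoCs show); hunt both views.
                if "\\syswow64\\" in img and keys[0][:14].upper() == "HKLM\\SOFTWARE\\":
                    keys.append(keys[0][:14] + "WOW6432Node\\" + keys[0][14:])
                findings.append({"rule": "run_key_persistence", "pid": e.pid,
                                 "name": m.group("name"), "data": m.group("data"),
                                 "keys": keys, "lineage": lineage(e.pid, by_pid)})
        if img.endswith("\\cmd.exe"):
            m = SELF_DEL_RE.search(e.cmdline)
            if m:
                target = m.group("target").strip()
                parent = by_pid.get(e.ppid)
                findings.append({"rule": "ping_delay_delete", "pid": e.pid, "target": target,
                                 # deleting the parent's own image means the dropper removes itself
                                 "self_delete": bool(parent and parent.image.lower() == target.lower())})
        if "\\appdata\\local\\temp\\" in img:
            findings.append({"rule": "temp_exec", "pid": e.pid, "image": e.image,
                             "lineage": lineage(e.pid, by_pid)})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Run as-is it reports four findings for the constructed tree: the reg.exe Run-key write (with both the requested key and its WOW6432Node view), the two Temp-directory executions (the dropper and MediaCenter.exe, each with its parent lineage), and the ping-then-del branch marked as a self-delete because the deleted path equals the parent's image. The self_delete flag is what separates a dropper cleaning up after itself from an ordinary scripted file removal.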
Network
MITRE ATT&CK Enterprise v6
Downloads
File created during the run (same 19KB size as the submitted sample, but different hashes):
Filesize: 19KB
MD5: dbd958987f5f147847d7c54f5dc38127
SHA1: 670cd05eeeb452dea85a12abe5067a8c75b5f0c2
SHA256: 659539a37309fab24963b8e274e968846d73ce702152f0d73add9c563f967096
SHA512: d955839e6950bea3fcd34c3f3360207895dbbf7faf9fdc9ece1dc1e64c62487049de16adc9d2d74d50d1073db3e37c461c8210d8c5c52049db5f8836d8bddc42