Analysis

max time kernel:  186s
max time network: 197s
platform:         windows10-2004_x64
resource:         win10v2004-20220414-en
submitted:        11-05-2022 00:40

Static task:      static1
Behavioral task:  behavioral1
Sample:           5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe
Resource:         win7-20220414-en
General

Target: 5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe
Size:   40KB
MD5:    1cc8846038d84ed445d3a71fd4fc88eb
SHA1:   85c988e1827cf3aa75926be7c002c71585013b04
SHA256: 5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c
SHA512: 890d2cca605adfabb6c4104b2a6aad1503abc513f037d9f98b2f6ad113ed1edc3b287e3f4211c31f577c9b7ca181d0c0cbc701f2066e4e22439f9fea6918383c
Malware Config
Signatures

suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
suricata: ET MALWARE Sakula/Mivast C2 Activity
Executes dropped EXE (1 IoC)
Processes:
  pid  | Process
  4604 | MediaCenter.exe

Processes (YARA matches):
  resource                                                                      | yara_rule
  behavioral2/memory/2324-133-0x0000000000400000-0x000000000040D000-memory.dmp | upx
  behavioral2/files/0x00060000000231ea-138.dat                                  | upx
  behavioral2/files/0x00060000000231ea-137.dat                                  | upx
  behavioral2/memory/4604-139-0x0000000000400000-0x000000000040D000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description     | ioc                                                                                                                                                                | Process
  Key created     | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run                                                                                        | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | reg.exe
Modifies registry key (1 TTP, 1 IoC)

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  description                      | pid  | Process                                                                  | procid_target
  PID 2324 wrote to memory of 4820 | 2324 | 5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe | 93
  PID 2324 wrote to memory of 4820 | 2324 | 5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe | 93
  PID 2324 wrote to memory of 4820 | 2324 | 5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe | 93
  PID 2324 wrote to memory of 372  | 2324 | 5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe | 92
  PID 2324 wrote to memory of 372  | 2324 | 5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe | 92
  PID 2324 wrote to memory of 372  | 2324 | 5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe | 92
  PID 2324 wrote to memory of 2604 | 2324 | 5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe | 91
  PID 2324 wrote to memory of 2604 | 2324 | 5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe | 91
  PID 2324 wrote to memory of 2604 | 2324 | 5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe | 91
  PID 2604 wrote to memory of 2104 | 2604 | cmd.exe                                                                  | 87
  PID 2604 wrote to memory of 2104 | 2604 | cmd.exe                                                                  | 87
  PID 2604 wrote to memory of 2104 | 2604 | cmd.exe                                                                  | 87
  PID 4820 wrote to memory of 4620 | 4820 | cmd.exe                                                                  | 86
  PID 4820 wrote to memory of 4620 | 4820 | cmd.exe                                                                  | 86
  PID 4820 wrote to memory of 4620 | 4820 | cmd.exe                                                                  | 86
  PID 372 wrote to memory of 4604  | 372  | cmd.exe                                                                  | 85
  PID 372 wrote to memory of 4604  | 372  | cmd.exe                                                                  | 85
  PID 372 wrote to memory of 4604  | 372  | cmd.exe                                                                  | 85
Processes

C:\Users\Admin\AppData\Local\Temp\5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe"
    PID: 2324
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\5378189c64d82fdcc1ab31d23f82594d6c0805fa26621d944cd3d7767861064c.exe"
        PID: 2604
        - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
        PID: 372
        - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
        PID: 4820
        - Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 4604
    - Executes dropped EXE

C:\Windows\SysWOW64\reg.exe
    Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    PID: 4620
    - Adds Run key to start application
    - Modifies registry key

C:\Windows\SysWOW64\PING.EXE
    Command line: ping 127.0.0.1
    PID: 2104
    - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 40KB
MD5:      77cc13e7775c7f2f551342d0bf80d4af
SHA1:     32d4134db40de9ccfff369f06c428cc81908ba65
SHA256:   24832259bdc017e1ed5e1d23b362a1efaa42255f45e521f940c6b85ae1588148
SHA512:   24741c90cc11cee638d15fad1d9fbe97e6a2f58efb678ee405c955a4d8b0b99666e1d1eb76032a41508c2e35490904b3863fc0ed3d40e91589c409d0d08f714e