Analysis
- max time kernel: 160s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 12-05-2022 15:55
Static task: static1
Behavioral task: behavioral1
  Sample: 6c001fd70ea1c71ff5074f615214944ebb666c591f7166673c5b038f41c83c64.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 6c001fd70ea1c71ff5074f615214944ebb666c591f7166673c5b038f41c83c64.exe
  Resource: win10v2004-20220414-en
General
- Target: 6c001fd70ea1c71ff5074f615214944ebb666c591f7166673c5b038f41c83c64.exe
- Size: 42KB
- MD5: 0f4df6fa818ad0312e163b2d2be1552d
- SHA1: 27f15722c4d0066dca1ac15ec1801a3cfe08f788
- SHA256: 6c001fd70ea1c71ff5074f615214944ebb666c591f7166673c5b038f41c83c64
- SHA512: 97090a3b4bb3237e32fc240f05dcd02b17818788016db505643be368a248b81ee7478b782966969fd2d774ac77a164dd8dd520bd4fc959522acb8a22acc5609d
Malware Config
Signatures
- suricata: ET MALWARE Possible DEEP PANDA C2 Activity
- suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
- suricata: ET MALWARE Sakula/Mivast C2 Activity
- Executes dropped EXE (1 IoC)
  Processes:
    pid 3124: MediaCenter.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    reg.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
    reg.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
- Modifies registry key (1 TTP, 1 IoC)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (each write below is recorded three times in the sandbox table, giving the 18 IoCs):
    PID 4500 (6c001fd70ea1c71ff5074f615214944ebb666c591f7166673c5b038f41c83c64.exe) wrote to memory of PID 4512 (cmd.exe)
    PID 4500 (6c001fd70ea1c71ff5074f615214944ebb666c591f7166673c5b038f41c83c64.exe) wrote to memory of PID 4784 (cmd.exe)
    PID 4500 (6c001fd70ea1c71ff5074f615214944ebb666c591f7166673c5b038f41c83c64.exe) wrote to memory of PID 2020 (cmd.exe)
    PID 4512 (cmd.exe) wrote to memory of PID 4484 (reg.exe)
    PID 2020 (cmd.exe) wrote to memory of PID 768 (PING.EXE)
    PID 4784 (cmd.exe) wrote to memory of PID 3124 (MediaCenter.exe)
Processes (indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\6c001fd70ea1c71ff5074f615214944ebb666c591f7166673c5b038f41c83c64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6c001fd70ea1c71ff5074f615214944ebb666c591f7166673c5b038f41c83c64.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      Signatures: Adds Run key to start application; Modifies registry key
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\6c001fd70ea1c71ff5074f615214944ebb666c591f7166673c5b038f41c83c64.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  Filesize: 42KB
  MD5: b54e94ece7586d41bf13ed5179b7869d
  SHA1: 97804050ac3e79c08c3384eae6f63df6ae6eebd1
  SHA256: d690b197ac555bff1ddcb58373cb3f5849952cc879ca1052304015337e253ab4
  SHA512: 8ff4fa779b6f642a74b7e8ec37a0f0224eb94fd77d19dd98939f40a84a4d099bf56576ec068bfc4a5e59a5a4a0ca246d0148a5c572d8c66a299c33a79b90def2
- memory/768-135-0x0000000000000000-mapping.dmp
- memory/2020-133-0x0000000000000000-mapping.dmp
- memory/3124-136-0x0000000000000000-mapping.dmp
- memory/3124-139-0x0000000000400000-0x000000000040B000-memory.dmp
  Filesize: 44KB
- memory/4484-134-0x0000000000000000-mapping.dmp
- memory/4500-130-0x0000000000400000-0x000000000040B000-memory.dmp
  Filesize: 44KB
- memory/4512-131-0x0000000000000000-mapping.dmp
- memory/4784-132-0x0000000000000000-mapping.dmp