Analysis Overview
SHA256
6c001fd70ea1c71ff5074f615214944ebb666c591f7166673c5b038f41c83c64
Threat Level: Known bad
The file 6c001fd70ea1c71ff5074f615214944ebb666c591f7166673c5b038f41c83c64 was found to be: Known bad.
Malicious Activity Summary
Sakula
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
suricata: ET MALWARE Sakula/Mivast C2 Activity
Executes dropped EXE
Deletes itself
Loads dropped DLL
Adds Run key to start application
Modifies registry key
Suspicious use of WriteProcessMemory
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-12 15:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-12 15:55
Reported
2022-05-12 18:15
Platform
win7-20220414-en
Max time kernel
134s
Max time network
193s
Command Line
Signatures
Sakula
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
suricata: ET MALWARE Sakula/Mivast C2 Activity
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6c001fd70ea1c71ff5074f615214944ebb666c591f7166673c5b038f41c83c64.exe
"C:\Users\Admin\AppData\Local\Temp\6c001fd70ea1c71ff5074f615214944ebb666c591f7166673c5b038f41c83c64.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\6c001fd70ea1c71ff5074f615214944ebb666c591f7166673c5b038f41c83c64.exe"
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | vpn.premrera.com | udp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
Files
memory/1944-54-0x0000000075EF1000-0x0000000075EF3000-memory.dmp
memory/1944-55-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1352-56-0x0000000000000000-mapping.dmp
memory/1036-57-0x0000000000000000-mapping.dmp
memory/1804-60-0x0000000000000000-mapping.dmp
memory/1008-59-0x0000000000000000-mapping.dmp
memory/1004-58-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | d730fe31136ea434339d46d850984087 |
| SHA1 | d9028794ae430b192859be4e977f7243ad97c22e |
| SHA256 | b9951c9a9c79049f9bc816b7373d77649e8e2bce37243eee94888cc940c98980 |
| SHA512 | 908a7b5f8fe05e214198b01474d9e3ec497df8a601cd43389467795635ae88d0c5cee571b181039fd0c90c67f3c26571eec44f5e0380dd142f7850dce936c47a |
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | d730fe31136ea434339d46d850984087 |
| SHA1 | d9028794ae430b192859be4e977f7243ad97c22e |
| SHA256 | b9951c9a9c79049f9bc816b7373d77649e8e2bce37243eee94888cc940c98980 |
| SHA512 | 908a7b5f8fe05e214198b01474d9e3ec497df8a601cd43389467795635ae88d0c5cee571b181039fd0c90c67f3c26571eec44f5e0380dd142f7850dce936c47a |
memory/1496-64-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | d730fe31136ea434339d46d850984087 |
| SHA1 | d9028794ae430b192859be4e977f7243ad97c22e |
| SHA256 | b9951c9a9c79049f9bc816b7373d77649e8e2bce37243eee94888cc940c98980 |
| SHA512 | 908a7b5f8fe05e214198b01474d9e3ec497df8a601cd43389467795635ae88d0c5cee571b181039fd0c90c67f3c26571eec44f5e0380dd142f7850dce936c47a |
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | d730fe31136ea434339d46d850984087 |
| SHA1 | d9028794ae430b192859be4e977f7243ad97c22e |
| SHA256 | b9951c9a9c79049f9bc816b7373d77649e8e2bce37243eee94888cc940c98980 |
| SHA512 | 908a7b5f8fe05e214198b01474d9e3ec497df8a601cd43389467795635ae88d0c5cee571b181039fd0c90c67f3c26571eec44f5e0380dd142f7850dce936c47a |
memory/1496-67-0x0000000000400000-0x000000000040B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-12 15:55
Reported
2022-05-12 18:11
Platform
win10v2004-20220414-en
Max time kernel
160s
Max time network
173s
Command Line
Signatures
Sakula
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
suricata: ET MALWARE Sakula/Mivast C2 Activity
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6c001fd70ea1c71ff5074f615214944ebb666c591f7166673c5b038f41c83c64.exe
"C:\Users\Admin\AppData\Local\Temp\6c001fd70ea1c71ff5074f615214944ebb666c591f7166673c5b038f41c83c64.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\6c001fd70ea1c71ff5074f615214944ebb666c591f7166673c5b038f41c83c64.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Network
| Country | Destination | Domain | Proto |
| NL | 20.190.160.134:443 | | tcp |
| NL | 20.190.160.134:443 | | tcp |
| NL | 20.190.160.134:443 | | tcp |
| FR | 2.18.109.224:443 | | tcp |
| NL | 20.190.160.73:443 | | tcp |
| NL | 20.190.160.73:443 | | tcp |
| NL | 20.190.160.73:443 | | tcp |
| IE | 13.69.239.73:443 | | tcp |
| US | 104.18.25.243:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| NL | 20.190.160.132:443 | | tcp |
| NL | 20.190.160.132:443 | | tcp |
| NL | 20.190.160.132:443 | | tcp |
| NL | 20.190.160.69:443 | | tcp |
| NL | 20.190.160.69:443 | | tcp |
| NL | 20.190.160.69:443 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | vpn.premrera.com | udp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| NL | 20.190.160.71:443 | | tcp |
| NL | 20.190.160.71:443 | | tcp |
| NL | 20.190.160.71:443 | | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| NL | 20.190.160.67:443 | | tcp |
| NL | 20.190.160.67:443 | | tcp |
| NL | 20.190.160.67:443 | | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
Files
memory/4500-130-0x0000000000400000-0x000000000040B000-memory.dmp
memory/4512-131-0x0000000000000000-mapping.dmp
memory/2020-133-0x0000000000000000-mapping.dmp
memory/4784-132-0x0000000000000000-mapping.dmp
memory/4484-134-0x0000000000000000-mapping.dmp
memory/768-135-0x0000000000000000-mapping.dmp
memory/3124-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | b54e94ece7586d41bf13ed5179b7869d |
| SHA1 | 97804050ac3e79c08c3384eae6f63df6ae6eebd1 |
| SHA256 | d690b197ac555bff1ddcb58373cb3f5849952cc879ca1052304015337e253ab4 |
| SHA512 | 8ff4fa779b6f642a74b7e8ec37a0f0224eb94fd77d19dd98939f40a84a4d099bf56576ec068bfc4a5e59a5a4a0ca246d0148a5c572d8c66a299c33a79b90def2 |
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | b54e94ece7586d41bf13ed5179b7869d |
| SHA1 | 97804050ac3e79c08c3384eae6f63df6ae6eebd1 |
| SHA256 | d690b197ac555bff1ddcb58373cb3f5849952cc879ca1052304015337e253ab4 |
| SHA512 | 8ff4fa779b6f642a74b7e8ec37a0f0224eb94fd77d19dd98939f40a84a4d099bf56576ec068bfc4a5e59a5a4a0ca246d0148a5c572d8c66a299c33a79b90def2 |
memory/3124-139-0x0000000000400000-0x000000000040B000-memory.dmp