Analysis Overview
SHA256
2772c05ccb98243d81ffda3e7355aa4542b536267897bfcbc05fe74aea1efd69
Threat Level: Known bad
The file 2772c05ccb98243d81ffda3e7355aa4542b536267897bfcbc05fe74aea1efd69 was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE Sakula/Mivast C2 Activity
Sakula
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
Executes dropped EXE
Deletes itself
Loads dropped DLL
Adds Run key to start application
Runs ping.exe
Modifies registry key
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-12 18:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-12 18:37
Reported
2022-05-12 22:28
Platform
win7-20220414-en
Max time kernel
187s
Max time network
195s
Command Line
Signatures
Sakula
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
suricata: ET MALWARE Sakula/Mivast C2 Activity
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2772c05ccb98243d81ffda3e7355aa4542b536267897bfcbc05fe74aea1efd69.exe
"C:\Users\Admin\AppData\Local\Temp\2772c05ccb98243d81ffda3e7355aa4542b536267897bfcbc05fe74aea1efd69.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\2772c05ccb98243d81ffda3e7355aa4542b536267897bfcbc05fe74aea1efd69.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | vpn.premrera.com | udp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
Files
memory/2008-54-0x00000000754A1000-0x00000000754A3000-memory.dmp
memory/2008-55-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1204-56-0x0000000000000000-mapping.dmp
memory/1276-57-0x0000000000000000-mapping.dmp
memory/888-58-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | 9b4092909dcf9216308002ee9a9a4b6e |
| SHA1 | 2f7b9fa34a4f8064ec8de8b8887121cb521f0fcf |
| SHA256 | f210208fd46166c9bdec04809e86dd9204970df8c4d9e3127fa55052cc1b4951 |
| SHA512 | 612fdb53e652fba0229f6e0a0b6d9d1b481dbc37003b35b03ad3226d99def41b2f1e85613b7a9c73f73dbbbb513582407529173029df89cf3637a55dd48a24a5 |
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | 9b4092909dcf9216308002ee9a9a4b6e |
| SHA1 | 2f7b9fa34a4f8064ec8de8b8887121cb521f0fcf |
| SHA256 | f210208fd46166c9bdec04809e86dd9204970df8c4d9e3127fa55052cc1b4951 |
| SHA512 | 612fdb53e652fba0229f6e0a0b6d9d1b481dbc37003b35b03ad3226d99def41b2f1e85613b7a9c73f73dbbbb513582407529173029df89cf3637a55dd48a24a5 |
memory/892-63-0x0000000000000000-mapping.dmp
memory/1536-62-0x0000000000000000-mapping.dmp
memory/1764-66-0x0000000000000000-mapping.dmp
memory/1536-67-0x0000000000400000-0x0000000000409000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-12 18:37
Reported
2022-05-12 22:26
Platform
win10v2004-20220414-en
Max time kernel
168s
Max time network
201s
Command Line
Signatures
Sakula
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
suricata: ET MALWARE Sakula/Mivast C2 Activity
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2772c05ccb98243d81ffda3e7355aa4542b536267897bfcbc05fe74aea1efd69.exe
"C:\Users\Admin\AppData\Local\Temp\2772c05ccb98243d81ffda3e7355aa4542b536267897bfcbc05fe74aea1efd69.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\2772c05ccb98243d81ffda3e7355aa4542b536267897bfcbc05fe74aea1efd69.exe"
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| NL | 20.190.160.8:443 | | tcp |
| IE | 20.50.80.209:443 | | tcp |
| NL | 20.190.160.67:443 | | tcp |
| NL | 20.190.160.73:443 | | tcp |
| NL | 20.190.160.4:443 | | tcp |
| NL | 20.190.160.132:443 | | tcp |
| NL | 20.190.160.129:443 | | tcp |
| US | 8.8.8.8:53 | vpn.premrera.com | udp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
Files
memory/4812-130-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3920-131-0x0000000000000000-mapping.dmp
memory/4852-132-0x0000000000000000-mapping.dmp
memory/4272-133-0x0000000000000000-mapping.dmp
memory/3108-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | 4b54ba85a78bdc0b43e627c059e33c53 |
| SHA1 | e687898847b5fbb7675ab11296e4189e329787e3 |
| SHA256 | 05857b7cc6c719f0a148642d2de5b3541594e0d71c733c9482874cd59cfea0ae |
| SHA512 | 9ca4363abcdc22c9b6bfd5dff750ead3781e425a6c719d3181c4a69833b872be63bc9fdb8b2a8bcf44157649cccb11771ac323ec367982cd5fd29d5f416a3dc2 |
memory/3800-137-0x0000000000000000-mapping.dmp
memory/2788-138-0x0000000000000000-mapping.dmp
memory/3108-139-0x0000000000400000-0x0000000000409000-memory.dmp