Analysis
max time kernel: 166s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 16-05-2022 12:14
Static task: static1
Behavioral task: behavioral1
  Sample: 538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe
  Resource: win10v2004-20220414-en
General
Target: 538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe
Size: 29KB
MD5: f4df5e903d1b9ca375f23500dfa68a76
SHA1: cb8e9ff5aa669751303fe6986dd9eb53a99675b8
SHA256: 538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936
SHA512: 8bd05f5cd39d667277174c3db2e767c4202a15b036d2d464aa130f9751ba74dc69f24188c205f03a7b54bcb0fad1bdddfa1e347795bc350b5992bda88668442c
Malware Config
Signatures
- suricata: ET MALWARE Possible DEEP PANDA C2 Activity
- suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
- suricata: ET MALWARE Sakula/Mivast C2 Activity
- Executes dropped EXE (1 IoC)
  Processes (MediaCenter.exe):
    pid   Process
    4652  MediaCenter.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (reg.exe):
    description      ioc                                                                                   Process
    Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run           reg.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  reg.exe
- Modifies registry key (1 TTP, 1 IoC)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe, cmd.exe, cmd.exe, cmd.exe):
    description                       pid   Process                                                                 procid_target
    PID 2096 wrote to memory of 220   2096  538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe   86
    PID 2096 wrote to memory of 220   2096  538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe   86
    PID 2096 wrote to memory of 220   2096  538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe   86
    PID 2096 wrote to memory of 324   2096  538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe   87
    PID 2096 wrote to memory of 324   2096  538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe   87
    PID 2096 wrote to memory of 324   2096  538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe   87
    PID 2096 wrote to memory of 532   2096  538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe   88
    PID 2096 wrote to memory of 532   2096  538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe   88
    PID 2096 wrote to memory of 532   2096  538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe   88
    PID 324 wrote to memory of 4652   324   cmd.exe                                                                 93
    PID 324 wrote to memory of 4652   324   cmd.exe                                                                 93
    PID 324 wrote to memory of 4652   324   cmd.exe                                                                 93
    PID 220 wrote to memory of 3172   220   cmd.exe                                                                 94
    PID 220 wrote to memory of 3172   220   cmd.exe                                                                 94
    PID 220 wrote to memory of 3172   220   cmd.exe                                                                 94
    PID 532 wrote to memory of 4088   532   cmd.exe                                                                 95
    PID 532 wrote to memory of 4088   532   cmd.exe                                                                 95
    PID 532 wrote to memory of 4088   532   cmd.exe                                                                 95
Processes
C:\Users\Admin\AppData\Local\Temp\538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2096
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      - Suspicious use of WriteProcessMemory
      PID: 220
        C:\Windows\SysWOW64\reg.exe
          Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
          - Adds Run key to start application
          - Modifies registry key
          PID: 3172
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
      - Suspicious use of WriteProcessMemory
      PID: 324
        C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
          - Executes dropped EXE
          PID: 4652
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe"
      - Suspicious use of WriteProcessMemory
      PID: 532
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 4088
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 29KB
  MD5: 930d8e98ad9e197254bc3b1dc4e667fa
  SHA1: f56dfc9bffadead8f27135ddf72df6b7d4bc2270
  SHA256: e235283197eb8fcbcd5fdc8e9dfa20f124dfe844fa3a81a09f77c297aa759b12
  SHA512: 48b2187082db10161c03982fe526935907625f860e94644747528c3a224accbbfb7aa101d8f5bdacc4866c2301d816b4dd5bf3927607026fe4540e5cf5c036d3