Analysis Overview
SHA256
538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936
Threat Level: Known bad
The file 538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936 was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE Sakula/Mivast C2 Activity
Sakula
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
Executes dropped EXE
Loads dropped DLL
Deletes itself
Adds Run key to start application
Runs ping.exe
Suspicious use of WriteProcessMemory
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-16 12:14
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-16 12:14
Reported
2022-05-16 13:14
Platform
win7-20220414-en
Max time kernel
196s
Max time network
225s
Command Line
Signatures
Sakula
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe
"C:\Users\Admin\AppData\Local\Temp\538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | vpn.premrera.com | udp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 173.254.226.212:443 | | tcp |
Files
memory/1680-54-0x0000000075761000-0x0000000075763000-memory.dmp
memory/1680-55-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1224-56-0x0000000000000000-mapping.dmp
memory/1656-57-0x0000000000000000-mapping.dmp
memory/1220-58-0x0000000000000000-mapping.dmp
memory/1420-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | da772e0b6f0e03aa3c54893c33449dd1 |
| SHA1 | bd9470a9e548490bf178a29ea0fba80eb4228a68 |
| SHA256 | 44f71065b95cabfaf7e0dc0ef3dc4b6f5a618b3cef83dd23c6cfc072cc9aeb73 |
| SHA512 | 7b0a4af409e8348aa53226b5ebf544cf4804a5332c6ae822324e4b7836e06b650e1912f245c0be81592e4f4779c1a7a44cbde1a5e4e35de11491a6f3203ffa35 |
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | da772e0b6f0e03aa3c54893c33449dd1 |
| SHA1 | bd9470a9e548490bf178a29ea0fba80eb4228a68 |
| SHA256 | 44f71065b95cabfaf7e0dc0ef3dc4b6f5a618b3cef83dd23c6cfc072cc9aeb73 |
| SHA512 | 7b0a4af409e8348aa53226b5ebf544cf4804a5332c6ae822324e4b7836e06b650e1912f245c0be81592e4f4779c1a7a44cbde1a5e4e35de11491a6f3203ffa35 |
memory/2004-63-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | da772e0b6f0e03aa3c54893c33449dd1 |
| SHA1 | bd9470a9e548490bf178a29ea0fba80eb4228a68 |
| SHA256 | 44f71065b95cabfaf7e0dc0ef3dc4b6f5a618b3cef83dd23c6cfc072cc9aeb73 |
| SHA512 | 7b0a4af409e8348aa53226b5ebf544cf4804a5332c6ae822324e4b7836e06b650e1912f245c0be81592e4f4779c1a7a44cbde1a5e4e35de11491a6f3203ffa35 |
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | da772e0b6f0e03aa3c54893c33449dd1 |
| SHA1 | bd9470a9e548490bf178a29ea0fba80eb4228a68 |
| SHA256 | 44f71065b95cabfaf7e0dc0ef3dc4b6f5a618b3cef83dd23c6cfc072cc9aeb73 |
| SHA512 | 7b0a4af409e8348aa53226b5ebf544cf4804a5332c6ae822324e4b7836e06b650e1912f245c0be81592e4f4779c1a7a44cbde1a5e4e35de11491a6f3203ffa35 |
memory/1424-66-0x0000000000000000-mapping.dmp
memory/2004-67-0x0000000000400000-0x0000000000409000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-16 12:14
Reported
2022-05-16 13:13
Platform
win10v2004-20220414-en
Max time kernel
166s
Max time network
158s
Command Line
Signatures
Sakula
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
suricata: ET MALWARE Sakula/Mivast C2 Activity
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe
"C:\Users\Admin\AppData\Local\Temp\538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\538157b8755ad0e7bf88c19246ba836d008c7736ec10f79d28268acbf81f1936.exe"
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 20.42.65.85:443 | | tcp |
| FR | 2.18.109.224:443 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
| US | 104.18.24.243:80 | | tcp |
| US | 8.8.8.8:53 | vpn.premrera.com | udp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
Files
memory/2096-130-0x0000000000400000-0x0000000000409000-memory.dmp
memory/220-131-0x0000000000000000-mapping.dmp
memory/324-132-0x0000000000000000-mapping.dmp
memory/532-133-0x0000000000000000-mapping.dmp
memory/4652-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | 930d8e98ad9e197254bc3b1dc4e667fa |
| SHA1 | f56dfc9bffadead8f27135ddf72df6b7d4bc2270 |
| SHA256 | e235283197eb8fcbcd5fdc8e9dfa20f124dfe844fa3a81a09f77c297aa759b12 |
| SHA512 | 48b2187082db10161c03982fe526935907625f860e94644747528c3a224accbbfb7aa101d8f5bdacc4866c2301d816b4dd5bf3927607026fe4540e5cf5c036d3 |
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | 930d8e98ad9e197254bc3b1dc4e667fa |
| SHA1 | f56dfc9bffadead8f27135ddf72df6b7d4bc2270 |
| SHA256 | e235283197eb8fcbcd5fdc8e9dfa20f124dfe844fa3a81a09f77c297aa759b12 |
| SHA512 | 48b2187082db10161c03982fe526935907625f860e94644747528c3a224accbbfb7aa101d8f5bdacc4866c2301d816b4dd5bf3927607026fe4540e5cf5c036d3 |
memory/3172-137-0x0000000000000000-mapping.dmp
memory/4088-138-0x0000000000000000-mapping.dmp
memory/4652-139-0x0000000000400000-0x0000000000409000-memory.dmp