Analysis Overview
SHA256
130d67c50bd649897b9198b090f6137b792a8415a03abf04b13063eaa93ac678
Threat Level: Known bad
The file 130d67c50bd649897b9198b090f6137b792a8415a03abf04b13063eaa93ac678 was found to be: Known bad.
Malicious Activity Summary
Sakula
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Sakula/Mivast C2 Activity
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
Executes dropped EXE
Deletes itself
Loads dropped DLL
Adds Run key to start application
Suspicious use of WriteProcessMemory
Modifies registry key
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-03 13:34
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-03 13:34
Reported
2022-06-03 13:44
Platform
win10v2004-20220414-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Sakula
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
suricata: ET MALWARE Sakula/Mivast C2 Activity
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\130d67c50bd649897b9198b090f6137b792a8415a03abf04b13063eaa93ac678.exe
"C:\Users\Admin\AppData\Local\Temp\130d67c50bd649897b9198b090f6137b792a8415a03abf04b13063eaa93ac678.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\130d67c50bd649897b9198b090f6137b792a8415a03abf04b13063eaa93ac678.exe"
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| NL | 52.109.88.34:443 | | tcp |
| US | 8.8.8.8:53 | vpn.premrera.com | udp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| NL | 104.97.14.81:80 | | tcp |
| IE | 20.54.110.249:443 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| NL | 104.97.14.80:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | 40f379e5183102009bfe19e35bed7f79 |
| SHA1 | 5b1e9abfc37e9df431ceb057a2561bd2d67d724d |
| SHA256 | 0666f8aba38789da1e80ec5c231e1587d6c33188978b5fd5ffa223f569b1f3bd |
| SHA512 | 4faf3bbbe52b915482d163de4d0863ac918e86b7f6d60fcd4964be0d4101ad8efe26b401309caf147209d634d5748a642509bacc68993dbc2de51144f924af84 |
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-03 13:34
Reported
2022-06-03 13:44
Platform
win7-20220414-en
Max time kernel
135s
Max time network
148s
Command Line
Signatures
Sakula
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
suricata: ET MALWARE Sakula/Mivast C2 Activity
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\130d67c50bd649897b9198b090f6137b792a8415a03abf04b13063eaa93ac678.exe
"C:\Users\Admin\AppData\Local\Temp\130d67c50bd649897b9198b090f6137b792a8415a03abf04b13063eaa93ac678.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\130d67c50bd649897b9198b090f6137b792a8415a03abf04b13063eaa93ac678.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | vpn.premrera.com | udp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | e233a6fa76ec1bf0534d1a8cf22319a8 |
| SHA1 | 1bc539d08e3f7c926e7ccfbd4ed5c51ec8d6a72b |
| SHA256 | 061abbcf69694f86543b572c9e0930c1c349e7c7406a58d34cec2ede2e86886c |
| SHA512 | 2ee2b7d909a193e560667be69c020bbb3b5100f90f1854f96b7dc2f9e0c8df2d0b9e302416ada7a18c81bfa0b31b477b5934855d2ad19b7f33604d90b4dfb00d |