Analysis Overview
SHA256
27f40937f824375088dd1b64a7b8d091bb1ce321cae2236495a00d842f278142
Threat Level: Known bad
The file 27f40937f824375088dd1b64a7b8d091bb1ce321cae2236495a00d842f278142 was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Sakula/Mivast C2 Activity
Sakula
Executes dropped EXE
Loads dropped DLL
Deletes itself
Adds Run key to start application
Runs ping.exe
Suspicious use of WriteProcessMemory
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-16 02:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-16 02:47
Reported
2022-06-16 03:10
Platform
win7-20220414-en
Max time kernel
121s
Max time network
137s
Command Line
Signatures
Sakula
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\27f40937f824375088dd1b64a7b8d091bb1ce321cae2236495a00d842f278142.exe
"C:\Users\Admin\AppData\Local\Temp\27f40937f824375088dd1b64a7b8d091bb1ce321cae2236495a00d842f278142.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\27f40937f824375088dd1b64a7b8d091bb1ce321cae2236495a00d842f278142.exe"
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | vpn.premrera.com | udp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 173.254.226.212:443 | | tcp |
| US | 173.254.226.212:443 | | tcp |
Files
memory/1280-54-0x00000000756E1000-0x00000000756E3000-memory.dmp
memory/1280-55-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1280-56-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1896-57-0x0000000000000000-mapping.dmp
memory/996-58-0x0000000000000000-mapping.dmp
memory/1484-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | 0c0d25410f84efd5f2744f99d6668cf9 |
| SHA1 | 63ef25b26042a707619d90b5f839a957149d7967 |
| SHA256 | af68f618354513cd454346a09f2559442194d2c28c62262357d521039b257c1a |
| SHA512 | b142c116055320ffb5e36d9a8c3a0f4a33a9d872cc53d2757016b74985aab51df1c3052dfa15a4689b79ab825c9d7332f49eb148fadfc1b675613d037ae15f9d |
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | 0c0d25410f84efd5f2744f99d6668cf9 |
| SHA1 | 63ef25b26042a707619d90b5f839a957149d7967 |
| SHA256 | af68f618354513cd454346a09f2559442194d2c28c62262357d521039b257c1a |
| SHA512 | b142c116055320ffb5e36d9a8c3a0f4a33a9d872cc53d2757016b74985aab51df1c3052dfa15a4689b79ab825c9d7332f49eb148fadfc1b675613d037ae15f9d |
memory/1468-63-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | 0c0d25410f84efd5f2744f99d6668cf9 |
| SHA1 | 63ef25b26042a707619d90b5f839a957149d7967 |
| SHA256 | af68f618354513cd454346a09f2559442194d2c28c62262357d521039b257c1a |
| SHA512 | b142c116055320ffb5e36d9a8c3a0f4a33a9d872cc53d2757016b74985aab51df1c3052dfa15a4689b79ab825c9d7332f49eb148fadfc1b675613d037ae15f9d |
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | 0c0d25410f84efd5f2744f99d6668cf9 |
| SHA1 | 63ef25b26042a707619d90b5f839a957149d7967 |
| SHA256 | af68f618354513cd454346a09f2559442194d2c28c62262357d521039b257c1a |
| SHA512 | b142c116055320ffb5e36d9a8c3a0f4a33a9d872cc53d2757016b74985aab51df1c3052dfa15a4689b79ab825c9d7332f49eb148fadfc1b675613d037ae15f9d |
memory/1108-67-0x0000000000000000-mapping.dmp
memory/884-66-0x0000000000000000-mapping.dmp
memory/996-68-0x00000000000B0000-0x00000000000BB000-memory.dmp
memory/996-69-0x00000000000B0000-0x00000000000BB000-memory.dmp
memory/996-70-0x00000000000B0000-0x00000000000BB000-memory.dmp
memory/996-71-0x00000000000B0000-0x00000000000BB000-memory.dmp
memory/1468-72-0x0000000000400000-0x000000000040B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-16 02:47
Reported
2022-06-16 03:10
Platform
win10v2004-20220414-en
Max time kernel
91s
Max time network
155s
Command Line
Signatures
Sakula
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Sakula/Mivast C2 Activity
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\27f40937f824375088dd1b64a7b8d091bb1ce321cae2236495a00d842f278142.exe
"C:\Users\Admin\AppData\Local\Temp\27f40937f824375088dd1b64a7b8d091bb1ce321cae2236495a00d842f278142.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\27f40937f824375088dd1b64a7b8d091bb1ce321cae2236495a00d842f278142.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
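Detection logic for the host-side behaviour recorded in the process trees of behavioral1 and behavioral2 above (Run-key persistence written through reg.exe, and the `ping 127.0.0.1 & del` self-deletion idiom), as an added example that is not part of the sandbox report. It runs over constructed process-creation events whose command lines are copied from the two trees; the pids, the parent links and the benign control entry are assumptions made for the example.

```python
"""Flag Run-key persistence via reg.exe and the `ping 127.0.0.1 & del` self-delete idiom
in process-creation telemetry, correlating each hit with its parent process."""
import re

# Constructed sample telemetry. Command lines are the ones recorded in the behavioral1 and
# behavioral2 process trees; pids, parent links and the final benign entry are assumed.
SAMPLE_EVENTS = [
    {"pid": 1280, "ppid": 700,
     "image": r"C:\Users\Admin\AppData\Local\Temp\27f40937f824375088dd1b64a7b8d091bb1ce321cae2236495a00d842f278142.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\27f40937f824375088dd1b64a7b8d091bb1ce321cae2236495a00d842f278142.exe"'},
    {"pid": 1896, "ppid": 1280, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"'},
    {"pid": 996, "ppid": 1280, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"'},
    {"pid": 1484, "ppid": 1280, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\27f40937f824375088dd1b64a7b8d091bb1ce321cae2236495a00d842f278142.exe"'},
    {"pid": 1468, "ppid": 996, "image": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"},
    {"pid": 1108, "ppid": 1896, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"'},
    {"pid": 884, "ppid": 1484, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    # Benign control (constructed): a Run entry pointing into Program Files, which should score low.
    {"pid": 2000, "ppid": 1, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Program Files\Vendor\updater.exe"'},
]

# `reg add <key>` anywhere in the command line (also catches the cmd.exe /c wrapper).
REG_ADD_RE = re.compile(r"\breg(?:\.exe)?\s+add\s+(\S+)", re.IGNORECASE)
# The key must end in ...\CurrentVersion\Run or \RunOnce.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)
# Value data given with /d, optionally quoted, at the end of the line.
DATA_RE = re.compile(r'/d\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
# Directories a standard user can write to; a Run value pointing here is the interesting case.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\(?:Local\\Temp|Roaming)|Users\\Public|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
# `ping 127.0.0.1 [-n N] ... & del [/flags] <file>`: ping is used as a sleep before the delete.
SELF_DELETE_RE = re.compile(
    r'\bping\s+(?:-n\s+\d+\s+)?127\.0\.0\.1\b.*?(?:&&?|\|\|)\s*del\s+(?:/\S+\s+)*"?([^"]+?)"?\s*$',
    re.IGNORECASE)


def find_run_key_persistence(ev):
    """Return an alert if the event writes a Run/RunOnce value; severity depends on the target path."""
    m = REG_ADD_RE.search(ev["cmdline"])
    if not m or not RUN_KEY_RE.search(m.group(1)):
        return None
    dm = DATA_RE.search(ev["cmdline"])
    target = dm.group(1) if dm else ""
    return {"rule": "run_key_persistence", "pid": ev["pid"], "key": m.group(1), "target": target,
            "severity": "high" if USER_WRITABLE_RE.search(target) else "low"}


def find_self_delete(ev, by_pid):
    """Return an alert for the ping-then-del idiom and say whether the deleted file is the parent's image."""
    m = SELF_DELETE_RE.search(ev["cmdline"])
    if not m:
        return None
    deleted = m.group(1)
    parent = by_pid.get(ev["ppid"])
    deletes_parent = parent is not None and parent["image"].lower() == deleted.lower()
    return {"rule": "ping_delay_delete", "pid": ev["pid"], "deleted": deleted,
            "deletes_parent_image": deletes_parent, "severity": "high" if deletes_parent else "medium"}


def scan(events):
    """Run both rules over a list of events and add cross-event context to the persistence hits."""
    by_pid = {e["pid"]: e for e in events}
    executed_images = {e["image"].lower() for e in events}
    alerts = []
    for ev in events:
        hit = find_run_key_persistence(ev)
        if hit:
            # Persisted binary also ran in this tree: dropped EXE executed and registered for autostart.
            hit["target_executed"] = hit["target"].lower() in executed_images
            alerts.append(hit)
        hit = find_self_delete(ev, by_pid)
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The command lines name HKLM\Software\Microsoft\Windows\CurrentVersion\Run, while the signature tables record the write under Wow6432Node: reg.exe was launched from SysWOW64, so the 32-bit process is subject to WOW64 registry redirection. A hunt for the MicroMedia value therefore has to check both the native and the Wow6432Node view of the Run key, and the rule above deliberately matches on the command line rather than on the redirected key path.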
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | vpn.premrera.com | udp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| BE | 67.27.154.126:80 | | tcp |
| US | 20.42.65.89:443 | | tcp |
| BE | 67.27.154.126:80 | | tcp |
| BE | 67.27.154.126:80 | | tcp |
| BE | 67.27.154.126:80 | | tcp |
| US | 173.254.226.212:443 | | tcp |
Files
memory/4116-130-0x0000000000400000-0x000000000040B000-memory.dmp
memory/4572-131-0x0000000000000000-mapping.dmp
memory/4480-132-0x0000000000000000-mapping.dmp
memory/4116-134-0x0000000000400000-0x000000000040B000-memory.dmp
memory/4644-133-0x0000000000000000-mapping.dmp
memory/3204-135-0x0000000000000000-mapping.dmp
memory/4872-136-0x0000000000000000-mapping.dmp
memory/4936-137-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | b2f4f7fa8f14a4b7328d57b3350c11dc |
| SHA1 | ae2b497c67fc1105449f4682fc25c1140ae5ce6a |
| SHA256 | 1cf26aa4efaa4fcd9f254a0613b16840990a829514522b7053629f6fd846f254 |
| SHA512 | 8647f2f31c18ecc8158aec2cb942d4c96a096ed8d1db94f0bc14e8479d41ae873b53d98e359db5e7fbec89a2e05105c4d2ded26948f0d107864fc2fe7573c400 |
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | b2f4f7fa8f14a4b7328d57b3350c11dc |
| SHA1 | ae2b497c67fc1105449f4682fc25c1140ae5ce6a |
| SHA256 | 1cf26aa4efaa4fcd9f254a0613b16840990a829514522b7053629f6fd846f254 |
| SHA512 | 8647f2f31c18ecc8158aec2cb942d4c96a096ed8d1db94f0bc14e8479d41ae873b53d98e359db5e7fbec89a2e05105c4d2ded26948f0d107864fc2fe7573c400 |
memory/4936-140-0x0000000000400000-0x000000000040B000-memory.dmp
memory/4936-141-0x0000000000400000-0x000000000040B000-memory.dmp