Analysis Overview
SHA256
367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1
Threat Level: Known bad
The file 367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1 was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE Sakula/Mivast C2 Activity
Sakula
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
Executes dropped EXE
Deletes itself
Loads dropped DLL
Adds Run key to start application
Runs ping.exe
Suspicious use of WriteProcessMemory
Modifies registry key
Analysis: static1
Detonation Overview
Reported
2022-06-26 02:23
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-26 02:23
Reported
2022-06-26 05:13
Platform
win7-20220414-en
Max time kernel
138s
Max time network
146s
Command Line
Signatures
Sakula
suricata: ET MALWARE Possible DEEP PANDA C2 Activity
suricata: ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5
suricata: ET MALWARE Sakula/Mivast C2 Activity
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1.exe
"C:\Users\Admin\AppData\Local\Temp\367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1.exe"
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | vpn.premrera.com | udp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
Files
memory/1660-54-0x00000000765F1000-0x00000000765F3000-memory.dmp
memory/1660-55-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1660-56-0x0000000000020000-0x0000000000024000-memory.dmp
memory/2024-57-0x0000000000000000-mapping.dmp
memory/652-58-0x0000000000000000-mapping.dmp
memory/836-59-0x0000000000000000-mapping.dmp
memory/1660-60-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1284-65-0x0000000000000000-mapping.dmp
memory/1288-64-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | f6db9df000bf0e44059b0b30e9c831eb |
| SHA1 | 74325e35d805ca7b2614eb3a1b322961b404c92d |
| SHA256 | 6d5b20d692769764b174696e0109ed17ca72c6db5166fbc1c840c1348e0defb1 |
| SHA512 | 9b111c5438e11fe7cec222cf96ebdfe322773a5db5f6394eaaba7674791e4a14da3c0b7766c50c5a93e83c88c677ef6b8cedcc685e49c91afda846c1d641d1d8 |
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | f6db9df000bf0e44059b0b30e9c831eb |
| SHA1 | 74325e35d805ca7b2614eb3a1b322961b404c92d |
| SHA256 | 6d5b20d692769764b174696e0109ed17ca72c6db5166fbc1c840c1348e0defb1 |
| SHA512 | 9b111c5438e11fe7cec222cf96ebdfe322773a5db5f6394eaaba7674791e4a14da3c0b7766c50c5a93e83c88c677ef6b8cedcc685e49c91afda846c1d641d1d8 |
memory/1260-68-0x0000000000000000-mapping.dmp
memory/652-69-0x00000000000B0000-0x00000000000BB000-memory.dmp
memory/652-70-0x00000000000B0000-0x00000000000BB000-memory.dmp
memory/652-71-0x00000000000B0000-0x00000000000BB000-memory.dmp
memory/652-72-0x00000000000B0000-0x00000000000BB000-memory.dmp
memory/1288-73-0x0000000000400000-0x000000000040B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-26 02:23
Reported
2022-06-26 05:13
Platform
win10v2004-20220414-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
Sakula
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1.exe
"C:\Users\Admin\AppData\Local\Temp\367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
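Added example (not part of the sandbox output): the process trees in the behavioral1 and behavioral2 Processes sections above show the same three-step pattern, Run-key persistence through `reg add`, a `ping 127.0.0.1 & del` self-delete of the original sample, and a second-stage EXE launched from `%TEMP%`. The script below is the editor's own triage logic run over those command lines, copied verbatim from the report; the rule names and helper functions are assumptions of this example. It also normalises the WOW64 redirection node, because the 32-bit `reg.exe` here asks for `HKLM\Software\...\Run` but, as the "Adds Run key" indicator shows, the key actually written is `HKLM\Software\Wow6432Node\...\Run`; a hunt that only checks the 64-bit view would miss it.

```python
r"""Behavioural triage of the process tree in this report (added example).

The command lines are copied from the report's Processes sections (behavioral1
and behavioral2); the detection rules, their names and the helper functions are
the editor's own and not part of the sandbox output.
"""
import re
from dataclasses import dataclass

# Constructed input: (image path, command line) pairs as recorded by the sandbox.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\367d0147ad21a3d5596aebe5bc8607e84d2af8c55373d2e9d376dcd3343804e1.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
REPORTED_PROCESSES = [
    (SAMPLE, f'"{SAMPLE}"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     rf'cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "{DROPPED}"'),
    (r"C:\Windows\SysWOW64\cmd.exe", f'cmd.exe /c "{DROPPED}"'),
    (r"C:\Windows\SysWOW64\cmd.exe", f'cmd.exe /c ping 127.0.0.1 & del "{SAMPLE}"'),
    (DROPPED, DROPPED),
    (r"C:\Windows\SysWOW64\reg.exe",
     rf'reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "{DROPPED}"'),
    (r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]

RUN_KEYS = ("software\\microsoft\\windows\\currentversion\\run",
            "software\\microsoft\\windows\\currentversion\\runonce")
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def normalize_reg_path(path: str) -> str:
    r"""Canonicalise a registry path: lower-case, HKLM/HKCU hive aliases, and the
    WOW64 redirection node removed, so HKLM\Software\Wow6432Node\...\Run (what a
    32-bit reg.exe actually wrote, per the report's indicator) compares equal to
    HKLM\Software\...\Run (what its command line asked for)."""
    p = path.strip('"').lower()
    for prefix, canon in (("\\registry\\machine\\", "hklm\\"),
                          ("hkey_local_machine\\", "hklm\\"),
                          ("\\registry\\user\\", "hkcu\\"),
                          ("hkey_current_user\\", "hkcu\\")):
        if p.startswith(prefix):
            p = canon + p[len(prefix):]
    return p.replace("\\wow6432node\\", "\\")


def is_run_key(path: str) -> bool:
    """True for a Run/RunOnce key itself or any value name beneath it."""
    hive, _, rest = normalize_reg_path(path).partition("\\")
    return hive in ("hklm", "hkcu") and any(
        rest == k or rest.startswith(k + "\\") for k in RUN_KEYS)


def split_cmdline(cmd: str) -> list[str]:
    """Windows-style tokeniser: a double-quoted run is one token, quotes dropped."""
    return [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', cmd)]


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    image: str


def detect(image: str, cmdline: str) -> list[Finding]:
    toks = split_cmdline(cmdline)
    low = [t.lower() for t in toks]
    found = []
    # Rule 1: Run-key persistence via reg.exe, invoked directly or through cmd /c.
    if "add" in low:
        i = low.index("add")
        if i >= 1 and low[i - 1] in ("reg", "reg.exe") and i + 1 < len(toks) and is_run_key(toks[i + 1]):
            d = low.index("/d") + 1 if "/d" in low else len(toks)
            data = toks[d] if d < len(toks) else ""
            found.append(Finding("persistence.run_key",
                                 f"{normalize_reg_path(toks[i + 1])} = {data}", image))
    # Rule 2: self-deletion, ping to localhost used as a delay before del.
    if "ping" in low and "del" in low and low.index("ping") < low.index("del"):
        j = low.index("del") + 1
        found.append(Finding("defense_evasion.self_delete", toks[j] if j < len(toks) else "", image))
    # Rule 3: the program actually being launched lives under a temp directory
    # (the /d data of a reg add is deliberately not treated as a launch).
    if "/c" in low and low.index("/c") + 1 < len(low):
        launched = low[low.index("/c") + 1]
    else:
        launched = low[0] if low else ""
    if launched.endswith(".exe") and any(d in launched for d in TEMP_DIRS):
        found.append(Finding("execution.temp_exe", launched, image))
    return found


def triage(processes) -> list[Finding]:
    return [f for image, cmd in processes for f in detect(image, cmd)]


if __name__ == "__main__":
    for f in triage(REPORTED_PROCESSES):
        print(f"{f.rule:<28} {f.image}\n    {f.detail}")
```

Both the `cmd.exe /c reg add ...` wrapper and the `reg.exe` child it spawns trigger the persistence rule, which is the expected shape of this tree; when deploying such logic against live telemetry, key the alert on the `reg.exe` event and attach the parent `cmd.exe` command line as context rather than raising twice.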
Network
| Country | Destination | Domain | Proto |
| NL | 20.190.160.9:443 | | tcp |
| US | 8.8.8.8:53 | vpn.premrera.com | udp |
| US | 208.91.197.27:443 | vpn.premrera.com | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.247.211.126:80 | | tcp |
| US | 8.247.211.126:80 | | tcp |
| GB | 51.104.15.253:443 | | tcp |
| US | 8.247.211.126:80 | | tcp |
| US | 8.247.211.126:80 | | tcp |
| US | 8.247.211.126:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 173.254.226.212:443 | | tcp |
| US | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp |
| NL | 20.190.160.135:443 | | tcp |
| US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
| NL | 40.126.32.67:443 | | tcp |
Files
memory/2840-130-0x0000000000400000-0x000000000040B000-memory.dmp
memory/2840-131-0x0000000000030000-0x0000000000034000-memory.dmp
memory/2008-132-0x0000000000000000-mapping.dmp
memory/2372-134-0x0000000000000000-mapping.dmp
memory/1668-133-0x0000000000000000-mapping.dmp
memory/2840-135-0x0000000000400000-0x000000000040B000-memory.dmp
memory/2840-136-0x0000000000030000-0x0000000000034000-memory.dmp
memory/3428-137-0x0000000000000000-mapping.dmp
memory/4224-138-0x0000000000000000-mapping.dmp
memory/4228-139-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
| MD5 | e43ddc6bc5d900c8c5c6591212a799ee |
| SHA1 | 0eaea373b142d557e4bcc669b0d5c765eafdecc5 |
| SHA256 | ae81d141c26ed9eafa9058457f82abee32440b037b361da76f881ad6adcd0f3d |
| SHA512 | 6fea5012cc93bd6eb1f8dc26a5292f7675b053a29eeb0edf6190f0b18e2b5edb2db40f1e8dd145893aba89da89389c7df6c595af3a3619fa721b88a6c55eccba |
memory/4228-142-0x0000000000400000-0x000000000040B000-memory.dmp
memory/4228-143-0x0000000000030000-0x0000000000034000-memory.dmp
memory/4228-144-0x0000000000400000-0x000000000040B000-memory.dmp
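Added example (not part of the sandbox output): the two detonations agree on the network side, `vpn.premrera.com` resolving to `208.91.197.27:443` with ten TLS connections in behavioral1 and one in behavioral2, but the dropped `MediaCenter.exe` has a different SHA256 in each run (`6d5b20d6...` versus `ae81d141...`). The script below is the editor's own consolidation of the Network and dropped-file tables above, copied verbatim; it separates resolver queries, PTR lookups and destinations the report could not tie to a domain from the resolved C2 endpoint, and records whether the dropped-file hash is stable enough to use as an indicator. The classification scheme and field names are assumptions of this example.

```python
"""Consolidate indicators from the two detonations in this report (added example).

The rows are copied from the report's Network and dropped-file hash tables
(behavioral1 and behavioral2); the parsing, the classification and the notion of
a 'stable' indicator are the editor's, not part of the sandbox output.
"""
from collections import defaultdict

# Constructed input: the report's '| Country | Destination | Domain | Proto |'
# rows. behavioral2 rows with no resolved domain carry an empty Domain cell.
NETWORK = {
    "behavioral1": ["| US | 8.8.8.8:53 | vpn.premrera.com | udp |"]
                   + ["| US | 208.91.197.27:443 | vpn.premrera.com | tcp |"] * 10,
    "behavioral2": [
        "| NL | 20.190.160.9:443 | | tcp |",
        "| US | 8.8.8.8:53 | vpn.premrera.com | udp |",
        "| US | 208.91.197.27:443 | vpn.premrera.com | tcp |",
        "| US | 93.184.220.29:80 | | tcp |",
        "| US | 8.247.211.126:80 | | tcp |",
        "| US | 8.247.211.126:80 | | tcp |",
        "| GB | 51.104.15.253:443 | | tcp |",
        "| US | 8.247.211.126:80 | | tcp |",
        "| US | 8.247.211.126:80 | | tcp |",
        "| US | 8.247.211.126:80 | | tcp |",
        "| US | 93.184.220.29:80 | | tcp |",
        "| US | 173.254.226.212:443 | | tcp |",
        "| US | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp |",
        "| NL | 20.190.160.135:443 | | tcp |",
        "| US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |",
        "| NL | 40.126.32.67:443 | | tcp |",
    ],
}
# Constructed input: SHA256 of the dropped MediaCenter.exe in each detonation.
DROPPED_SHA256 = {
    "behavioral1": "6d5b20d692769764b174696e0109ed17ca72c6db5166fbc1c840c1348e0defb1",
    "behavioral2": "ae81d141c26ed9eafa9058457f82abee32440b037b361da76f881ad6adcd0f3d",
}


def parse_row(line: str) -> dict:
    """Split one pipe-delimited table row into its four named cells."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    country, dst, domain, proto = (cells + [""] * 4)[:4]
    return {"country": country, "dst": dst, "domain": domain, "proto": proto}


def classify(row: dict) -> str:
    """dns: the resolver query itself; reverse: a PTR lookup; resolved: a
    connection the report tied to a domain (the only kind treated as C2 here);
    unattributed: a destination with no domain, left for manual review."""
    if row["dst"].endswith(":53") and row["proto"] == "udp":
        return "reverse" if row["domain"].endswith(".in-addr.arpa") else "dns"
    return "resolved" if row["domain"] else "unattributed"


def consolidate(network: dict, dropped: dict) -> dict:
    c2 = defaultdict(lambda: defaultdict(int))
    domains, unattributed = set(), set()
    for run, lines in network.items():
        for row in map(parse_row, lines):
            kind = classify(row)
            if kind == "dns":
                domains.add(row["domain"])
            elif kind == "resolved":
                domains.add(row["domain"])
                c2[row["dst"]][run] += 1  # per-run connection count to the endpoint
            elif kind == "unattributed":
                unattributed.add(row["dst"])
    hashes = sorted(set(dropped.values()))
    return {
        "domains": domains,
        "c2": {dst: dict(runs) for dst, runs in c2.items()},
        "unattributed": unattributed,
        # A dropped-file hash is only a usable indicator if every run produced the same bytes.
        "dropped_sha256": hashes,
        "dropped_sha256_stable": len(hashes) == 1,
    }


if __name__ == "__main__":
    result = consolidate(NETWORK, DROPPED_SHA256)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The practical reading of the output is that the domain and the `208.91.197.27:443` endpoint are the indicators to deploy, the unattributed destinations need to be checked against the sandbox's baseline traffic before use, and the dropped file should be matched on its path, its `MicroMedia` Run value or a code signature rather than on SHA256.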