Malware Analysis Report

2025-01-02 02:57

Sample ID 210929-hnnc3aeabr
Target 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa
SHA256 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa
Tags
persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa

Threat Level: Likely malicious

The file 995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa was found to be: Likely malicious.

Malicious Activity Summary

persistence

Executes dropped EXE

Deletes itself

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-29 06:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-29 06:53

Reported

2021-09-29 06:56

Platform

win7v20210408

Max time kernel

136s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1976 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1976 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1976 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1976 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1976 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 1632 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1420 wrote to memory of 1632 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1420 wrote to memory of 1632 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1420 wrote to memory of 1632 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe

"C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | | tcp
TH | 184.22.175.13:80 | | tcp

Files

memory/1976-60-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 6c6ff81a400ab926281d3924081e32dd
SHA1 736823f2c76d4308df16df0e06036a8483bb5b49
SHA256 26538a970078897bed0ff6b5c4124204b11d862d675f46285c9dfb6d880346fd
SHA512 5bf5a3c140fe95fe96b036d6c77e02763d40aa729ec39f8ce1f3aceaf7fb962a81237b98a36cb56439db3f6f7c052f18442a529e30aa2bcdaec0fc9f34370cac

memory/1988-63-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 6c6ff81a400ab926281d3924081e32dd
SHA1 736823f2c76d4308df16df0e06036a8483bb5b49
SHA256 26538a970078897bed0ff6b5c4124204b11d862d675f46285c9dfb6d880346fd
SHA512 5bf5a3c140fe95fe96b036d6c77e02763d40aa729ec39f8ce1f3aceaf7fb962a81237b98a36cb56439db3f6f7c052f18442a529e30aa2bcdaec0fc9f34370cac

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 6c6ff81a400ab926281d3924081e32dd
SHA1 736823f2c76d4308df16df0e06036a8483bb5b49
SHA256 26538a970078897bed0ff6b5c4124204b11d862d675f46285c9dfb6d880346fd
SHA512 5bf5a3c140fe95fe96b036d6c77e02763d40aa729ec39f8ce1f3aceaf7fb962a81237b98a36cb56439db3f6f7c052f18442a529e30aa2bcdaec0fc9f34370cac

memory/1420-66-0x0000000000000000-mapping.dmp

memory/1632-67-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-29 06:53

Reported

2021-09-29 06:55

Platform

win10-en-20210920

Max time kernel

154s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe

"C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\995e26d3c24d06f40dd6771fa55d0127639a50e59249c593cb21ee3ea9401cfa.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | | tcp
TH | 184.22.175.13:80 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 6db3c56abb56596f5f2fd4ebdf03ed5c
SHA1 77820d73a2456e99f38f0afb4fe576701825213b
SHA256 46b6269c32149bee552b0a913e7f02ec69e3e6eb35fe627ab5c28f1d901f7a8b
SHA512 fff36a5776f10e06ee898ded3effd29e0edf9327299ebab12af0721352da7c7ca85fbcc1e951b12dd323f5b25c3f416cd1974fc93b765fe8c8451aaaae3b312d

memory/2680-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 6db3c56abb56596f5f2fd4ebdf03ed5c
SHA1 77820d73a2456e99f38f0afb4fe576701825213b
SHA256 46b6269c32149bee552b0a913e7f02ec69e3e6eb35fe627ab5c28f1d901f7a8b
SHA512 fff36a5776f10e06ee898ded3effd29e0edf9327299ebab12af0721352da7c7ca85fbcc1e951b12dd323f5b25c3f416cd1974fc93b765fe8c8451aaaae3b312d

memory/2596-118-0x0000000000000000-mapping.dmp

memory/3244-119-0x0000000000000000-mapping.dmp