Malware Analysis Report

2025-01-02 02:57

Sample ID 210930-jfvmvaghd4
Target 2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c
SHA256 2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c
Tags: persistence
Score: 8/10

Analysis Overview

Score: 8/10

SHA256: 2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c

Threat Level: Likely malicious

The file 2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c was found to be: Likely malicious.

Malicious Activity Summary

persistence

Executes dropped EXE

Deletes itself

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2021-09-30 07:37

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2021-09-30 07:37
Reported: 2021-09-30 07:39
Platform: win10-en-20210920
Max time kernel: 129s
Max time network: 133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe

"C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | N/A | tcp
TH | 184.22.175.13:80 | N/A | tcp

Files

memory/4172-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 d7146f63c4d89410b7c07219a5cc7907
SHA1 8b4b487dd605017dddc7e8e0dcf26a9f6ac1d620
SHA256 61109dda9de14111aafbc4e0ce479daaeb884feea178212f14ba337f021adc3a
SHA512 f8533e810c69b14ec64daaae6273c75c0fe716c9f5d101ca55e173fc2ac784a4bb76c5647733ed5af1e6ebc875a33769444a59ecf7f066c9005ddbe138e01700

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 d7146f63c4d89410b7c07219a5cc7907
SHA1 8b4b487dd605017dddc7e8e0dcf26a9f6ac1d620
SHA256 61109dda9de14111aafbc4e0ce479daaeb884feea178212f14ba337f021adc3a
SHA512 f8533e810c69b14ec64daaae6273c75c0fe716c9f5d101ca55e173fc2ac784a4bb76c5647733ed5af1e6ebc875a33769444a59ecf7f066c9005ddbe138e01700

memory/2096-118-0x0000000000000000-mapping.dmp

memory/3500-119-0x0000000000000000-mapping.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2021-09-30 07:37
Reported: 2021-09-30 07:39
Platform: win7v20210408
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1652 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1652 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1652 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1652 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1652 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe | C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe | C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe | C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe | C:\Windows\SysWOW64\cmd.exe
PID 1308 wrote to memory of 1724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1308 wrote to memory of 1724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1308 wrote to memory of 1724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1308 wrote to memory of 1724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe

"C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\2baf5673e002a973551c5a907c431e27198a99deb868e2693c94114c88f04c8c.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | N/A | tcp
TH | 184.22.175.13:80 | N/A | tcp

Files

memory/1652-60-0x0000000076641000-0x0000000076643000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 9add0cb0aeb3349fbd3c6b127026dde8
SHA1 0b2b7629661eeadf324544e81b2b0ff59877de91
SHA256 345e370cc9095c4087fba2346e4da93bd5daa32c0ee25a625183f2d2bf937a74
SHA512 d6053960c26602ba82abc1eaf86e0b348dc9f2327f4616eb3c65dd3ab8e92f1295b4686c494cd3b6f74a8812834ebbe50629f60efe5149ca817f40e5f8cae9f4

memory/1640-63-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 9add0cb0aeb3349fbd3c6b127026dde8
SHA1 0b2b7629661eeadf324544e81b2b0ff59877de91
SHA256 345e370cc9095c4087fba2346e4da93bd5daa32c0ee25a625183f2d2bf937a74
SHA512 d6053960c26602ba82abc1eaf86e0b348dc9f2327f4616eb3c65dd3ab8e92f1295b4686c494cd3b6f74a8812834ebbe50629f60efe5149ca817f40e5f8cae9f4

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 9add0cb0aeb3349fbd3c6b127026dde8
SHA1 0b2b7629661eeadf324544e81b2b0ff59877de91
SHA256 345e370cc9095c4087fba2346e4da93bd5daa32c0ee25a625183f2d2bf937a74
SHA512 d6053960c26602ba82abc1eaf86e0b348dc9f2327f4616eb3c65dd3ab8e92f1295b4686c494cd3b6f74a8812834ebbe50629f60efe5149ca817f40e5f8cae9f4

memory/1308-66-0x0000000000000000-mapping.dmp

memory/1724-67-0x0000000000000000-mapping.dmp