Malware Analysis Report

2025-01-02 02:55

Sample ID: 210930-jgeb9aghd5
Target: efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636
SHA256: efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636
Tags: persistence
Score: 8/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256: efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636

Threat Level: Likely malicious

The file efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636 was found to be: Likely malicious.

Malicious Activity Summary

persistence

Executes dropped EXE

Deletes itself

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2021-09-30 07:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2021-09-30 07:38
Reported: 2021-09-30 07:41
Platform: win7v20210408
Max time kernel: 146s
Max time network: 188s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1956 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1956 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1956 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1956 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1956 wrote to memory of 604 | N/A | C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe | C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 604 | N/A | C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe | C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 604 | N/A | C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe | C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 604 | N/A | C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe | C:\Windows\SysWOW64\cmd.exe
PID 604 wrote to memory of 1472 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 604 wrote to memory of 1472 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 604 wrote to memory of 1472 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 604 wrote to memory of 1472 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe

"C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | | tcp
TH | 184.22.175.13:80 | | tcp
TH | 184.22.175.13:80 | | tcp

Files

memory/1956-60-0x0000000075801000-0x0000000075803000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5: e84b25c80298012b18df604e28c799e4
SHA1: 46a16cac5c8ce4b69ef96fc7f1c0f67c5fe5a53c
SHA256: f4f00e9df2fed31a9cd0a153896a5ca204e85ef7a565e0b6b07985f0f4873608
SHA512: 64583e10e60ca3dce0f27b6c31efb7ee018f5e9a5ecf9dea9e5de46874fae68f31775150907ba2ef65ac1d952c7bf3654977f57376d81c9f76070aa4d3028d93

memory/1524-63-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5: e84b25c80298012b18df604e28c799e4
SHA1: 46a16cac5c8ce4b69ef96fc7f1c0f67c5fe5a53c
SHA256: f4f00e9df2fed31a9cd0a153896a5ca204e85ef7a565e0b6b07985f0f4873608
SHA512: 64583e10e60ca3dce0f27b6c31efb7ee018f5e9a5ecf9dea9e5de46874fae68f31775150907ba2ef65ac1d952c7bf3654977f57376d81c9f76070aa4d3028d93

memory/604-66-0x0000000000000000-mapping.dmp

memory/1472-67-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2021-09-30 07:38
Reported: 2021-09-30 07:40
Platform: win10-en-20210920
Max time kernel: 155s
Max time network: 161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe

"C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\efb2aac42ae3c336beae35ea0063d1cec78261857a246693fd9d91a233b43636.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
US | 8.8.8.8:53 | citrix.vipreclod.com | udp
TH | 184.22.175.13:80 | | tcp
TH | 184.22.175.13:80 | | tcp

Files

memory/1540-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5: 8e2f263a2df4fe4a8da0458224356e7f
SHA1: 61a804b122e6ba84387864a9a5b03878f75f5858
SHA256: 5591f1fc15ef73a874683d7f60504667924dacf50205377e366955fb8e8e03a1
SHA512: dce0d2907adaa6e6bb57d67a8d18ebfde94e35294e330da68803312d755bc225dea98a9e783ddbbe76d8b5ec0dee7222b3162f59cc12c98c2110dcc46e4cafd0

memory/2784-118-0x0000000000000000-mapping.dmp

memory/3536-119-0x0000000000000000-mapping.dmp