Malware Analysis Report

2025-01-02 02:54

Sample ID 210930-pgm72shfd5
Target b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767
SHA256 b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767
Tags
persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767

Threat Level: Likely malicious

The file b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767 was found to be: Likely malicious.

Malicious Activity Summary

persistence

Executes dropped EXE

Deletes itself

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-30 12:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-30 12:18

Reported

2021-09-30 12:22

Platform

win7-en-20210920

Max time kernel

144s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1724 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe C:\Windows\SysWOW64\cmd.exe
PID 1500 wrote to memory of 912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe

"C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 216.218.185.162:80 tcp
US 8.8.8.8:53 citrix.vipreclod.com udp
TH 184.22.175.13:80 tcp

Files

memory/1724-53-0x0000000075651000-0x0000000075653000-memory.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 b0733c80e0dbe4a1859ac1e686e41f67
SHA1 1be4e656b7514e74735935381b97eab4f4214378
SHA256 5ca3c49c32f2a40df464d8e8bdfddbe073d680dd0cd8dd5cb402c1e233d16d34
SHA512 94f7f56d2e2b30975cc157a1d22048de535bc07f90d64fa8be0c0571e3f112078a2ddee83e74ccba4c0d2dc8978e74251668d3441222d5fa294181343cc71745

memory/1592-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 b0733c80e0dbe4a1859ac1e686e41f67
SHA1 1be4e656b7514e74735935381b97eab4f4214378
SHA256 5ca3c49c32f2a40df464d8e8bdfddbe073d680dd0cd8dd5cb402c1e233d16d34
SHA512 94f7f56d2e2b30975cc157a1d22048de535bc07f90d64fa8be0c0571e3f112078a2ddee83e74ccba4c0d2dc8978e74251668d3441222d5fa294181343cc71745

memory/1500-59-0x0000000000000000-mapping.dmp

memory/912-60-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-30 12:18

Reported

2021-09-30 12:22

Platform

win10-en-20210920

Max time kernel

114s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe

"C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\b04ebbf7600432ec350fb3a11cb9ee849d0e2a2d305131a5cfc2b5d299c00767.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 citrix.vipreclod.com udp
NL 52.109.88.36:443 tcp
TH 184.22.175.13:80 tcp

Files

memory/3344-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 8b256f877144fe1beedfabff7588e261
SHA1 787f481fa0e8cac42a65db81d0968fd51dd8aa70
SHA256 be56e91192d11927636e08c59debbdcfa8eb1c2659f30853507ac8abd7a789a2
SHA512 d47ff0d861afe16fd3b0a96705e2ddabd7c00326d5583fcc9df9186bd9c2e65806cb3819910388a933d7cf24143e998549ea29528cea8be6a46865e9a2fa02ca

memory/4152-118-0x0000000000000000-mapping.dmp

memory/708-119-0x0000000000000000-mapping.dmp