Malware Analysis Report

2025-01-02 02:57

Sample ID 210930-pmrseshfg9
Target fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629
SHA256 fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629
Tags persistence
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

8/10

SHA256

fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629

Threat Level: Likely malicious

The file fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629 was found to be: Likely malicious.

Malicious Activity Summary

persistence

Executes dropped EXE

Deletes itself

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-30 12:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-30 12:27

Reported

2021-09-30 12:30

Platform

win7-en-20210920

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1144 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1144 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1144 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1144 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
PID 1144 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe C:\Windows\SysWOW64\cmd.exe
PID 1144 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe C:\Windows\SysWOW64\cmd.exe
PID 1144 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe C:\Windows\SysWOW64\cmd.exe
PID 1144 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe C:\Windows\SysWOW64\cmd.exe
PID 740 wrote to memory of 1364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 740 wrote to memory of 1364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 740 wrote to memory of 1364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 740 wrote to memory of 1364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe

"C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.polarroute.com udp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 8.8.8.8:53 www.northpoleroute.com udp
US 204.11.56.48:80 www.northpoleroute.com tcp
US 204.11.56.48:80 www.northpoleroute.com tcp
US 204.11.56.48:80 www.northpoleroute.com tcp
US 204.11.56.48:80 www.northpoleroute.com tcp

Files

memory/1144-53-0x0000000076581000-0x0000000076583000-memory.dmp

memory/1996-55-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 cc369833508bbe64d824b6986b457197
SHA1 6aa9a93dafdac6b28b0fc893e04059fb26dd09de
SHA256 d4784d93ab8e7a6e1e4da6e5ea666c7b5259f2d5f2c9854c1d61c05648c7d9be
SHA512 a56442a30301a354c87a2b47ae8ae3d30b9f1bcf2a86d881dca836094fe544fc9e0fdc0051819790aa41bf7c91b0068d1316ede0d609c1e1e5ed54ded4a98aa9

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 cc369833508bbe64d824b6986b457197
SHA1 6aa9a93dafdac6b28b0fc893e04059fb26dd09de
SHA256 d4784d93ab8e7a6e1e4da6e5ea666c7b5259f2d5f2c9854c1d61c05648c7d9be
SHA512 a56442a30301a354c87a2b47ae8ae3d30b9f1bcf2a86d881dca836094fe544fc9e0fdc0051819790aa41bf7c91b0068d1316ede0d609c1e1e5ed54ded4a98aa9

memory/740-58-0x0000000000000000-mapping.dmp

memory/1364-59-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-30 12:27

Reported

2021-09-30 12:29

Platform

win10-en-20210920

Max time kernel

138s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe

"C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe"

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\fb9634f7f285e1b11b44d55c58f0c2e8d14fa5ace58670d8c806b09d6570c629.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.polarroute.com udp
US 204.11.56.48:80 www.polarroute.com tcp
US 8.253.208.121:80 N/A tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 204.11.56.48:80 www.polarroute.com tcp
GB 51.104.15.252:443 N/A tcp
US 204.11.56.48:80 www.polarroute.com tcp
US 8.8.8.8:53 www.northpoleroute.com udp
US 204.11.56.48:80 www.northpoleroute.com tcp
US 204.11.56.48:80 www.northpoleroute.com tcp
US 204.11.56.48:80 www.northpoleroute.com tcp
US 204.11.56.48:80 www.northpoleroute.com tcp

Files

memory/2708-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 b705ccb617ae0218d0a61d37e1153513
SHA1 58d2aed89e7ef3dd5ea3cb203733ee02f3ee78ae
SHA256 6cc2c05c1ba0af3f776cf4ac02e852968f4eeb3e50d76fff2b774fb35c88e649
SHA512 0c29a6f72990bdf87d86c029fbf5ba023cfaf8c8964dc339959e5b8af10c749effb54de8932afa5747395ad8874b917b490aee6eed043099322580a7f7c5cd3f

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5 b705ccb617ae0218d0a61d37e1153513
SHA1 58d2aed89e7ef3dd5ea3cb203733ee02f3ee78ae
SHA256 6cc2c05c1ba0af3f776cf4ac02e852968f4eeb3e50d76fff2b774fb35c88e649
SHA512 0c29a6f72990bdf87d86c029fbf5ba023cfaf8c8964dc339959e5b8af10c749effb54de8932afa5747395ad8874b917b490aee6eed043099322580a7f7c5cd3f

memory/3964-118-0x0000000000000000-mapping.dmp

memory/8-119-0x0000000000000000-mapping.dmp