Malware Analysis Report

Generated: 2025-01-02 02:55

Sample ID: 210930-pncpwshfh4
Target: a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06
SHA256: a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06
Tags: persistence
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06

Threat Level: Likely malicious

The file a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06 was found to be: Likely malicious.

Malicious Activity Summary

persistence

Executes dropped EXE

Deletes itself

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2021-09-30 12:28

Signatures: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2021-09-30 12:28
Reported: 2021-09-30 12:31
Platform: win7v20210408
Max time kernel: 145s
Max time network: 195s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

Tag: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 1980 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | 4
PID 1980 wrote to memory of 1000 | N/A | C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1000 wrote to memory of 580 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE | 4

Processes

Process: C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe"

Process: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Process: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe"

Process: C:\Windows\SysWOW64\PING.EXE
Command line: ping 127.0.0.1

Network

Country | Destination | Domain | Proto | Connections
US | 8.8.8.8:53 | citrix.vipreclod.com | udp | 1
TH | 184.22.175.13:80 | (none) | tcp | 3

Files

memory/1980-59-0x00000000767B1000-0x00000000767B3000-memory.dmp

memory/1968-62-0x0000000000000000-mapping.dmp

memory/1000-65-0x0000000000000000-mapping.dmp

memory/580-66-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (also recorded as \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe)

MD5: 37b6eecd2f4eee03c9634dccd6bf774a
SHA1: e1e9a4a05fde7862eda994a78a04b3046a445ae2
SHA256: d23025eb3e1d8571783bd99d29a47f6fd8b684ae1ccd915be5db267d3233b4ce
SHA512: c986d633b477599ace18e9dcb3ecae0bd5c80f66c0773658979239875857cf18676cecbdea7db5da309395d489f625edb69aa25521f87afcc4b4eb8b1c36ae1b

Analysis: behavioral2

Detonation Overview

Submitted: 2021-09-30 12:28
Reported: 2021-09-30 12:30
Platform: win10-en-20210920
Max time kernel: 149s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | N/A

Adds Run key to start application

Tag: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe | N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe"

Process: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Process: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\a834a21c79f7a4ce5bf5c72ffb03fe6a643181ddf3c014b9acfc07ce7c19ce06.exe"

Process: C:\Windows\SysWOW64\PING.EXE
Command line: ping 127.0.0.1

Network

Country | Destination | Domain | Proto | Connections
US | 8.8.8.8:53 | citrix.vipreclod.com | udp | 4
US | 52.109.8.21:443 | (none) | tcp | 1
TH | 184.22.175.13:80 | (none) | tcp | 3

Files

memory/2548-115-0x0000000000000000-mapping.dmp

memory/3492-118-0x0000000000000000-mapping.dmp

memory/2628-119-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

MD5: 5ddab95dbb99a217951afdaa1bb17277
SHA1: a1919706acb195e8ca761a494e6f467975df687d
SHA256: d367e229f8bc9d139139adf5572c7f232ab73b039b78d0b55c0287cac5793fa5
SHA512: 44bab7fd2d208be0ef666294cd69671f0c8b400c1e5e37e641be467b63774145a48cb91ed97128642769a8d0fc6cd834bd3ae527b1fa63157b0831e7704e4e7a