Malware Analysis Report

2025-03-14 23:29

Sample ID: 240407-w5yf9aba6y
Target: 0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d
SHA256: 0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d
Tags: persistence
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d

Threat Level: Shows suspicious behavior

The file 0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d was classified as: Shows suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 18:30

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-07 18:30
Reported: 2024-04-07 18:33
Platform: win7-20240221-en
Max time kernel: 121s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\ProgramData\Update\WwanSvc.exe
Target: N/A

Adds Run key to start application

Tag: persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
Process: C:\Users\Admin\AppData\Local\Temp\0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d.exe
Target: N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d.exe"

Process: C:\ProgramData\Update\WwanSvc.exe
Command line: "C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country  Destination           Domain  Proto
CA       158.69.115.115:443    N/A     tcp

Files

Path: C:\ProgramData\Update\WwanSvc.exe
MD5: ceb24cc925ee2624137f393a42cf217d
SHA1: 7043efe679bbde97bda07a19b4b38950e00fd65f
SHA256: 7f46f99b9b7f9b3ccd14c9ddb36b08fc6544232508bed3d8595fe63cd6eca9bc
SHA512: d4066afa95cbd9d5ea3aec06ed328167e9b0c8d10fb0b0a9b5a69a6fa20bf733da914be8c8432b23adac7536cc7759117a5e734f5deeff3dc920b04d3ce9b721

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-07 18:30
Reported: 2024-04-07 18:33
Platform: win10v2004-20240226-en
Max time kernel: 91s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\ProgramData\Update\WwanSvc.exe
Target: N/A

Adds Run key to start application

Tag: persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
Process: C:\Users\Admin\AppData\Local\Temp\0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d.exe
Target: N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d.exe"

Process: C:\ProgramData\Update\WwanSvc.exe
Command line: "C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country  Destination           Domain                          Proto
CA       158.69.115.115:443    N/A                             tcp
US       8.8.8.8:53            133.211.185.52.in-addr.arpa     udp
US       8.8.8.8:53            240.197.17.2.in-addr.arpa       udp
US       8.8.8.8:53            72.32.126.40.in-addr.arpa       udp
US       8.8.8.8:53            149.220.183.52.in-addr.arpa     udp
US       8.8.8.8:53            28.118.140.52.in-addr.arpa      udp
US       8.8.8.8:53            26.165.165.52.in-addr.arpa      udp
US       8.8.8.8:53            15.164.165.52.in-addr.arpa      udp
US       8.8.8.8:53            249.197.17.2.in-addr.arpa       udp
US       8.8.8.8:53            23.236.111.52.in-addr.arpa      udp

Files

Path: C:\ProgramData\Update\WwanSvc.exe
MD5: 3da7167a6ea0c63e5ed293a3b24a6eea
SHA1: b49ed7815c9ee4a8a4d8aef6d4aa9857f093848f
SHA256: 43972f0c3148e6b34f6c9ba31444fd3b523341716e1b46692e417180e1edaca3
SHA512: 82e6f85abe825e4a6e4abb1940ba05807ca81ff5171fccb683d015b9e336037627c4e93eefb7c206efc6e223ed640c362bbd989f66835d5ae602c3178ce6917a