Analysis Overview
SHA256
0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d
Threat Level: Shows suspicious behavior
The file 0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 18:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 18:30
Reported
2024-04-07 18:33
Platform
win7-20240221-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\Update\WwanSvc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2296 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 2296 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 2296 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 2296 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d.exe | C:\ProgramData\Update\WwanSvc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d.exe
"C:\Users\Admin\AppData\Local\Temp\0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d.exe"
C:\ProgramData\Update\WwanSvc.exe
"C:\ProgramData\Update\WwanSvc.exe" /run
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| CA | 158.69.115.115:443 | | tcp |
Files
C:\ProgramData\Update\WwanSvc.exe
| Hash | Value |
| --- | --- |
| MD5 | ceb24cc925ee2624137f393a42cf217d |
| SHA1 | 7043efe679bbde97bda07a19b4b38950e00fd65f |
| SHA256 | 7f46f99b9b7f9b3ccd14c9ddb36b08fc6544232508bed3d8595fe63cd6eca9bc |
| SHA512 | d4066afa95cbd9d5ea3aec06ed328167e9b0c8d10fb0b0a9b5a69a6fa20bf733da914be8c8432b23adac7536cc7759117a5e734f5deeff3dc920b04d3ce9b721 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 18:30
Reported
2024-04-07 18:33
Platform
win10v2004-20240226-en
Max time kernel
91s
Max time network
155s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\Update\WwanSvc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1792 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 1792 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 1792 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d.exe | C:\ProgramData\Update\WwanSvc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d.exe
"C:\Users\Admin\AppData\Local\Temp\0c156039dd212a729ad189801e8361b3d51720353dc2a581dd4e5d12f4e5444d.exe"
C:\ProgramData\Update\WwanSvc.exe
"C:\ProgramData\Update\WwanSvc.exe" /run
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| CA | 158.69.115.115:443 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\ProgramData\Update\WwanSvc.exe
| Hash | Value |
| --- | --- |
| MD5 | 3da7167a6ea0c63e5ed293a3b24a6eea |
| SHA1 | b49ed7815c9ee4a8a4d8aef6d4aa9857f093848f |
| SHA256 | 43972f0c3148e6b34f6c9ba31444fd3b523341716e1b46692e417180e1edaca3 |
| SHA512 | 82e6f85abe825e4a6e4abb1940ba05807ca81ff5171fccb683d015b9e336037627c4e93eefb7c206efc6e223ed640c362bbd989f66835d5ae602c3178ce6917a |