Analysis Overview
SHA256
12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726
Threat Level: Shows suspicious behavior
The file 12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726 was classified as: shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 18:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 18:45
Reported
2024-04-07 18:48
Platform
win7-20240215-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Update\WwanSvc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1288 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 1288 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 1288 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 1288 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726.exe | C:\ProgramData\Update\WwanSvc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726.exe
"C:\Users\Admin\AppData\Local\Temp\12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726.exe"
C:\ProgramData\Update\WwanSvc.exe
"C:\ProgramData\Update\WwanSvc.exe" /run
Network
| Country | Destination | Domain | Proto |
| CA | 158.69.115.115:443 | | tcp |
Files
\ProgramData\Update\WwanSvc.exe
| MD5 | 33cb0f7ca176ea9f215ebd9d32b6865b |
| SHA1 | 67f6df785f103edfd9b2e6dd1f3c273cc50e94a1 |
| SHA256 | e78327e106345230a1fff086a38d361197ddd7ab05179eb7c438ff9a94d6f9ab |
| SHA512 | c317089889a0f586ab63efe012c4191b97f167cc0c33d35b791327180fbd3bad0355004f10f0918a17c864644b4dc168139b7a6de7655ac8a2523748ddd4a55d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 18:45
Reported
2024-04-07 18:48
Platform
win10v2004-20240226-en
Max time kernel
93s
Max time network
155s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Update\WwanSvc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4136 wrote to memory of 3844 | N/A | C:\Users\Admin\AppData\Local\Temp\12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 4136 wrote to memory of 3844 | N/A | C:\Users\Admin\AppData\Local\Temp\12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 4136 wrote to memory of 3844 | N/A | C:\Users\Admin\AppData\Local\Temp\12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726.exe | C:\ProgramData\Update\WwanSvc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726.exe
"C:\Users\Admin\AppData\Local\Temp\12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726.exe"
C:\ProgramData\Update\WwanSvc.exe
"C:\ProgramData\Update\WwanSvc.exe" /run
Network
| Country | Destination | Domain | Proto |
| CA | 158.69.115.115:443 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp |
Files
C:\ProgramData\Update\WwanSvc.exe
| MD5 | ae54f76702c0ddc293991ac2436bcda5 |
| SHA1 | 1a44b790cb27e0bbfa1355687a34f41ab3431962 |
| SHA256 | 7a61692c7329a0d7c14ffa05ac2380e80c9b6765863910f8acf84fdb40a92f63 |
| SHA512 | 8426631d5fa31e672c3dec8c49d2d19e6a7f285bf5ffb4920b4a5dc5e1e4cd09b87616c75ffa4b8cac9d1b79700107320232d1f114a28a524e656280c81cc0fb |
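The behavioral1 and behavioral2 runs above record the same chain: the sample writes WwanSvc.exe under C:\ProgramData\Update, registers it under the Wow6432Node Run key as "Window Update", starts it with /run, writes into the child's memory, and a TCP connection to 158.69.115.115:443 appears. The dropped WwanSvc.exe has a different SHA256 in each run, so a hash-only IOC for it is unreliable; the rules below key on path, registry value and process behaviour instead. The following is an added example of that detection logic run over a constructed Sysmon-like trace; it is not part of the sandbox report and not the sample's code. The event shape (EventID 1 process create, 11 file create, 13 registry value set, 10 process access, 3 network connect), the field names, the GrantedAccess value and the attribution of the network connection to the dropped child are assumptions of the example; paths, the Run value name, PIDs and the destination come from the report.

```python
"""Detection rules for the behaviour this report records, run over a
constructed Sysmon-like event trace (added example, not part of the report)."""
import re

# Indicators lifted from the report. The dropped WwanSvc.exe hashed differently
# in behavioral1 and behavioral2, so no rule below depends on a file hash.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726.exe")
DROPPED_EXE = r"C:\ProgramData\Update\WwanSvc.exe"
C2_DESTINATION = ("158.69.115.115", 443)

# Run key in either the native or the WOW6432Node registry view (HKLM or HKCU).
RUN_KEY_RE = re.compile(
    r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run\\(?P<name>[^\\]+)$",
    re.IGNORECASE)
# Autostart targets in user-writable locations, the pattern seen in the report.
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
# Sysmon EventID 10 GrantedAccess bit required for WriteProcessMemory.
PROCESS_VM_WRITE = 0x0020

# Constructed trace mirroring behavioral1 (field layout is an assumption).
SAMPLE_EVENTS = [
    {"id": 1, "pid": 1288, "ppid": 900, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"id": 11, "pid": 1288, "target_file": DROPPED_EXE},
    {"id": 13, "pid": 1288,
     "target_object": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update",
     "details": f'"{DROPPED_EXE}" /run'},
    {"id": 1, "pid": 1744, "ppid": 1288, "image": DROPPED_EXE, "cmdline": f'"{DROPPED_EXE}" /run'},
    {"id": 10, "source_pid": 1288, "target_pid": 1744, "granted_access": 0x1FFFFF},
    # The report does not say which process connected out; assumption: the child.
    {"id": 3, "pid": 1744, "dest_ip": "158.69.115.115", "dest_port": 443, "protocol": "tcp"},
]


def _first_path(command: str) -> str:
    """Return the executable path from a command line, honouring quoting."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def detect(events):
    """Run the four rules over a trace; return {rule_name: [detail, ...]}."""
    findings = {}
    created_files = set()   # lower-cased paths written earlier in the trace
    parent_of = {}          # pid -> ppid from process-create events

    def hit(rule, detail):
        findings.setdefault(rule, []).append(detail)

    for ev in events:
        if ev["id"] == 11:
            created_files.add(ev["target_file"].lower())

        elif ev["id"] == 1:
            parent_of[ev["pid"]] = ev["ppid"]
            # "Executes dropped EXE": the image was written during this trace.
            if ev["image"].lower() in created_files:
                hit("dropped_exe_executed",
                    f'pid {ev["pid"]} (parent {ev["ppid"]}) ran {ev["image"]}')

        elif ev["id"] == 13:
            m = RUN_KEY_RE.search(ev["target_object"])
            if m and _first_path(ev["details"]).lower().startswith(USER_WRITABLE_PREFIXES):
                hit("run_key_to_user_writable_path", f'{m.group("name")} = {ev["details"]}')

        elif ev["id"] == 10:
            # "Suspicious use of WriteProcessMemory": a parent opening its own
            # child with write access, matching the report's PID pairs.
            if (ev["granted_access"] & PROCESS_VM_WRITE
                    and parent_of.get(ev["target_pid"]) == ev["source_pid"]):
                hit("parent_writes_child_memory",
                    f'pid {ev["source_pid"]} -> pid {ev["target_pid"]} '
                    f'(access 0x{ev["granted_access"]:X})')

        elif ev["id"] == 3:
            if (ev["dest_ip"], ev["dest_port"]) == C2_DESTINATION:
                hit("known_destination",
                    f'pid {ev["pid"]} -> {ev["dest_ip"]}:{ev["dest_port"]}/{ev["protocol"]}')

    return findings


if __name__ == "__main__":
    for rule, details in detect(SAMPLE_EVENTS).items():
        for d in details:
            print(f"[{rule}] {d}")
```

The Run-key rule deliberately matches both the native and the Wow6432Node path, since the report shows the 32-bit sample landing in the WOW6432Node view on both Windows 7 and Windows 10. A Run value pointing into Program Files does not fire, which keeps ordinary autostarts out of the results.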