Malware Analysis Report

2025-03-14 23:42

Sample ID 240407-xebp8sbc81
Target 12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726
SHA256 12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726
Tags
persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726

Threat Level: Shows suspicious behavior

The file 12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726 was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:45

Reported

2024-04-07 18:48

Platform

win7-20240215-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Update\WwanSvc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" C:\Users\Admin\AppData\Local\Temp\12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726.exe

"C:\Users\Admin\AppData\Local\Temp\12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726.exe"

C:\ProgramData\Update\WwanSvc.exe

"C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country Destination Domain Proto
CA 158.69.115.115:443 tcp

Files

\ProgramData\Update\WwanSvc.exe

MD5 33cb0f7ca176ea9f215ebd9d32b6865b
SHA1 67f6df785f103edfd9b2e6dd1f3c273cc50e94a1
SHA256 e78327e106345230a1fff086a38d361197ddd7ab05179eb7c438ff9a94d6f9ab
SHA512 c317089889a0f586ab63efe012c4191b97f167cc0c33d35b791327180fbd3bad0355004f10f0918a17c864644b4dc168139b7a6de7655ac8a2523748ddd4a55d

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:45

Reported

2024-04-07 18:48

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Update\WwanSvc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" C:\Users\Admin\AppData\Local\Temp\12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726.exe

"C:\Users\Admin\AppData\Local\Temp\12ce07c0c5f98363157cb1dcd11a67006e761b0d48394670558e85eab1493726.exe"

C:\ProgramData\Update\WwanSvc.exe

"C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country Destination Domain Proto
CA 158.69.115.115:443 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp

Files

C:\ProgramData\Update\WwanSvc.exe

MD5 ae54f76702c0ddc293991ac2436bcda5
SHA1 1a44b790cb27e0bbfa1355687a34f41ab3431962
SHA256 7a61692c7329a0d7c14ffa05ac2380e80c9b6765863910f8acf84fdb40a92f63
SHA512 8426631d5fa31e672c3dec8c49d2d19e6a7f285bf5ffb4920b4a5dc5e1e4cd09b87616c75ffa4b8cac9d1b79700107320232d1f114a28a524e656280c81cc0fb