75c15423341966e26fd2b095546933348db0c1618e40d929bb96dbdf39fc668b

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75c15423341966e26fd2b095546933348db0c1618e40d929bb96dbdf39fc668b.exe
Size

134KB
MD5

3dd90bb09e62b0e6662a7ed70c42239b
SHA1

9f970261b611abdf06f295d29eddcbc88383cfb8
SHA256

75c15423341966e26fd2b095546933348db0c1618e40d929bb96dbdf39fc668b
SHA512

b1c6c302b85bd6927ecb871e8996fa1f9804136eb2f0109d416d2dd0febdc9ee78f21ad76e4f546bccfeea314422d6df9d3d2f2d84eda8d40cec8ed0f913571d
SSDEEP

1536:rF0AJELopHG9aa+9qX3apJzAKWYr0v7ioy6paK2AZqMIK7aGZh38Q7:riAyLN9aa+9U2rW1ip6pr2At7NZuQ7

Score

9^/10

persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 6 IoCs

resource	yara_rule
behavioral1/memory/2176-0-0x0000000000040000-0x0000000000068000-memory.dmp	UPX
behavioral1/files/0x00350000000165d4-2.dat	UPX
behavioral1/memory/2440-6-0x0000000001350000-0x0000000001378000-memory.dmp	UPX
behavioral1/memory/2176-7-0x0000000000040000-0x0000000000068000-memory.dmp	UPX
behavioral1/memory/2440-9-0x0000000001350000-0x0000000001378000-memory.dmp	UPX
behavioral1/memory/2176-10-0x0000000000040000-0x0000000000068000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
2440	WwanSvc.exe

Loads dropped DLL 1 IoCs

pid	Process
2176	75c15423341966e26fd2b095546933348db0c1618e40d929bb96dbdf39fc668b.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2176-0-0x0000000000040000-0x0000000000068000-memory.dmp	upx
behavioral1/files/0x00350000000165d4-2.dat	upx
behavioral1/memory/2440-6-0x0000000001350000-0x0000000001378000-memory.dmp	upx
behavioral1/memory/2176-7-0x0000000000040000-0x0000000000068000-memory.dmp	upx
behavioral1/memory/2440-9-0x0000000001350000-0x0000000001378000-memory.dmp	upx
behavioral1/memory/2176-10-0x0000000000040000-0x0000000000068000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"	75c15423341966e26fd2b095546933348db0c1618e40d929bb96dbdf39fc668b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2440	2176	75c15423341966e26fd2b095546933348db0c1618e40d929bb96dbdf39fc668b.exe	28
PID 2176 wrote to memory of 2440	2176	75c15423341966e26fd2b095546933348db0c1618e40d929bb96dbdf39fc668b.exe	28
PID 2176 wrote to memory of 2440	2176	75c15423341966e26fd2b095546933348db0c1618e40d929bb96dbdf39fc668b.exe	28
PID 2176 wrote to memory of 2440	2176	75c15423341966e26fd2b095546933348db0c1618e40d929bb96dbdf39fc668b.exe	28

C:\Users\Admin\AppData\Local\Temp\75c15423341966e26fd2b095546933348db0c1618e40d929bb96dbdf39fc668b.exe
"C:\Users\Admin\AppData\Local\Temp\75c15423341966e26fd2b095546933348db0c1618e40d929bb96dbdf39fc668b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2176
- C:\ProgramData\Update\WwanSvc.exe
  "C:\ProgramData\Update\WwanSvc.exe" /run
  2⤵
  - Executes dropped EXE
  PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\Update\WwanSvc.exe

Filesize
134KB

MD5
b65f26a9e564186b8b6007f77b7b2551

SHA1
db6779d582f8637021b9e6a9a18de725434ceb53

SHA256
ec9d95c6fdc35ff7e1e549dacd9db71bd41c595e9b82beeae06faf06961fef1f

SHA512
e8b1c8c95a02155cb8c3831cc521319870bf88a482f93410785f8bcb8a834ceb2119e8a8a3649a24b1a2d5de4440eb3b89c68a793d9a2c4eef3af12211d1fbb7

Download Submit
memory/2176-0-0x0000000000040000-0x0000000000068000-memory.dmp

Filesize
160KB

Download
memory/2176-7-0x0000000000040000-0x0000000000068000-memory.dmp

Filesize
160KB

Download
memory/2176-8-0x00000000001C0000-0x00000000001E8000-memory.dmp

Filesize
160KB

Download
memory/2176-10-0x0000000000040000-0x0000000000068000-memory.dmp

Filesize
160KB

Download
memory/2440-6-0x0000000001350000-0x0000000001378000-memory.dmp

Filesize
160KB

Download
memory/2440-9-0x0000000001350000-0x0000000001378000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads