Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
22-05-2024 02:34
Static task
static1
Behavioral task
behavioral1
Sample
881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731.exe
Resource
win10v2004-20240508-en
General
-
Target
881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731.exe
-
Size
97KB
-
MD5
4d66ca291472b260cf85d69e5e11744d
-
SHA1
558ae68a5381ccff489c5df12e14bb44b21b22c3
-
SHA256
881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731
-
SHA512
55cf23fec7ad49ba416cf65357c9addd65925f29d636aa16cd93e5eda92a4f7ea95a3c77c5616a4e965a5da672da0a14c1c44a7c11f18b78c00f38b5117914e4
-
SSDEEP
1536:iF0AJzLopHG9aa+9qX3apJoAKWYr0vcioyjp2RXKTzRZICrWaGZh7E:iiApLN9aa+9U2EWyipjp2R6JJrWNZa
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
WwanSvc.exepid process 1196 WwanSvc.exe -
Loads dropped DLL 1 IoCs
Processes:
881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731.exepid process 1232 881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" 881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731.exedescription pid process target process PID 1232 wrote to memory of 1196 1232 881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731.exe WwanSvc.exe PID 1232 wrote to memory of 1196 1232 881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731.exe WwanSvc.exe PID 1232 wrote to memory of 1196 1232 881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731.exe WwanSvc.exe PID 1232 wrote to memory of 1196 1232 881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731.exe WwanSvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731.exe"C:\Users\Admin\AppData\Local\Temp\881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Update\WwanSvc.exe"C:\ProgramData\Update\WwanSvc.exe" /run2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Update\WwanSvc.exeFilesize
97KB
MD5fb6bd4c927a64b9a45a18503683b13c7
SHA169bca15ab99ddb36a999d3dc73ee2ea996ba5dde
SHA25654909fcfa8713490726ae489da1fb426d290b5ad2fbc0625bf6d04e1053ca521
SHA51215b6a743f0081d483de7ca83e03b88019a084ab0f9d7956fa0d13d0c5620428dc8f0bae1be92863c947d35cb4b285cc063da6a5f6ec4fb64a6cd6031cc478628
-
memory/1196-7-0x0000000000FA0000-0x0000000000FBE000-memory.dmpFilesize
120KB
-
memory/1196-10-0x0000000000FA0000-0x0000000000FBE000-memory.dmpFilesize
120KB
-
memory/1232-0-0x0000000000D60000-0x0000000000D7E000-memory.dmpFilesize
120KB
-
memory/1232-5-0x0000000000080000-0x000000000009E000-memory.dmpFilesize
120KB
-
memory/1232-8-0x0000000000D60000-0x0000000000D7E000-memory.dmpFilesize
120KB
-
memory/1232-9-0x0000000000080000-0x000000000009E000-memory.dmpFilesize
120KB
-
memory/1232-11-0x0000000000D60000-0x0000000000D7E000-memory.dmpFilesize
120KB