Analysis
-
max time kernel
137s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 02:34
Static task
static1
Behavioral task
behavioral1
Sample
881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731.exe
Resource
win10v2004-20240508-en
General
-
Target
881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731.exe
-
Size
97KB
-
MD5
4d66ca291472b260cf85d69e5e11744d
-
SHA1
558ae68a5381ccff489c5df12e14bb44b21b22c3
-
SHA256
881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731
-
SHA512
55cf23fec7ad49ba416cf65357c9addd65925f29d636aa16cd93e5eda92a4f7ea95a3c77c5616a4e965a5da672da0a14c1c44a7c11f18b78c00f38b5117914e4
-
SSDEEP
1536:iF0AJzLopHG9aa+9qX3apJoAKWYr0vcioyjp2RXKTzRZICrWaGZh7E:iiApLN9aa+9U2EWyipjp2R6JJrWNZa
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
WwanSvc.exepid process 724 WwanSvc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" 881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731.exedescription pid process target process PID 2872 wrote to memory of 724 2872 881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731.exe WwanSvc.exe PID 2872 wrote to memory of 724 2872 881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731.exe WwanSvc.exe PID 2872 wrote to memory of 724 2872 881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731.exe WwanSvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731.exe"C:\Users\Admin\AppData\Local\Temp\881198bc48f759f72e84a5d36a2f2ead1f6ebff61eb0cd66b06867e392c96731.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Update\WwanSvc.exe"C:\ProgramData\Update\WwanSvc.exe" /run2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Update\WwanSvc.exeFilesize
97KB
MD5d0bae28d9091e2ae8d37dfa191dad513
SHA1d461a2ad0d2715ba9c40d2ba9e19acc5e33a03bf
SHA2567af932ce9658b2a675dad31428dd5381124cf63a6fbf216be5614cdc1fef0d59
SHA5120434bfc71e58e93d2863b383c812bbc08fabe957122bd7f4f7419e125f34e953dca87fb287015cce930ed153448d1dccff9b35015ff623c969b97942601e3d24
-
memory/724-6-0x0000000000DE0000-0x0000000000DFE000-memory.dmpFilesize
120KB
-
memory/724-7-0x0000000000DE0000-0x0000000000DFE000-memory.dmpFilesize
120KB
-
memory/2872-0-0x0000000000970000-0x000000000098E000-memory.dmpFilesize
120KB
-
memory/2872-4-0x0000000000970000-0x000000000098E000-memory.dmpFilesize
120KB