be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe
Size

122KB
MD5

25ee766a9d302e06670be20ca384e377
SHA1

0a54923e768c7908c9b148711e39cc6a64e6c5cc
SHA256

be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778
SHA512

12a56b0e4dac24da2032eaac1576ac578b9c9b239789573dea0f1d9fd5a860645f1f0b3b187a475aef53a794f8e17d7fade47a921864dded0517e368ab641018
SSDEEP

3072:BiAyLN9aa+9U2rW1ipjp2R6JJrWNZKYvQd24:iLP+9U2rW1iqcJJrW7d4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

WwanSvc.exe

pid process

1772 WwanSvc.exe
Loads dropped DLL 1 IoCs

Processes:

be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe

pid process

1152 be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe

pid	process
1772	WwanSvc.exe

pid	process
1152	be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"	be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe

description	pid	process	target process
PID 1152 wrote to memory of 1772	1152	be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe	WwanSvc.exe
PID 1152 wrote to memory of 1772	1152	be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe	WwanSvc.exe
PID 1152 wrote to memory of 1772	1152	be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe	WwanSvc.exe
PID 1152 wrote to memory of 1772	1152	be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe	WwanSvc.exe

C:\Users\Admin\AppData\Local\Temp\be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe
"C:\Users\Admin\AppData\Local\Temp\be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1152

C:\ProgramData\Update\WwanSvc.exe
"C:\ProgramData\Update\WwanSvc.exe" /run
2⤵
- Executes dropped EXE
PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\Update\WwanSvc.exe
Filesize
122KB

MD5
4e604c725e7aac985a310e5e7b5581fd

SHA1
ca0fc293927840d7df8de1b224d44f4b6439e06f

SHA256
c42720622a81b0cd79b5167b5439266f01426657fb49848307684e299b84c374

SHA512
41c8235e3631238c6b65dbafcd34f667a83b6e55e053b6daa78e30f1f1568fffee58219d79496860253d9fe2bc6251c008dbb791e2b6a368e69e8f9802f4ab73

Download Submit