Analysis
-
max time kernel
118s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
23-05-2024 02:31
Static task
static1
Behavioral task
behavioral1
Sample
be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe
Resource
win10v2004-20240426-en
General
-
Target
be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe
-
Size
122KB
-
MD5
25ee766a9d302e06670be20ca384e377
-
SHA1
0a54923e768c7908c9b148711e39cc6a64e6c5cc
-
SHA256
be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778
-
SHA512
12a56b0e4dac24da2032eaac1576ac578b9c9b239789573dea0f1d9fd5a860645f1f0b3b187a475aef53a794f8e17d7fade47a921864dded0517e368ab641018
-
SSDEEP
3072:BiAyLN9aa+9U2rW1ipjp2R6JJrWNZKYvQd24:iLP+9U2rW1iqcJJrW7d4
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
WwanSvc.exe
pid: 1772, process: WwanSvc.exe -
Loads dropped DLL 1 IoCs
Processes:
be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe
pid: 1152, process: be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
process: be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe
description: PID 1152 wrote to memory of 1772; pid: 1152; process: be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe; target process: WwanSvc.exe
description: PID 1152 wrote to memory of 1772; pid: 1152; process: be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe; target process: WwanSvc.exe
description: PID 1152 wrote to memory of 1772; pid: 1152; process: be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe; target process: WwanSvc.exe
description: PID 1152 wrote to memory of 1772; pid: 1152; process: be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe; target process: WwanSvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe
"C:\Users\Admin\AppData\Local\Temp\be59211e901699b238bb614dac0d1f9b06c39cd29b1ed17b5b20dea891ea9778.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\ProgramData\Update\WwanSvc.exe
"C:\ProgramData\Update\WwanSvc.exe" /run
- Executes dropped EXE
PID:1772
Network
MITRE ATT&CK Enterprise v15
Downloads
-
\ProgramData\Update\WwanSvc.exe
Filesize
122KB
MD5
4e604c725e7aac985a310e5e7b5581fd
SHA1
ca0fc293927840d7df8de1b224d44f4b6439e06f
SHA256
c42720622a81b0cd79b5167b5439266f01426657fb49848307684e299b84c374
SHA512
41c8235e3631238c6b65dbafcd34f667a83b6e55e053b6daa78e30f1f1568fffee58219d79496860253d9fe2bc6251c008dbb791e2b6a368e69e8f9802f4ab73