Malware Analysis Report

2025-08-11 06:11

Sample ID 240610-1kzk2a1gmg
Target 4a6f1e0d5c341d0d772264832ba6d71d5a5ba2f55b0d47429474f9b016ad951e
SHA256 4a6f1e0d5c341d0d772264832ba6d71d5a5ba2f55b0d47429474f9b016ad951e
Tags
upx persistence
score
10/10

Analysis Overview

Threat Level: Known bad

The file 4a6f1e0d5c341d0d772264832ba6d71d5a5ba2f55b0d47429474f9b016ad951e was found to be: Known bad.

Malicious Activity Summary

upx persistence

UPX dump on OEP (original entry point)

Executes dropped EXE

UPX packed file

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 21:43

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 21:43

Reported

2024-06-10 21:45

Platform

win7-20240215-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a6f1e0d5c341d0d772264832ba6d71d5a5ba2f55b0d47429474f9b016ad951e.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\ProgramData\Update\WwanSvc.exe
Target: N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
Process: C:\Users\Admin\AppData\Local\Temp\4a6f1e0d5c341d0d772264832ba6d71d5a5ba2f55b0d47429474f9b016ad951e.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4a6f1e0d5c341d0d772264832ba6d71d5a5ba2f55b0d47429474f9b016ad951e.exe

"C:\Users\Admin\AppData\Local\Temp\4a6f1e0d5c341d0d772264832ba6d71d5a5ba2f55b0d47429474f9b016ad951e.exe"

C:\ProgramData\Update\WwanSvc.exe

"C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country: CA
Destination: 158.69.115.115:443
Domain: (none recorded)
Proto: tcp

Files

memory/2816-1-0x0000000000210000-0x0000000000238000-memory.dmp

\ProgramData\Update\WwanSvc.exe

MD5 a5e955ea57064c9a8c815422b6d2ba3a
SHA1 2de4bc546adc9aff47a03e81c180914e542b4e50
SHA256 749184dc96d3b20569b2153c7c08d416d1a35df97f6843b49947c73f3a645516
SHA512 ef3422d2f2dc9efb3d012889020366aea48d3db745fd6ae7c9c5a70c0e7293ab8d18b7b1b67de34cb5d8ebefc05bd31607f35f3e7d4b0908b42cf0fcddf16ddc

memory/2276-6-0x00000000000C0000-0x00000000000E8000-memory.dmp

memory/2816-7-0x0000000000190000-0x00000000001B8000-memory.dmp

memory/2816-8-0x0000000000210000-0x0000000000238000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 21:43

Reported

2024-06-10 21:45

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a6f1e0d5c341d0d772264832ba6d71d5a5ba2f55b0d47429474f9b016ad951e.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\ProgramData\Update\WwanSvc.exe
Target: N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
Process: C:\Users\Admin\AppData\Local\Temp\4a6f1e0d5c341d0d772264832ba6d71d5a5ba2f55b0d47429474f9b016ad951e.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4a6f1e0d5c341d0d772264832ba6d71d5a5ba2f55b0d47429474f9b016ad951e.exe

"C:\Users\Admin\AppData\Local\Temp\4a6f1e0d5c341d0d772264832ba6d71d5a5ba2f55b0d47429474f9b016ad951e.exe"

C:\ProgramData\Update\WwanSvc.exe

"C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country: CA
Destination: 158.69.115.115:443
Domain: (none recorded)
Proto: tcp

Country: US
Destination: 8.8.8.8:53
Domain: 8.8.8.8.in-addr.arpa
Proto: udp

Files

memory/3444-0-0x00000000002D0000-0x00000000002F8000-memory.dmp

C:\ProgramData\Update\WwanSvc.exe

MD5 040860ce3717bc90ee9374dfeb907592
SHA1 12b4c12e5d6bee8c0bfa99ff69fceae3244bbad1
SHA256 ff322ae91e33de82baa1457a04ca52964046c792e6a4a01fb93e993e5c9c0970
SHA512 3bb65e7f6a8169228dcb21ba25787c2400e7d1627dfae2be8ec9d3ae98d916b0a5f3e099cde112878a5b0e07c0745545dda262eb45c44a1e40b3d5aadad58de1

memory/3444-4-0x00000000002D0000-0x00000000002F8000-memory.dmp

memory/3224-6-0x0000000000B80000-0x0000000000BA8000-memory.dmp