Analysis

max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 10/06/2024, 04:25
Behavioral task: behavioral1
Sample: 27c3c3332858f987703c95ebe6ee05929acb306f4358afab4432230a497dbeb1.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 27c3c3332858f987703c95ebe6ee05929acb306f4358afab4432230a497dbeb1.exe
Resource: win10v2004-20240508-en
General

Target: 27c3c3332858f987703c95ebe6ee05929acb306f4358afab4432230a497dbeb1.exe
Size: 134KB
MD5: 990f22831d926266ea60fc313f9534a1
SHA1: 5e2687b3c46aac42fca92a7ba4d009f12b86e1a9
SHA256: 27c3c3332858f987703c95ebe6ee05929acb306f4358afab4432230a497dbeb1
SHA512: 12af81fb69bd167848cd7f8bb5a71b2076f8e2237d3c3981c76cea3a3e4dd65475f166af66d97c78eaf934997f3059b9abe5b1f053f2c2c3db28fde1c415f09c
SSDEEP: 1536:rF0AJELopHG9aa+9qX3apJzAKWYr0v7ioy6paK2AZqMIK7aGZh38Qr:riAyLN9aa+9U2rW1ip6pr2At7NZuQr
Malware Config
Signatures

UPX dump on OEP (original entry point) - 5 IoCs
resource                                                                    yara_rule
behavioral1/memory/1184-7-0x0000000000150000-0x0000000000178000-memory.dmp   UPX
behavioral1/files/0x0037000000015686-6.dat                                   UPX
behavioral1/memory/2140-0-0x0000000000C50000-0x0000000000C78000-memory.dmp   UPX
behavioral1/memory/2140-8-0x0000000000C50000-0x0000000000C78000-memory.dmp   UPX
behavioral1/memory/2140-10-0x0000000000C50000-0x0000000000C78000-memory.dmp  UPX

Executes dropped EXE - 1 IoCs
pid    Process
1184   WwanSvc.exe

Loads dropped DLL - 1 IoCs
pid    Process
2140   27c3c3332858f987703c95ebe6ee05929acb306f4358afab4432230a497dbeb1.exe

resource                                                                    yara_rule
behavioral1/memory/1184-7-0x0000000000150000-0x0000000000178000-memory.dmp   upx
behavioral1/files/0x0037000000015686-6.dat                                   upx
behavioral1/memory/2140-0-0x0000000000C50000-0x0000000000C78000-memory.dmp   upx
behavioral1/memory/2140-8-0x0000000000C50000-0x0000000000C78000-memory.dmp   upx
behavioral1/memory/2140-10-0x0000000000C50000-0x0000000000C78000-memory.dmp  upx

Adds Run key to start application - 2 TTPs, 1 IoCs
description       ioc                                                                                                                                                  Process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"   27c3c3332858f987703c95ebe6ee05929acb306f4358afab4432230a497dbeb1.exe

Suspicious use of WriteProcessMemory - 4 IoCs
description                         pid    Process                                                                 procid_target
PID 2140 wrote to memory of 1184    2140   27c3c3332858f987703c95ebe6ee05929acb306f4358afab4432230a497dbeb1.exe   29
PID 2140 wrote to memory of 1184    2140   27c3c3332858f987703c95ebe6ee05929acb306f4358afab4432230a497dbeb1.exe   29
PID 2140 wrote to memory of 1184    2140   27c3c3332858f987703c95ebe6ee05929acb306f4358afab4432230a497dbeb1.exe   29
PID 2140 wrote to memory of 1184    2140   27c3c3332858f987703c95ebe6ee05929acb306f4358afab4432230a497dbeb1.exe   29
Processes

C:\Users\Admin\AppData\Local\Temp\27c3c3332858f987703c95ebe6ee05929acb306f4358afab4432230a497dbeb1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\27c3c3332858f987703c95ebe6ee05929acb306f4358afab4432230a497dbeb1.exe"
  PID: 2140
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\Update\WwanSvc.exe
    Command line: "C:\ProgramData\Update\WwanSvc.exe" /run
    PID: 1184
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 134KB
MD5: 7e4f34874f33457d5bfa9a98b4313f86
SHA1: 384ad060c5f349bded904fa6bd4b78a565c986aa
SHA256: 4f18e33213ef62d169def6b74bbe3f1e961e876353159ae0ee4275c69fe0ac53
SHA512: dce210898898841920209924ab1b3a50b9edd1a5b707c1c8137ede8d93d889234209bf47337236da3c293601a7aeae4ac090f28a9c2bd65002cb175f3bf4e38a