Malware Analysis Report

2025-08-10 21:44

Sample ID 240610-e16tdsca81
Target 27c3c3332858f987703c95ebe6ee05929acb306f4358afab4432230a497dbeb1
SHA256 27c3c3332858f987703c95ebe6ee05929acb306f4358afab4432230a497dbeb1
Tags
upx persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

27c3c3332858f987703c95ebe6ee05929acb306f4358afab4432230a497dbeb1

Threat Level: Known bad

The file 27c3c3332858f987703c95ebe6ee05929acb306f4358afab4432230a497dbeb1 was found to be: Known bad.

Malicious Activity Summary

upx persistence

UPX dump on OEP (original entry point)

UPX packed file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 04:25

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 04:25

Reported

2024-06-10 04:41

Platform

win7-20240508-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\27c3c3332858f987703c95ebe6ee05929acb306f4358afab4432230a497dbeb1.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Update\WwanSvc.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" C:\Users\Admin\AppData\Local\Temp\27c3c3332858f987703c95ebe6ee05929acb306f4358afab4432230a497dbeb1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\27c3c3332858f987703c95ebe6ee05929acb306f4358afab4432230a497dbeb1.exe

"C:\Users\Admin\AppData\Local\Temp\27c3c3332858f987703c95ebe6ee05929acb306f4358afab4432230a497dbeb1.exe"

C:\ProgramData\Update\WwanSvc.exe

"C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country  Destination          Domain  Proto
CA       158.69.115.115:443   -       tcp

Files

memory/1184-7-0x0000000000150000-0x0000000000178000-memory.dmp

C:\ProgramData\Update\WwanSvc.exe

MD5 7e4f34874f33457d5bfa9a98b4313f86
SHA1 384ad060c5f349bded904fa6bd4b78a565c986aa
SHA256 4f18e33213ef62d169def6b74bbe3f1e961e876353159ae0ee4275c69fe0ac53
SHA512 dce210898898841920209924ab1b3a50b9edd1a5b707c1c8137ede8d93d889234209bf47337236da3c293601a7aeae4ac090f28a9c2bd65002cb175f3bf4e38a

memory/2140-5-0x00000000000F0000-0x0000000000118000-memory.dmp

memory/2140-0-0x0000000000C50000-0x0000000000C78000-memory.dmp

memory/2140-8-0x0000000000C50000-0x0000000000C78000-memory.dmp

memory/2140-9-0x00000000000F0000-0x0000000000118000-memory.dmp

memory/2140-10-0x0000000000C50000-0x0000000000C78000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 04:25

Reported

2024-06-10 04:44

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\27c3c3332858f987703c95ebe6ee05929acb306f4358afab4432230a497dbeb1.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Update\WwanSvc.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" C:\Users\Admin\AppData\Local\Temp\27c3c3332858f987703c95ebe6ee05929acb306f4358afab4432230a497dbeb1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\27c3c3332858f987703c95ebe6ee05929acb306f4358afab4432230a497dbeb1.exe

"C:\Users\Admin\AppData\Local\Temp\27c3c3332858f987703c95ebe6ee05929acb306f4358afab4432230a497dbeb1.exe"

C:\ProgramData\Update\WwanSvc.exe

"C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country  Destination          Domain                          Proto
CA       158.69.115.115:443   -                               tcp
US       8.8.8.8:53           232.168.11.51.in-addr.arpa      udp
US       8.8.8.8:53           0.204.248.87.in-addr.arpa       udp
US       8.8.8.8:53           68.159.190.20.in-addr.arpa      udp
US       8.8.8.8:53           209.205.72.20.in-addr.arpa      udp
US       8.8.8.8:53           26.165.165.52.in-addr.arpa      udp
US       8.8.8.8:53           171.39.242.20.in-addr.arpa      udp
US       8.8.8.8:53           203.107.17.2.in-addr.arpa       udp
US       52.111.227.11:443    -                               tcp
US       8.8.8.8:53           144.107.17.2.in-addr.arpa       udp
US       8.8.8.8:53           23.236.111.52.in-addr.arpa      udp

Files

memory/3644-0-0x0000000000AE0000-0x0000000000B08000-memory.dmp

C:\ProgramData\Update\WwanSvc.exe

MD5 6044f64411e0ac9798ff8a2309b796af
SHA1 d5fa187d428af0e096faf6e421ab8d04f2ef8d8d
SHA256 4fb66f6260a73dbdc417a52ef9dd000aecd16b02e1c1f6cf8741ff2b4a8f1385
SHA512 579b6d9249d63b954eb015f6a68494ce241434f7e37c3f2ca23e4037ae0a6d548c936e671c6776028c37e264c62c472659f9fb47853880a718b328c96e7d81b1

memory/780-6-0x0000000000C10000-0x0000000000C38000-memory.dmp

memory/3644-5-0x0000000000AE0000-0x0000000000B08000-memory.dmp