Malware Analysis Report

2025-08-06 00:24

Sample ID: 240611-a8dqcsxdrh
Target:    96615c080c85c00403039e5116876ba7614897e974424b58246beb99214c95b3
SHA256:    96615c080c85c00403039e5116876ba7614897e974424b58246beb99214c95b3
Tags:      upx, persistence
Score:     10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 96615c080c85c00403039e5116876ba7614897e974424b58246beb99214c95b3

Threat Level: Known bad

The file 96615c080c85c00403039e5116876ba7614897e974424b58246beb99214c95b3 was found to be: Known bad.

Malicious Activity Summary

Tags: upx, persistence

UPX dump on OEP (original entry point)

Executes dropped EXE

UPX packed file

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-11 00:52

Signatures

UPX dump on OEP (original entry point)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

UPX packed file (tag: upx)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2024-06-11 00:52
Reported:         2024-06-11 00:55
Platform:         win7-20240221-en
Max time kernel:  120s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96615c080c85c00403039e5116876ba7614897e974424b58246beb99214c95b3.exe"

Signatures

UPX dump on OEP (original entry point)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Executes dropped EXE

Description: N/A
Indicator:   N/A
Process:     C:\ProgramData\Update\WwanSvc.exe
Target:      N/A

UPX packed file (tag: upx)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Adds Run key to start application (tag: persistence)

Description: Set value (str)
Indicator:   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
Process:     C:\Users\Admin\AppData\Local\Temp\96615c080c85c00403039e5116876ba7614897e974424b58246beb99214c95b3.exe
Target:      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\96615c080c85c00403039e5116876ba7614897e974424b58246beb99214c95b3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\96615c080c85c00403039e5116876ba7614897e974424b58246beb99214c95b3.exe"

C:\ProgramData\Update\WwanSvc.exe
  Command line: "C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country  Destination         Domain  Proto
CA       158.69.115.115:443  -       tcp

Files

memory/2744-0-0x0000000001020000-0x0000000001048000-memory.dmp

\ProgramData\Update\WwanSvc.exe
  MD5:    3f2d8bc3d4c5ee7aa147f42de5e0d1bf
  SHA1:   fdd16e59603715958c26ebbf9a45d0ac0ccf8486
  SHA256: f1b52e3b55bdda424e280c976f8e58abc2f4706652a2f5bc8ca04492ec6ced6a
  SHA512: 0e3600f1e1dd48914308eba9f2489731ead1b24dad0d7217c1fe47cb8aab26f58d8580551b99d2127b20842246c3a5309a91ce1ea684c612c657e1824a994e27

memory/3008-6-0x0000000000C60000-0x0000000000C88000-memory.dmp

memory/2744-7-0x0000000001020000-0x0000000001048000-memory.dmp

memory/2744-8-0x0000000000C60000-0x0000000000C88000-memory.dmp

memory/3008-9-0x0000000000C60000-0x0000000000C88000-memory.dmp

memory/2744-10-0x0000000001020000-0x0000000001048000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted:        2024-06-11 00:52
Reported:         2024-06-11 00:55
Platform:         win10v2004-20240426-en
Max time kernel:  93s
Max time network: 96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96615c080c85c00403039e5116876ba7614897e974424b58246beb99214c95b3.exe"

Signatures

UPX dump on OEP (original entry point)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Executes dropped EXE

Description: N/A
Indicator:   N/A
Process:     C:\ProgramData\Update\WwanSvc.exe
Target:      N/A

UPX packed file (tag: upx)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Adds Run key to start application (tag: persistence)

Description: Set value (str)
Indicator:   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
Process:     C:\Users\Admin\AppData\Local\Temp\96615c080c85c00403039e5116876ba7614897e974424b58246beb99214c95b3.exe
Target:      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\96615c080c85c00403039e5116876ba7614897e974424b58246beb99214c95b3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\96615c080c85c00403039e5116876ba7614897e974424b58246beb99214c95b3.exe"

C:\ProgramData\Update\WwanSvc.exe
  Command line: "C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country  Destination         Domain                         Proto
CA       158.69.115.115:443  -                              tcp
US       8.8.8.8:53          8.8.8.8.in-addr.arpa           udp
US       8.8.8.8:53          209.205.72.20.in-addr.arpa     udp
US       8.8.8.8:53          203.107.17.2.in-addr.arpa      udp
US       8.8.8.8:53          136.32.126.40.in-addr.arpa     udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53          228.249.119.40.in-addr.arpa    udp
US       8.8.8.8:53          157.123.68.40.in-addr.arpa     udp
US       8.8.8.8:53          171.39.242.20.in-addr.arpa     udp
US       8.8.8.8:53          13.227.111.52.in-addr.arpa     udp
US       8.8.8.8:53          138.107.17.2.in-addr.arpa      udp

Files

memory/4688-1-0x0000000000EE0000-0x0000000000F08000-memory.dmp

memory/4688-5-0x0000000000EE0000-0x0000000000F08000-memory.dmp

C:\ProgramData\Update\WwanSvc.exe
  MD5:    cd82db61235bbfd857fab9a8232ec498
  SHA1:   aff7ae169ad9df51beb9e8a21a3e7e51509c503b
  SHA256: a9910e9ba6aa7eac10ef72a1e5b6947335664d3efd104ecdef1fe8e2063f9d14
  SHA512: 609c652884116f60e2ebc7eaa1a948b55f97f4984f3b8e7dea8a61863c2f2d29f0f2ea614b8d1912716a0e335e38c3fcb2124c22b14dc24767d206a954d1ed0b

memory/1508-6-0x0000000000D50000-0x0000000000D78000-memory.dmp