Analysis
max time kernel: 141s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 01:41
Behavioral task: behavioral1
Sample: 471fa1b436cf3eb3240350c658c6ee30.exe
Resource: win7-20240611-en

Behavioral task: behavioral2
Sample: 471fa1b436cf3eb3240350c658c6ee30.exe
Resource: win10v2004-20240611-en
General
Target: 471fa1b436cf3eb3240350c658c6ee30.exe
Size: 134KB
MD5: 471fa1b436cf3eb3240350c658c6ee30
SHA1: 1a6150f14cc5e5e7878e9ba8db353a699bc21199
SHA256: 04d9aa941b5fcf9a06676ac33f2733fb29229bc6670eacc7b1e22c67268ce676
SHA512: bcb444637b458a8389d5161ff72e564ca7da5d47df1d85a1deb7495d52f4374fb903168cdfc3c31f85c8e34d260c9c4cfa3953e6394e7ed247b0483b48ebfb39
SSDEEP: 1536:rF0AJELopHG9aa+9qX3apJzAKWYr0v7ioy6paK2AZqMIK7aGZh38Qf:riAyLN9aa+9U2rW1ip6pr2At7NZuQf
Malware Config

Signatures

Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  1568  WwanSvc.exe

Processes (yara rule matches):
  resource                                                                     yara_rule
  behavioral2/memory/4560-0-0x0000000000E40000-0x0000000000E68000-memory.dmp   upx
  behavioral2/memory/4560-4-0x0000000000E40000-0x0000000000E68000-memory.dmp   upx
  C:\ProgramData\Update\WwanSvc.exe                                            upx
  behavioral2/memory/1568-6-0x0000000000740000-0x0000000000768000-memory.dmp   upx
  behavioral2/memory/1568-7-0x0000000000740000-0x0000000000768000-memory.dmp   upx

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description      ioc                                                                                                                                     process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"  471fa1b436cf3eb3240350c658c6ee30.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                        pid   process                               target process
  PID 4560 wrote to memory of 1568   4560  471fa1b436cf3eb3240350c658c6ee30.exe  WwanSvc.exe
  PID 4560 wrote to memory of 1568   4560  471fa1b436cf3eb3240350c658c6ee30.exe  WwanSvc.exe
  PID 4560 wrote to memory of 1568   4560  471fa1b436cf3eb3240350c658c6ee30.exe  WwanSvc.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\471fa1b436cf3eb3240350c658c6ee30.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\471fa1b436cf3eb3240350c658c6ee30.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   PID: 4560
   2. C:\ProgramData\Update\WwanSvc.exe
      Command line: "C:\ProgramData\Update\WwanSvc.exe" /run
      - Executes dropped EXE
      PID: 1568
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 134KB
MD5: 84014a7516ea4a567b6dd36669264ea5
SHA1: e2f6cd43a7aa0addd374992f9fcd5fb7d368f525
SHA256: e3d61f03cd196ec7ba4e4850b996fce344fa2d424f4457832774619afedad9a6
SHA512: 9d61d256e723841fae276b2d337bb1734e1a13d46b1b64560f963ea4e32d10c7d640f3de803e4cd3337fab883be8960b0f0daa491fcf60f36a403fa442281936