Analysis Overview
SHA256
04d9aa941b5fcf9a06676ac33f2733fb29229bc6670eacc7b1e22c67268ce676
Threat Level: Shows suspicious behavior
The file 471fa1b436cf3eb3240350c658c6ee30.bin was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
UPX packed file
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 01:41
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 01:41
Reported
2024-06-14 01:44
Platform
win10v2004-20240611-en
Max time kernel
141s
Max time network
95s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Update\WwanSvc.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\471fa1b436cf3eb3240350c658c6ee30.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4560 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\471fa1b436cf3eb3240350c658c6ee30.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 4560 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\471fa1b436cf3eb3240350c658c6ee30.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 4560 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\471fa1b436cf3eb3240350c658c6ee30.exe | C:\ProgramData\Update\WwanSvc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\471fa1b436cf3eb3240350c658c6ee30.exe
"C:\Users\Admin\AppData\Local\Temp\471fa1b436cf3eb3240350c658c6ee30.exe"
C:\ProgramData\Update\WwanSvc.exe
"C:\ProgramData\Update\WwanSvc.exe" /run
Network
| Country | Destination | Domain | Proto |
| CA | 158.69.115.115:443 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/4560-0-0x0000000000E40000-0x0000000000E68000-memory.dmp
memory/4560-4-0x0000000000E40000-0x0000000000E68000-memory.dmp
C:\ProgramData\Update\WwanSvc.exe
| MD5 | 84014a7516ea4a567b6dd36669264ea5 |
| SHA1 | e2f6cd43a7aa0addd374992f9fcd5fb7d368f525 |
| SHA256 | e3d61f03cd196ec7ba4e4850b996fce344fa2d424f4457832774619afedad9a6 |
| SHA512 | 9d61d256e723841fae276b2d337bb1734e1a13d46b1b64560f963ea4e32d10c7d640f3de803e4cd3337fab883be8960b0f0daa491fcf60f36a403fa442281936 |
memory/1568-6-0x0000000000740000-0x0000000000768000-memory.dmp
memory/1568-7-0x0000000000740000-0x0000000000768000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 01:41
Reported
2024-06-14 01:44
Platform
win7-20240611-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Update\WwanSvc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\471fa1b436cf3eb3240350c658c6ee30.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\471fa1b436cf3eb3240350c658c6ee30.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1752 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\471fa1b436cf3eb3240350c658c6ee30.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 1752 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\471fa1b436cf3eb3240350c658c6ee30.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 1752 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\471fa1b436cf3eb3240350c658c6ee30.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 1752 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\471fa1b436cf3eb3240350c658c6ee30.exe | C:\ProgramData\Update\WwanSvc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\471fa1b436cf3eb3240350c658c6ee30.exe
"C:\Users\Admin\AppData\Local\Temp\471fa1b436cf3eb3240350c658c6ee30.exe"
C:\ProgramData\Update\WwanSvc.exe
"C:\ProgramData\Update\WwanSvc.exe" /run
Network
| Country | Destination | Domain | Proto |
| CA | 158.69.115.115:443 | | tcp |
Files
memory/1752-1-0x0000000000E50000-0x0000000000E78000-memory.dmp
\ProgramData\Update\WwanSvc.exe
| MD5 | 7180ade1cec8ca4e99e963b474d86eac |
| SHA1 | 34b35299dd3b41f23ed379ca973de0ed225cbfa1 |
| SHA256 | a08ac842a89db8dac3e64150dec631c85b21f48aabbbab69301cfa8063c0b47e |
| SHA512 | 3100c62766548867900432948900b5518d057cc39927b9b2346c444c849adea7eeaab9dc16c53874a605f1332eb0bf8fca15f3d25f125652690ef6d677666c4e |
memory/1752-4-0x00000000000F0000-0x0000000000118000-memory.dmp
memory/2052-7-0x0000000000AA0000-0x0000000000AC8000-memory.dmp
memory/1752-8-0x0000000000E50000-0x0000000000E78000-memory.dmp