Malware Analysis Report

2024-11-15 05:45

Sample ID 240614-b4hdeszgqf
Target 471fa1b436cf3eb3240350c658c6ee30.bin
SHA256 04d9aa941b5fcf9a06676ac33f2733fb29229bc6670eacc7b1e22c67268ce676
Tags
persistence upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

04d9aa941b5fcf9a06676ac33f2733fb29229bc6670eacc7b1e22c67268ce676

Threat Level: Shows suspicious behavior

The file 471fa1b436cf3eb3240350c658c6ee30.bin was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence upx

Executes dropped EXE

UPX packed file

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 01:41

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 01:41

Reported

2024-06-14 01:44

Platform

win10v2004-20240611-en

Max time kernel

141s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\471fa1b436cf3eb3240350c658c6ee30.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Update\WwanSvc.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" C:\Users\Admin\AppData\Local\Temp\471fa1b436cf3eb3240350c658c6ee30.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\471fa1b436cf3eb3240350c658c6ee30.exe

"C:\Users\Admin\AppData\Local\Temp\471fa1b436cf3eb3240350c658c6ee30.exe"

C:\ProgramData\Update\WwanSvc.exe

"C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country Destination Domain Proto
CA 158.69.115.115:443 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/4560-0-0x0000000000E40000-0x0000000000E68000-memory.dmp

memory/4560-4-0x0000000000E40000-0x0000000000E68000-memory.dmp

C:\ProgramData\Update\WwanSvc.exe

MD5 84014a7516ea4a567b6dd36669264ea5
SHA1 e2f6cd43a7aa0addd374992f9fcd5fb7d368f525
SHA256 e3d61f03cd196ec7ba4e4850b996fce344fa2d424f4457832774619afedad9a6
SHA512 9d61d256e723841fae276b2d337bb1734e1a13d46b1b64560f963ea4e32d10c7d640f3de803e4cd3337fab883be8960b0f0daa491fcf60f36a403fa442281936

memory/1568-6-0x0000000000740000-0x0000000000768000-memory.dmp

memory/1568-7-0x0000000000740000-0x0000000000768000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 01:41

Reported

2024-06-14 01:44

Platform

win7-20240611-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\471fa1b436cf3eb3240350c658c6ee30.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Update\WwanSvc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\471fa1b436cf3eb3240350c658c6ee30.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" C:\Users\Admin\AppData\Local\Temp\471fa1b436cf3eb3240350c658c6ee30.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\471fa1b436cf3eb3240350c658c6ee30.exe

"C:\Users\Admin\AppData\Local\Temp\471fa1b436cf3eb3240350c658c6ee30.exe"

C:\ProgramData\Update\WwanSvc.exe

"C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country Destination Domain Proto
CA 158.69.115.115:443 tcp

Files

memory/1752-1-0x0000000000E50000-0x0000000000E78000-memory.dmp

\ProgramData\Update\WwanSvc.exe

MD5 7180ade1cec8ca4e99e963b474d86eac
SHA1 34b35299dd3b41f23ed379ca973de0ed225cbfa1
SHA256 a08ac842a89db8dac3e64150dec631c85b21f48aabbbab69301cfa8063c0b47e
SHA512 3100c62766548867900432948900b5518d057cc39927b9b2346c444c849adea7eeaab9dc16c53874a605f1332eb0bf8fca15f3d25f125652690ef6d677666c4e

memory/1752-4-0x00000000000F0000-0x0000000000118000-memory.dmp

memory/2052-7-0x0000000000AA0000-0x0000000000AC8000-memory.dmp

memory/1752-8-0x0000000000E50000-0x0000000000E78000-memory.dmp