bfe3488c27e0c664abee59896fcd22e717bd18c0d7b0a16e7d20587947771ef2

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 02:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bfe3488c27e0c664abee59896fcd22e717bd18c0d7b0a16e7d20587947771ef2.exe
Size

134KB
MD5

70e50f3a73b1f1be005ef32dd6f97d84
SHA1

56e595bdcc27b7d43ce6e6d76bfe2bb10e1bc806
SHA256

bfe3488c27e0c664abee59896fcd22e717bd18c0d7b0a16e7d20587947771ef2
SHA512

d2d08d11acdd1552a72aed9883de98ecd2487d817298d003ccdd7b6591961fe116390d1dadf2aa09f7a612ed84c07e3ee680c00f8e9045a107d5ca3a67c024ba
SSDEEP

1536:rF0AJELopHG9aa+9qX3apJzAKWYr0v7ioy6paK2AZqMIK7aGZh38QY:riAyLN9aa+9U2rW1ip6pr2At7NZuQY

Score

9^/10

persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 6 IoCs

resource	yara_rule
behavioral1/memory/2392-0-0x0000000000970000-0x0000000000998000-memory.dmp	UPX
behavioral1/files/0x0009000000015616-2.dat	UPX
behavioral1/memory/2392-4-0x0000000000080000-0x00000000000A8000-memory.dmp	UPX
behavioral1/memory/2392-7-0x0000000000970000-0x0000000000998000-memory.dmp	UPX
behavioral1/memory/2864-8-0x0000000000CD0000-0x0000000000CF8000-memory.dmp	UPX
behavioral1/memory/2392-9-0x0000000000970000-0x0000000000998000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
2864	WwanSvc.exe

Loads dropped DLL 1 IoCs

pid	Process
2392	bfe3488c27e0c664abee59896fcd22e717bd18c0d7b0a16e7d20587947771ef2.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2392-0-0x0000000000970000-0x0000000000998000-memory.dmp	upx
behavioral1/files/0x0009000000015616-2.dat	upx
behavioral1/memory/2392-4-0x0000000000080000-0x00000000000A8000-memory.dmp	upx
behavioral1/memory/2392-7-0x0000000000970000-0x0000000000998000-memory.dmp	upx
behavioral1/memory/2864-8-0x0000000000CD0000-0x0000000000CF8000-memory.dmp	upx
behavioral1/memory/2392-9-0x0000000000970000-0x0000000000998000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"	bfe3488c27e0c664abee59896fcd22e717bd18c0d7b0a16e7d20587947771ef2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2864	2392	bfe3488c27e0c664abee59896fcd22e717bd18c0d7b0a16e7d20587947771ef2.exe	28
PID 2392 wrote to memory of 2864	2392	bfe3488c27e0c664abee59896fcd22e717bd18c0d7b0a16e7d20587947771ef2.exe	28
PID 2392 wrote to memory of 2864	2392	bfe3488c27e0c664abee59896fcd22e717bd18c0d7b0a16e7d20587947771ef2.exe	28
PID 2392 wrote to memory of 2864	2392	bfe3488c27e0c664abee59896fcd22e717bd18c0d7b0a16e7d20587947771ef2.exe	28

C:\Users\Admin\AppData\Local\Temp\bfe3488c27e0c664abee59896fcd22e717bd18c0d7b0a16e7d20587947771ef2.exe
"C:\Users\Admin\AppData\Local\Temp\bfe3488c27e0c664abee59896fcd22e717bd18c0d7b0a16e7d20587947771ef2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2392
- C:\ProgramData\Update\WwanSvc.exe
  "C:\ProgramData\Update\WwanSvc.exe" /run
  2⤵
  - Executes dropped EXE
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\Update\WwanSvc.exe

Filesize
134KB

MD5
a1697575b5c61218a1aa28eaeeb5f9fa

SHA1
568c97395995c95349cc59465c7b8d5d6e43bf91

SHA256
3da2c9392d68026d934a683bcdcc6b8a3cc1bbe9788960ba03193d647c9bed33

SHA512
eb29a884fc1d78fb1c4e68d664ba4a4774ad36748ccf4504f5549e22b47c2f7d8a0609caf4b4d7b788576dd29383f9a331bb6a6282d30d133c5de9e961e4d6fa

Download Submit
memory/2392-0-0x0000000000970000-0x0000000000998000-memory.dmp

Filesize
160KB

Download
memory/2392-4-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/2392-7-0x0000000000970000-0x0000000000998000-memory.dmp

Filesize
160KB

Download
memory/2392-9-0x0000000000970000-0x0000000000998000-memory.dmp

Filesize
160KB

Download
memory/2864-8-0x0000000000CD0000-0x0000000000CF8000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads