5ceaa1057428542d3882ea0900651e6586e45a8cd3c24bb484c94a6feadd6090

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 23:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5ceaa1057428542d3882ea0900651e6586e45a8cd3c24bb484c94a6feadd6090.exe
Size

94KB
MD5

dd10f338d602a79f6ff96a914cf272ea
SHA1

c932baae9dddbf122520e5941fb383f3760a9906
SHA256

5ceaa1057428542d3882ea0900651e6586e45a8cd3c24bb484c94a6feadd6090
SHA512

87e08522535519ec9b38b1edc652f83d78de14255d4c2a86b70ba2996d23f8868b0e7aee020c9e5f7595fa3055f89d68020fcf20e2e8d35341038292d79fcc48
SSDEEP

1536:tF0AJELoJHG9qa+oa33KJJzAKWYr0v7iJSzIRXKTzRZICrWaGZh7A:tiAyLN9qa+oEGrWViJSzIR6JJrWNZq

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2400	WwanSvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"	5ceaa1057428542d3882ea0900651e6586e45a8cd3c24bb484c94a6feadd6090.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2400	2092	5ceaa1057428542d3882ea0900651e6586e45a8cd3c24bb484c94a6feadd6090.exe	84
PID 2092 wrote to memory of 2400	2092	5ceaa1057428542d3882ea0900651e6586e45a8cd3c24bb484c94a6feadd6090.exe	84
PID 2092 wrote to memory of 2400	2092	5ceaa1057428542d3882ea0900651e6586e45a8cd3c24bb484c94a6feadd6090.exe	84

C:\Users\Admin\AppData\Local\Temp\5ceaa1057428542d3882ea0900651e6586e45a8cd3c24bb484c94a6feadd6090.exe
"C:\Users\Admin\AppData\Local\Temp\5ceaa1057428542d3882ea0900651e6586e45a8cd3c24bb484c94a6feadd6090.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2092
- C:\ProgramData\Update\WwanSvc.exe
  "C:\ProgramData\Update\WwanSvc.exe" /run
  2⤵
  - Executes dropped EXE
  PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Update\WwanSvc.exe

Filesize
94KB

MD5
612460a5714f6ee6d851f4f0ccbe9dee

SHA1
7aaf80fc0afa4f1709e73c97d3a5c7b9400a2734

SHA256
787c2ce8b3c8b8125004153e329eaa421aa4187dd7e815741b68ac4564771ce3

SHA512
f3a18225b4e79c681932346b2f655333aca817daa655bd9438ea8de1aeb994948e761c023d5bfe22fef2e8e78212dcb0d98e6003f1cedf1c78d70243088d5d11

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads