6ca3b7e1bab753a5a96bfe0882044bc95539470c980ee91e4f97e6302a6b1ad3

Analysis

max time kernel
30s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

362592b09114e5d56e98094dd5098790N.exe
Size

134KB
MD5

362592b09114e5d56e98094dd5098790
SHA1

e3628695b459590353604fef1a7b5034c93a62ab
SHA256

6ca3b7e1bab753a5a96bfe0882044bc95539470c980ee91e4f97e6302a6b1ad3
SHA512

dfa80c5805ac8e3c7a8912f33c77e80ebdc8baaad183d4b6c5dc451881ba7bf296b02a6a9fbe9f5d32c53d285370c68b92b237e5312c2fcd9a40159ee7d8d2fb
SSDEEP

1536:rF0AJELopHG9aa+9qX3apJzAKWYr0v7ioy6paK2AZqMIK7aGZh38QY:riAyLN9aa+9U2rW1ip6pr2At7NZuQY

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1868	WwanSvc.exe

Loads dropped DLL 1 IoCs

pid	Process
2548	362592b09114e5d56e98094dd5098790N.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2548-0-0x0000000000AE0000-0x0000000000B08000-memory.dmp	upx
behavioral1/files/0x0008000000016dcb-2.dat	upx
behavioral1/memory/1868-7-0x0000000000B30000-0x0000000000B58000-memory.dmp	upx
behavioral1/memory/2548-8-0x0000000000AE0000-0x0000000000B08000-memory.dmp	upx
behavioral1/memory/2548-10-0x0000000000AE0000-0x0000000000B08000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"	362592b09114e5d56e98094dd5098790N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	362592b09114e5d56e98094dd5098790N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WwanSvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1868	2548	362592b09114e5d56e98094dd5098790N.exe	30
PID 2548 wrote to memory of 1868	2548	362592b09114e5d56e98094dd5098790N.exe	30
PID 2548 wrote to memory of 1868	2548	362592b09114e5d56e98094dd5098790N.exe	30
PID 2548 wrote to memory of 1868	2548	362592b09114e5d56e98094dd5098790N.exe	30

C:\Users\Admin\AppData\Local\Temp\362592b09114e5d56e98094dd5098790N.exe
"C:\Users\Admin\AppData\Local\Temp\362592b09114e5d56e98094dd5098790N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548
- C:\ProgramData\Update\WwanSvc.exe
  "C:\ProgramData\Update\WwanSvc.exe" /run
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\Update\WwanSvc.exe

Filesize
134KB

MD5
6d990272b06f82f97296fd5fe86f4425

SHA1
16bf5f26feba87ef05c8b8e46c2557a841d8db1d

SHA256
98c488c328af6cee3669e155e326363e58f05dcde9134abfd41142e95a24d608

SHA512
c4c1087c82a56d45be208f1057df0c18f90eea0be8b1fd38b33d64898689188c39222a180840ee4547e7371d9903f1057e750d9c5c4b14c9c4432f78fc80e19f

Download Submit
memory/1868-7-0x0000000000B30000-0x0000000000B58000-memory.dmp

Filesize
160KB

Download
memory/2548-0-0x0000000000AE0000-0x0000000000B08000-memory.dmp

Filesize
160KB

Download
memory/2548-5-0x00000000000F0000-0x0000000000118000-memory.dmp

Filesize
160KB

Download
memory/2548-8-0x0000000000AE0000-0x0000000000B08000-memory.dmp

Filesize
160KB

Download
memory/2548-9-0x00000000000F0000-0x0000000000118000-memory.dmp

Filesize
160KB

Download
memory/2548-10-0x0000000000AE0000-0x0000000000B08000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads