Analysis
-
max time kernel
30s -
max time network
23s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system -
submitted
17/08/2024, 16:13
Static task
static1
Behavioral task
behavioral1
Sample
872818ea9b27d10483530d3721a9c480N.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
872818ea9b27d10483530d3721a9c480N.exe
Resource
win10v2004-20240802-en
General
-
Target
872818ea9b27d10483530d3721a9c480N.exe
-
Size
94KB
-
MD5
872818ea9b27d10483530d3721a9c480
-
SHA1
f65e211f8dcce84ab70ca7c7e208e9ece4fbf44d
-
SHA256
487ea66d23d5110e626bb9581e8f45fcb6da55943aab5e5a8e9ae9c51748d035
-
SHA512
75d1575225091fed01fc9ae8bfd4c4648d9e4385ff802753e9e03fac34b0678bb785a80c42d0611fa29f460023827419581a3d999b4c7876770a03d8c5d2b6bb
-
SSDEEP
1536:tF0AJELoJHG9qa+oa33KJJzAKWYr0v7iJSzIRXKTzRZICrWaGZh7C:tiAyLN9qa+oEGrWViJSzIR6JJrWNZk
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid   Process
2752  WwanSvc.exe
-
Loads dropped DLL 1 IoCs
pid   Process
3028  872818ea9b27d10483530d3721a9c480N.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
Process: 872818ea9b27d10483530d3721a9c480N.exe
The value as stored in the registry (the report shows it with escaped quotes and backslashes) is "C:\ProgramData\Update\WwanSvc.exe" /run. Three details worth noting for hunting: the value name "Window Update" mimics "Windows Update"; the file name WwanSvc.exe borrows the name of the legitimate WWAN AutoConfig service; and the key sits under Wow6432Node, i.e. the 32-bit sample (tagged arch:x86) set it on the 64-bit host.
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. Reading this key is also common in benign software (the NLS APIs consult it), so it carries little weight on its own.
description   ioc                                                           Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   872818ea9b27d10483530d3721a9c480N.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   WwanSvc.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description                       pid   Process                                 procid_target
PID 3028 wrote to memory of 2752  3028  872818ea9b27d10483530d3721a9c480N.exe   30
PID 3028 wrote to memory of 2752  3028  872818ea9b27d10483530d3721a9c480N.exe   30
PID 3028 wrote to memory of 2752  3028  872818ea9b27d10483530d3721a9c480N.exe   30
PID 3028 wrote to memory of 2752  3028  872818ea9b27d10483530d3721a9c480N.exe   30
All four writes are from the sample (PID 3028) into WwanSvc.exe (PID 2752), the child it spawned; procid_target (30) is the report's own identifier for that child process, not a Windows PID. A parent writing into a child it has just created is consistent with ordinary process start-up and is not, by itself, evidence of code injection or hollowing; a write into an unrelated process would be.
-
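A detector for the persistence mechanism behind the "Adds Run key to start application" signature, added here as an example (it is not part of the sandbox report or its tooling). It parses rows in the shape of that IoC line, undoes the escaping the report applies to the value, and flags Run entries whose executable lives in a user-writable drop location such as C:\ProgramData. The first sample row is the report's own entry; the second row (SecurityHealthSystray.exe set by explorer.exe) and the list of drop locations are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample events in the shape of the report's "Adds Run key" IoC
# row. The first is the report's own entry; the second is a constructed,
# benign-looking entry (an assumption, not from the report) so that the
# detector has something it should not flag.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" 872818ea9b27d10483530d3721a9c480N.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "\"C:\\Windows\\System32\\SecurityHealthSystray.exe\"" explorer.exe',
]

# One report row: Set value (<type>) <key>\<name> = "<escaped value>" <writer>
RUN_KEY_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) '
    r'(?P<key>\\REGISTRY\\.*?\\Run(?:Once)?\\(?P<name>[^=]+?)) = '
    r'"(?P<raw>(?:[^"\\]|\\.)*)" '
    r'(?P<writer>\S+)$'
)

# User-writable locations a dropper typically stages its payload in. This list
# is an assumption for the example; tune it to the estate being monitored.
DROP_LOCATIONS = [
    re.compile(r'^c:\\programdata\\', re.I),
    re.compile(r'^c:\\users\\[^\\]+\\appdata\\', re.I),
    re.compile(r'^c:\\windows\\temp\\', re.I),
]


@dataclass
class RunKeyFinding:
    key: str
    value_name: str
    command: str        # the Run value as actually stored in the registry
    target: str         # executable that value launches
    writer: str         # process that set the value
    suspicious: bool    # True when the target lives in a drop location
    reasons: list       # human-readable context for the analyst


def _launched_exe(command):
    """Return the executable path from a Run value (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ', 1)[0]


def assess(line):
    """Parse one report row; return a RunKeyFinding, or None if it is not a Run key event."""
    m = RUN_KEY_RE.match(line)
    if not m:
        return None
    # The report renders the value with \" and \\ escapes; undo that first.
    command = re.sub(r'\\(.)', r'\1', m['raw'])
    target = _launched_exe(command)
    in_drop = any(p.match(target) for p in DROP_LOCATIONS)
    reasons = []
    if in_drop:
        reasons.append('target lives in a user-writable drop location')
    if target.rsplit('\\', 1)[-1].lower() != m['writer'].lower():
        reasons.append('value was written by a different binary than the one it launches')
    if '\\wow6432node\\' in m['key'].lower():
        reasons.append('32-bit process writing the WOW64 view of the Run key')
    return RunKeyFinding(key=m['key'], value_name=m['name'], command=command,
                         target=target, writer=m['writer'],
                         suspicious=in_drop, reasons=reasons)


def triage(lines):
    """Run assess() over a batch of report rows, keeping only Run key events."""
    return [f for f in map(assess, lines) if f is not None]


if __name__ == '__main__':
    for f in triage(SAMPLE_EVENTS):
        verdict = 'SUSPICIOUS' if f.suspicious else 'ok'
        print(f'{verdict:10} {f.value_name!r} -> {f.target} (set by {f.writer})')
        for r in f.reasons:
            print(f'           - {r}')
```

The "written by a different binary" and Wow6432Node observations are recorded as context rather than used for the verdict, because legitimate installers also register other executables and 32-bit software also writes the WOW64 view; the drop-location check is what separates the report's entry from the constructed benign one.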
Processes
-
Process 1: C:\Users\Admin\AppData\Local\Temp\872818ea9b27d10483530d3721a9c480N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\872818ea9b27d10483530d3721a9c480N.exe"
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3028
-
Process 2 (child of process 1): C:\ProgramData\Update\WwanSvc.exe
Command line: "C:\ProgramData\Update\WwanSvc.exe" /run
This is the same command line the Run key value registers, so the dropped executable is launched once immediately and again at each logon.
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2752
-
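A small correlation of the "Suspicious use of WriteProcessMemory" rows against the process tree above, added as an example (not the sandbox's own code). It answers the question a triager asks when that signature fires: did the writer touch an unrelated process, or only the child it had just spawned? The four report rows and the two reported processes are used verbatim; the explorer.exe entry (PID 1234) and the row writing into it are constructed so that the cross-process branch is exercised.

```python
import re
from collections import Counter

# Process tree as the report shows it: pid -> (parent pid, image path).
# The root's parent is not in the report, hence None. The explorer.exe entry
# (PID 1234) is constructed for this example and is not from the report.
PROCESS_TREE = {
    3028: (None, r"C:\Users\Admin\AppData\Local\Temp\872818ea9b27d10483530d3721a9c480N.exe"),
    2752: (3028, r"C:\ProgramData\Update\WwanSvc.exe"),
    1234: (None, r"C:\Windows\explorer.exe"),  # constructed
}

# The four rows of the report's WriteProcessMemory table (verbatim), plus one
# constructed row in which the child writes into the constructed explorer.exe.
WPM_EVENTS = [
    "PID 3028 wrote to memory of 2752 3028 872818ea9b27d10483530d3721a9c480N.exe 30",
] * 4 + [
    "PID 2752 wrote to memory of 1234 2752 WwanSvc.exe 31",  # constructed
]

WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\b")


def parse_wpm(line):
    """Return (writer pid, target pid) from one IoC row, or None if it is not one."""
    m = WPM_RE.match(line)
    return (int(m["src"]), int(m["dst"])) if m else None


def classify_writes(events, tree):
    """Collapse duplicate rows and label each writer->target pair.

    own-child       the writer is the direct parent of the target. This is what
                    a process does while starting a child and is not, on its
                    own, evidence of injection.
    cross-process   the target is some other process in the tree. This is the
                    pattern that deserves a closer look (injection, hollowing).
    unknown-target  the target pid does not appear in the tree at all.
    """
    pairs = Counter(p for p in map(parse_wpm, events) if p is not None)
    results = []
    for (src, dst), count in sorted(pairs.items()):
        parent, image = tree.get(dst, (None, None))
        if dst not in tree:
            kind = "unknown-target"
        elif parent == src:
            kind = "own-child"
        else:
            kind = "cross-process"
        results.append({"src": src, "dst": dst, "target_image": image,
                        "count": count, "kind": kind})
    return results


if __name__ == "__main__":
    for r in classify_writes(WPM_EVENTS, PROCESS_TREE):
        print(f'{r["kind"]:14} {r["src"]} -> {r["dst"]} x{r["count"]}  {r["target_image"]}')
```

Collapsing the duplicates matters: the report counts "4 IoCs", but there is a single writer/target pair, and it is the parent writing into its own child.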
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
94KB
MD5
d37d4098f665ba07afa04e37a770362e
SHA1
8d5729aeb2b3730b2898203b0f963fa3ad0f270d
SHA256
82434c691a5036b552b9e5403ffb1842769e4343b5f5f5aba283627dafc2b93a
SHA512
4bf4f69076c95ea90513ac287b44bf9cc0a6906a398ce625e117a13a313ec4c32b6d2cf50db55fe76323c8baa5cb12923881249c7a3e0bf7abb7943c76ed0e5d
This file has the same 94KB size as the submitted sample but different hashes, so it is not a byte-identical copy; hunt on both hash sets.