d37420357fdab515e6b2a68f257f1ac10b9fa46b9364bb56df8d8903d467d9bd

Analysis

max time kernel
102s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

252429c9c3e4114ee9a7b167b9dab540N.exe
Size

94KB
MD5

252429c9c3e4114ee9a7b167b9dab540
SHA1

58be12fd1d53d5ecdd863ee4a39a0a1b30e31480
SHA256

d37420357fdab515e6b2a68f257f1ac10b9fa46b9364bb56df8d8903d467d9bd
SHA512

dee0e75f3e94fe9d7406f3f32a22dca42fe0498afaac35360c7d7b909e2783d2cae256a1f977ae8bf220953fb73dc24cc9550932337178836a83c68dc57dbe43
SSDEEP

1536:tF0AJELoJHG9qa+oa33KJJzAKWYr0v7iJSzIRXKTzRZICrWaGZh7d:tiAyLN9qa+oEGrWViJSzIR6JJrWNZb

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4124	WwanSvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"	252429c9c3e4114ee9a7b167b9dab540N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	252429c9c3e4114ee9a7b167b9dab540N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WwanSvc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 4124	3096	252429c9c3e4114ee9a7b167b9dab540N.exe	86
PID 3096 wrote to memory of 4124	3096	252429c9c3e4114ee9a7b167b9dab540N.exe	86
PID 3096 wrote to memory of 4124	3096	252429c9c3e4114ee9a7b167b9dab540N.exe	86

C:\Users\Admin\AppData\Local\Temp\252429c9c3e4114ee9a7b167b9dab540N.exe
"C:\Users\Admin\AppData\Local\Temp\252429c9c3e4114ee9a7b167b9dab540N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3096
- C:\ProgramData\Update\WwanSvc.exe
  "C:\ProgramData\Update\WwanSvc.exe" /run
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Update\WwanSvc.exe

Filesize
94KB

MD5
0094af7a34473ac02f36cf3440eb1ff1

SHA1
34319f5aae0dc93dcad496a33c439aaa34ae7d7b

SHA256
b7058125d103abde50c557f8b0fb9794b7d2d756ef86570e224d2583004be097

SHA512
5b8b913186cb03261237138f82cb7150d720262bc796491bc4dfdc11294560a91b3e7b9f2a9211dcfb34378745f73e7f9b49ab2cea60cc6a1e70857c37c54710

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads