efabe2f8ccfdd5b98e83dbb88e9de84101b5694960f9d55dc577c1d68e26872a

Analysis

max time kernel
35s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efabe2f8ccfdd5b98e83dbb88e9de84101b5694960f9d55dc577c1d68e26872a.exe
Size

94KB
MD5

3b6ff7daea550f62b657fa8a606f6f7a
SHA1

7ce4eeef0cc8f7605bc94a3f20e7f2ee1bc3c36e
SHA256

efabe2f8ccfdd5b98e83dbb88e9de84101b5694960f9d55dc577c1d68e26872a
SHA512

cbdebf1bad011159a8f2accc0ddd64ece2adbfddb6a3da3ca6e61791456e87ffb1d0feb61e79d27e421bd656bfd1f465ee7d35c531b4c68359a38828f5ba43c6
SSDEEP

1536:tF0AJELoJHG9qa+oa33KJJzAKWYr0v7iJSzIRXKTzRZICrWaGZh7l:tiAyLN9qa+oEGrWViJSzIR6JJrWNZr

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4480	WwanSvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"	efabe2f8ccfdd5b98e83dbb88e9de84101b5694960f9d55dc577c1d68e26872a.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efabe2f8ccfdd5b98e83dbb88e9de84101b5694960f9d55dc577c1d68e26872a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WwanSvc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 760 wrote to memory of 4480	760	efabe2f8ccfdd5b98e83dbb88e9de84101b5694960f9d55dc577c1d68e26872a.exe	82
PID 760 wrote to memory of 4480	760	efabe2f8ccfdd5b98e83dbb88e9de84101b5694960f9d55dc577c1d68e26872a.exe	82
PID 760 wrote to memory of 4480	760	efabe2f8ccfdd5b98e83dbb88e9de84101b5694960f9d55dc577c1d68e26872a.exe	82

C:\Users\Admin\AppData\Local\Temp\efabe2f8ccfdd5b98e83dbb88e9de84101b5694960f9d55dc577c1d68e26872a.exe
"C:\Users\Admin\AppData\Local\Temp\efabe2f8ccfdd5b98e83dbb88e9de84101b5694960f9d55dc577c1d68e26872a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:760
- C:\ProgramData\Update\WwanSvc.exe
  "C:\ProgramData\Update\WwanSvc.exe" /run
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Update\WwanSvc.exe

Filesize
94KB

MD5
24952303a7a25885dc60036b94ab01b3

SHA1
036c336f9eddeb6cdc364dcf41060008bf2625b0

SHA256
d3c527b7124ba15519259504a4710ec8deb4974ea91b2602c06b1f3bb8de977c

SHA512
05c0bf47eb9f2f596a7dd01ad3040ba1c767eb5ee215b5f9ee0c1d992abe0008802a45de3cd21748eb9cfe121e95a3c8cb7c61fbc05061c84381d029493f98d7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads