634e9dcbfe3bd7ae87833e1f5873315d638cd6c93c465b3e28e63a8b99e5feb9

Analysis

max time kernel
4s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02/01/2023, 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Waves Complete 11.0 patch.exe
Size

2.3MB
MD5

0aa368655d48e48cfe43032438f8d254
SHA1

e7fff539d8263787d52c0843222c393f94438495
SHA256

634e9dcbfe3bd7ae87833e1f5873315d638cd6c93c465b3e28e63a8b99e5feb9
SHA512

2f923b246ba4837cdb485e3d07505e833556bc02f3587accfce7cdae3236847805e559adbba35d13c94bd50334a831324146ed5603aa2f28e34957ff0e47c0a1
SSDEEP

49152:TcsQ6QXfLRrH6TIj9GI7eM5wXO2bXu8S95p:T1QTXfljH9HorTuJ95p

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1296	Waves Complete 11.0 patch.tmp

Loads dropped DLL 2 IoCs

pid	Process
1284	Waves Complete 11.0 patch.exe
1296	Waves Complete 11.0 patch.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1296	Waves Complete 11.0 patch.tmp
1296	Waves Complete 11.0 patch.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1296	Waves Complete 11.0 patch.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 1296	1284	Waves Complete 11.0 patch.exe	27
PID 1284 wrote to memory of 1296	1284	Waves Complete 11.0 patch.exe	27
PID 1284 wrote to memory of 1296	1284	Waves Complete 11.0 patch.exe	27
PID 1284 wrote to memory of 1296	1284	Waves Complete 11.0 patch.exe	27
PID 1284 wrote to memory of 1296	1284	Waves Complete 11.0 patch.exe	27
PID 1284 wrote to memory of 1296	1284	Waves Complete 11.0 patch.exe	27
PID 1284 wrote to memory of 1296	1284	Waves Complete 11.0 patch.exe	27

C:\Users\Admin\AppData\Local\Temp\Waves Complete 11.0 patch.exe
"C:\Users\Admin\AppData\Local\Temp\Waves Complete 11.0 patch.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\is-NLFHC.tmp\Waves Complete 11.0 patch.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NLFHC.tmp\Waves Complete 11.0 patch.tmp" /SL5="$80022,1566027,831488,C:\Users\Admin\AppData\Local\Temp\Waves Complete 11.0 patch.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:1296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-NLFHC.tmp\Waves Complete 11.0 patch.tmp

Filesize
2.5MB

MD5
1f1a8434fa24e7dad34698d2fc226340

SHA1
d224541b937616da552b230ea6f9517ed1e80e2c

SHA256
056c410033aa47825bc57f1ed9a631067f3e8c4bbc2acedf1c81a7b4455cd776

SHA512
4179509e9d7b4aa6e58921f9492604c50b51f2a7ee25dd72476817971a92658985ee5d3f802ec02db1c0f8df0795ee19d11177dc0f8414a6f1c76d138fd47b19

Download Submit
\Users\Admin\AppData\Local\Temp\is-9FN75.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-NLFHC.tmp\Waves Complete 11.0 patch.tmp

Filesize
2.5MB

MD5
1f1a8434fa24e7dad34698d2fc226340

SHA1
d224541b937616da552b230ea6f9517ed1e80e2c

SHA256
056c410033aa47825bc57f1ed9a631067f3e8c4bbc2acedf1c81a7b4455cd776

SHA512
4179509e9d7b4aa6e58921f9492604c50b51f2a7ee25dd72476817971a92658985ee5d3f802ec02db1c0f8df0795ee19d11177dc0f8414a6f1c76d138fd47b19

Download Submit
memory/1284-55-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1284-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1284-62-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1284-64-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1296-63-0x0000000074181000-0x0000000074183000-memory.dmp

Filesize
8KB

Download