038b29ddfd3f71a15960defe026ae1d62409013b4eade02f166b90207f37a4b7

General

Target

PulseWave_dbg.1.2.exe
Size

34.8MB
MD5

055e9f9abb388ab49d4b5af6923bfdda
SHA1

3886ca0cde1afa56e616657fe4da17a7715adfe5
SHA256

038b29ddfd3f71a15960defe026ae1d62409013b4eade02f166b90207f37a4b7
SHA512

8b49352a50893ea4f7841c47cf291b612f6fded911072a157b10c84c56847076d3f446c3ddf38d88d9b191f2ac0b765edb9c320f7ccb898c1b50a9a20daa7c71
SSDEEP

393216:Ho6w76AHDyUrtLM4uq0dppmfz0TMVre9Q7s4ad3PTVzwuprjnKCVc+pr3op:aHDymtLMTpi0pGSxwwfnKCVV3op

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	PulseWave_dbg.1.2.exe

Modifies system certificate store 2 TTPs 5 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F0177503321D47F7FED273FEFE1404B878ADC54A\Blob = 1900000001000000100000009acf22e8a82fc9e7f690215e8926dd70140000000100000014000000a9db73ff8a9b3586f326db9be5d63f4e96d6c854030000000100000014000000f0177503321d47f7fed273fefe1404b878adc54a0f00000001000000200000000d7c69c30e4b6305c5785063437244ded1ff90af67c0be91bab97f490b378d06040000000100000010000000d257478b77c1f99552246394986c48832000000001000000f9020000308202f5308201dda00302010202103d6813651ed8531274180b304d11707c300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3233303630323135303030305a170d3238303533313135303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100dc427ddb7c120d85181fc47db91be386d11513570f45588818de2a11e5e3a08cf8eb842b7f36dbaaeba39fb91d44f5dfa11d2be2eb7969465c3112996197c65013fde11170703e518313be431f176b849490b54b8967a7639bc010426446218e7205b0a7935692e1ae23053cbe0b4122bf4798948c24fe21db057164c7df534602d0432d9e1afe6476567702fe0cb72cfb4c520588032664652e7df3c78ffb8dcb29f9fd1d72c956600c90132169be8267010266295a91fff1625e8b24dcff0733cfcc60b4bb781ad90450867ca1565cc2accd4001d42244c8d2c20417cf9c487728ec7f37f93f71658435ef88a535a754c7a5583e053ad68f2a857b2245ff110203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414a9db73ff8a9b3586f326db9be5d63f4e96d6c854300d06092a864886f70d01010b05000382010100849833e1b66de049742b80d34e83787b11795a3df27f0066aff3d70cf616468518ed96d0f26271a58f3fe1597b06d898a4e3946a357e938227d115edc76498fbaf0a26173c253bab383178115bf8cf9356481647ccd8d3dd897bffa1aaa5db9e0a149a5d92c3335c6c7082bb7647d99d5e8401e19a44015d14b1f9ecf06c148c349befb5ae2831f96a2895b0a776fbfb85f02cd02e50e5a13f5dd7869e96c85885cbf5fb7bfc4c1dd2bcf6a383290189e5cba29f829369c039afca746b342c747078b55cb3e2bd1b51c42b4883d875b0fb7860ef1179e1d651091e37187ebe06b8ff0cf0ff4b3b7a40b7f805e6a91e171f96a0ef401a49e30f5f17cfa4b3c673	PulseWave_dbg.1.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F0177503321D47F7FED273FEFE1404B878ADC54A	PulseWave_dbg.1.2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F0177503321D47F7FED273FEFE1404B878ADC54A\Blob = 0f00000001000000200000000d7c69c30e4b6305c5785063437244ded1ff90af67c0be91bab97f490b378d06030000000100000014000000f0177503321d47f7fed273fefe1404b878adc54a2000000001000000f9020000308202f5308201dda00302010202103d6813651ed8531274180b304d11707c300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3233303630323135303030305a170d3238303533313135303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100dc427ddb7c120d85181fc47db91be386d11513570f45588818de2a11e5e3a08cf8eb842b7f36dbaaeba39fb91d44f5dfa11d2be2eb7969465c3112996197c65013fde11170703e518313be431f176b849490b54b8967a7639bc010426446218e7205b0a7935692e1ae23053cbe0b4122bf4798948c24fe21db057164c7df534602d0432d9e1afe6476567702fe0cb72cfb4c520588032664652e7df3c78ffb8dcb29f9fd1d72c956600c90132169be8267010266295a91fff1625e8b24dcff0733cfcc60b4bb781ad90450867ca1565cc2accd4001d42244c8d2c20417cf9c487728ec7f37f93f71658435ef88a535a754c7a5583e053ad68f2a857b2245ff110203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414a9db73ff8a9b3586f326db9be5d63f4e96d6c854300d06092a864886f70d01010b05000382010100849833e1b66de049742b80d34e83787b11795a3df27f0066aff3d70cf616468518ed96d0f26271a58f3fe1597b06d898a4e3946a357e938227d115edc76498fbaf0a26173c253bab383178115bf8cf9356481647ccd8d3dd897bffa1aaa5db9e0a149a5d92c3335c6c7082bb7647d99d5e8401e19a44015d14b1f9ecf06c148c349befb5ae2831f96a2895b0a776fbfb85f02cd02e50e5a13f5dd7869e96c85885cbf5fb7bfc4c1dd2bcf6a383290189e5cba29f829369c039afca746b342c747078b55cb3e2bd1b51c42b4883d875b0fb7860ef1179e1d651091e37187ebe06b8ff0cf0ff4b3b7a40b7f805e6a91e171f96a0ef401a49e30f5f17cfa4b3c673	PulseWave_dbg.1.2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F0177503321D47F7FED273FEFE1404B878ADC54A\Blob = 140000000100000014000000a9db73ff8a9b3586f326db9be5d63f4e96d6c854030000000100000014000000f0177503321d47f7fed273fefe1404b878adc54a0f00000001000000200000000d7c69c30e4b6305c5785063437244ded1ff90af67c0be91bab97f490b378d062000000001000000f9020000308202f5308201dda00302010202103d6813651ed8531274180b304d11707c300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3233303630323135303030305a170d3238303533313135303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100dc427ddb7c120d85181fc47db91be386d11513570f45588818de2a11e5e3a08cf8eb842b7f36dbaaeba39fb91d44f5dfa11d2be2eb7969465c3112996197c65013fde11170703e518313be431f176b849490b54b8967a7639bc010426446218e7205b0a7935692e1ae23053cbe0b4122bf4798948c24fe21db057164c7df534602d0432d9e1afe6476567702fe0cb72cfb4c520588032664652e7df3c78ffb8dcb29f9fd1d72c956600c90132169be8267010266295a91fff1625e8b24dcff0733cfcc60b4bb781ad90450867ca1565cc2accd4001d42244c8d2c20417cf9c487728ec7f37f93f71658435ef88a535a754c7a5583e053ad68f2a857b2245ff110203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414a9db73ff8a9b3586f326db9be5d63f4e96d6c854300d06092a864886f70d01010b05000382010100849833e1b66de049742b80d34e83787b11795a3df27f0066aff3d70cf616468518ed96d0f26271a58f3fe1597b06d898a4e3946a357e938227d115edc76498fbaf0a26173c253bab383178115bf8cf9356481647ccd8d3dd897bffa1aaa5db9e0a149a5d92c3335c6c7082bb7647d99d5e8401e19a44015d14b1f9ecf06c148c349befb5ae2831f96a2895b0a776fbfb85f02cd02e50e5a13f5dd7869e96c85885cbf5fb7bfc4c1dd2bcf6a383290189e5cba29f829369c039afca746b342c747078b55cb3e2bd1b51c42b4883d875b0fb7860ef1179e1d651091e37187ebe06b8ff0cf0ff4b3b7a40b7f805e6a91e171f96a0ef401a49e30f5f17cfa4b3c673	PulseWave_dbg.1.2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F0177503321D47F7FED273FEFE1404B878ADC54A\Blob = 040000000100000010000000d257478b77c1f99552246394986c48830f00000001000000200000000d7c69c30e4b6305c5785063437244ded1ff90af67c0be91bab97f490b378d06030000000100000014000000f0177503321d47f7fed273fefe1404b878adc54a140000000100000014000000a9db73ff8a9b3586f326db9be5d63f4e96d6c8542000000001000000f9020000308202f5308201dda00302010202103d6813651ed8531274180b304d11707c300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3233303630323135303030305a170d3238303533313135303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100dc427ddb7c120d85181fc47db91be386d11513570f45588818de2a11e5e3a08cf8eb842b7f36dbaaeba39fb91d44f5dfa11d2be2eb7969465c3112996197c65013fde11170703e518313be431f176b849490b54b8967a7639bc010426446218e7205b0a7935692e1ae23053cbe0b4122bf4798948c24fe21db057164c7df534602d0432d9e1afe6476567702fe0cb72cfb4c520588032664652e7df3c78ffb8dcb29f9fd1d72c956600c90132169be8267010266295a91fff1625e8b24dcff0733cfcc60b4bb781ad90450867ca1565cc2accd4001d42244c8d2c20417cf9c487728ec7f37f93f71658435ef88a535a754c7a5583e053ad68f2a857b2245ff110203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414a9db73ff8a9b3586f326db9be5d63f4e96d6c854300d06092a864886f70d01010b05000382010100849833e1b66de049742b80d34e83787b11795a3df27f0066aff3d70cf616468518ed96d0f26271a58f3fe1597b06d898a4e3946a357e938227d115edc76498fbaf0a26173c253bab383178115bf8cf9356481647ccd8d3dd897bffa1aaa5db9e0a149a5d92c3335c6c7082bb7647d99d5e8401e19a44015d14b1f9ecf06c148c349befb5ae2831f96a2895b0a776fbfb85f02cd02e50e5a13f5dd7869e96c85885cbf5fb7bfc4c1dd2bcf6a383290189e5cba29f829369c039afca746b342c747078b55cb3e2bd1b51c42b4883d875b0fb7860ef1179e1d651091e37187ebe06b8ff0cf0ff4b3b7a40b7f805e6a91e171f96a0ef401a49e30f5f17cfa4b3c673	PulseWave_dbg.1.2.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1404	PulseWave_dbg.1.2.exe
1404	PulseWave_dbg.1.2.exe
1404	PulseWave_dbg.1.2.exe
1404	PulseWave_dbg.1.2.exe
1404	PulseWave_dbg.1.2.exe
1404	PulseWave_dbg.1.2.exe
1404	PulseWave_dbg.1.2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1404	PulseWave_dbg.1.2.exe

C:\Users\Admin\AppData\Local\Temp\PulseWave_dbg.1.2.exe
"C:\Users\Admin\AppData\Local\Temp\PulseWave_dbg.1.2.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1404-54-0x00000000776D0000-0x00000000776D2000-memory.dmp

Filesize
8KB

Download
memory/1404-56-0x00000000776D0000-0x00000000776D2000-memory.dmp

Filesize
8KB

Download
memory/1404-59-0x0000000077520000-0x00000000776C9000-memory.dmp

Filesize
1.7MB

Download
memory/1404-58-0x00000000776D0000-0x00000000776D2000-memory.dmp

Filesize
8KB

Download
memory/1404-60-0x000000013F770000-0x00000001430AD000-memory.dmp

Filesize
57.2MB

Download
memory/1404-66-0x0000000077520000-0x00000000776C9000-memory.dmp

Filesize
1.7MB

Download
memory/1404-67-0x0000000077520000-0x00000000776C9000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing