1ca93fdcc11135777684369edc2bb27d287ffa05d09533c69107e88c153d96c2

Analysis

max time kernel
1472s
max time network
1472s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wave/dist/shared/bin/globalTypes.d.luau
Size

418KB
MD5

4fb046cf2752a7e38784b9c223fc749a
SHA1

ec60cb7dca1a73001cffbcf858ec0a8714dbca1a
SHA256

89259d80bd757a1d0a5b47b5c7eac1d8f84071d71b49049dd49a37ef8dee727c
SHA512

763d7d904ae606b2e9692b46d5c18bab98eecd6973330f223da738f74f918530729df0ea8d91b976fc2787592d469c187bc027ad142dc5cef0d7b615948c7e13
SSDEEP

6144:siqczXlabtPJQc3zJqjFY/OSRlXAR6fTU4Dx0YvDr7YuHqkZhCd6dFyDWro/1SXB:SJQc3zJ5Dx+0

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeManageVolumePrivilege 2632 svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

1688 OpenWith.exe

description	pid	process
Token: SeManageVolumePrivilege	2632	svchost.exe

pid	process
1688	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\dist\shared\bin\globalTypes.d.luau
1⤵
- Modifies registry class
PID:4520

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1184

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
f83521d5291efa297568a241519828f4

SHA1
3d9c8edbeaed2242b2fb04b22b3c79789819e7c7

SHA256
234c6fc5bf96a76de19b6de88b62aa277380b209338954d525587b34a1340dae

SHA512
2bdc276f0dc60613da7abce4564dfc62163a22423715af0a23202dbf21cdcd0f06dda4939a6561ef65d8fc645214dd77e94fa1b47ff3f2647ae4d6b7a2a846f8

Download Submit
memory/2632-40-0x00000251B0AD0000-0x00000251B0AD1000-memory.dmp

Filesize
4KB

Download
memory/2632-33-0x00000251B0AD0000-0x00000251B0AD1000-memory.dmp

Filesize
4KB

Download
memory/2632-42-0x00000251B0AD0000-0x00000251B0AD1000-memory.dmp

Filesize
4KB

Download
memory/2632-34-0x00000251B0AD0000-0x00000251B0AD1000-memory.dmp

Filesize
4KB

Download
memory/2632-35-0x00000251B0AD0000-0x00000251B0AD1000-memory.dmp

Filesize
4KB

Download
memory/2632-36-0x00000251B0AD0000-0x00000251B0AD1000-memory.dmp

Filesize
4KB

Download
memory/2632-37-0x00000251B0AD0000-0x00000251B0AD1000-memory.dmp

Filesize
4KB

Download
memory/2632-38-0x00000251B0AD0000-0x00000251B0AD1000-memory.dmp

Filesize
4KB

Download
memory/2632-43-0x00000251B0700000-0x00000251B0701000-memory.dmp

Filesize
4KB

Download
memory/2632-0-0x00000251A8440000-0x00000251A8450000-memory.dmp

Filesize
64KB

Download
memory/2632-68-0x00000251B0940000-0x00000251B0941000-memory.dmp

Filesize
4KB

Download
memory/2632-32-0x00000251B0AA0000-0x00000251B0AA1000-memory.dmp

Filesize
4KB

Download
memory/2632-39-0x00000251B0AD0000-0x00000251B0AD1000-memory.dmp

Filesize
4KB

Download
memory/2632-44-0x00000251B06F0000-0x00000251B06F1000-memory.dmp

Filesize
4KB

Download
memory/2632-46-0x00000251B0700000-0x00000251B0701000-memory.dmp

Filesize
4KB

Download
memory/2632-49-0x00000251B06F0000-0x00000251B06F1000-memory.dmp

Filesize
4KB

Download
memory/2632-52-0x00000251A7DE0000-0x00000251A7DE1000-memory.dmp

Filesize
4KB

Download
memory/2632-16-0x00000251A8540000-0x00000251A8550000-memory.dmp

Filesize
64KB

Download
memory/2632-64-0x00000251B0820000-0x00000251B0821000-memory.dmp

Filesize
4KB

Download
memory/2632-66-0x00000251B0830000-0x00000251B0831000-memory.dmp

Filesize
4KB

Download
memory/2632-67-0x00000251B0830000-0x00000251B0831000-memory.dmp

Filesize
4KB

Download
memory/2632-41-0x00000251B0AD0000-0x00000251B0AD1000-memory.dmp

Filesize
4KB

Download