Analysis

  • max time kernel
    142s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    09/04/2024, 09:51

General

  • Target

    WaveTrial.rar

  • Size

    156.4MB

  • MD5

    0159c8632597db4afc30105f24cdd3ea

  • SHA1

    5e80272c6ff0d820cdb0a4f98f7fbf0d558f5957

  • SHA256

    0ff0224edb6a27b5c23adc7fb759864bb3c645f2cf2f38d0a0290c1fa691fdd2

  • SHA512

    587e4dc7ae21036f3aaec3e99955670ef0c457fab23db79b71f0963acc79a1f2eca61b2233b6770672a139b0f8a9ae98ad65bed2431aac476fe7d4e293e666fe

  • SSDEEP

    3145728:GeUQUfKvWr13d8VZDUdp27PkF5oeUahBcPVyMVob2395nOl0tUD:MKuh+DU72TkF5oeVBMX3nnptUD

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 25 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\WaveTrial.rar
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\WaveTrial.rar"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:3172
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4076
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4816
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.0.726234541\672011793" -parentBuildID 20221007134813 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0081c51-7019-464b-8ec5-a092cdad7337} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 2008 26cdb4dba58 gpu
        3⤵
        PID:2292
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.1.2158106\1193042170" -parentBuildID 20221007134813 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59cad56c-9db3-47cc-a807-b86269392670} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 2408 26ccede5058 socket
        3⤵
        PID:856
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.2.1479661422\996495868" -childID 1 -isForBrowser -prefsHandle 3116 -prefMapHandle 2984 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8eafb41-1f04-4adc-9984-94af6c8b5e3b} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 3204 26cdb45f658 tab
        3⤵
        PID:1428
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.3.1344961891\383601313" -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 3564 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f3dc314-b456-47c5-8acc-e3bb6ee2b862} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 3576 26cced62258 tab
        3⤵
        PID:4804
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.4.279783477\294694602" -childID 3 -isForBrowser -prefsHandle 4492 -prefMapHandle 4460 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0eec83e8-c66a-4953-9593-4e207a12c1dc} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 4500 26ce118b358 tab
        3⤵
        PID:1508
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.5.1040166190\811701079" -childID 4 -isForBrowser -prefsHandle 4992 -prefMapHandle 4984 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8e1364e-1f18-4eee-b79a-27c9dfd6ccc4} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 5032 26ce118a458 tab
        3⤵
        PID:4076
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.6.528817261\1125009486" -childID 5 -isForBrowser -prefsHandle 5184 -prefMapHandle 5188 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e914fe80-4746-4717-9bd1-985c9d24cea2} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 5176 26ce19a7158 tab
        3⤵
        PID:3388
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.7.834536693\567761241" -childID 6 -isForBrowser -prefsHandle 5376 -prefMapHandle 5380 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54882ece-1574-4dfe-b97c-21fdcacb94df} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 5368 26ce19a8658 tab
        3⤵
        PID:2144
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.8.1400102620\312217508" -childID 7 -isForBrowser -prefsHandle 5904 -prefMapHandle 5912 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1372 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35ae2207-b07f-4189-88e0-67ca5094446a} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 5928 26ce3935e58 tab
        3⤵
        PID:1980

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\db\data.safe.bin
    Filesize
    2KB
    MD5
    26976cbcf304636732e81f8744098e34
    SHA1
    98baaf560aabe9c101af3327b0cc77f73cfe664b
    SHA256
    60c58de5ed1a02315abe205ac1684e8651e604dce119b42d3e2bec8acb8e1100
    SHA512
    e43498021825047313b76a48cc04a1254bf47fcad4c5f3c139910950a75d60d194d0d73032986879c503ee61273a7594fe65020bf9cf20a938218b4f34c591c2

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\pending_pings\b870e24c-8cd3-4743-aec0-4789e9f42606
    Filesize
    746B
    MD5
    0c4d32b0a8334490cd341487997f355a
    SHA1
    0a21c78f540234c7d6366d2fec442cb8e22d56f4
    SHA256
    4c7593f2dbdbba3fe34d41d3c21fe68efc9ab7aac726794e8dfd6e5615891e0e
    SHA512
    de6e3803411e3ee676ce1d12977afbbb569079eb0962a7c87121b7eb29a081315428ecfb8d61a0158b8d32f0061756ff0388aad7e2c6f572c70889678ac20efa

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\pending_pings\fa768dda-e100-4ee3-9560-9b056161bc19
    Filesize
    10KB
    MD5
    14fa955ac34a43bf6a2e8f70f984b4e4
    SHA1
    0c552401cbdf89dc64da34a739efafce543d70b3
    SHA256
    c9e63da624880c6df524c9025f831c16705af5b72bb78966101bdb2025fc5597
    SHA512
    2c830baffc5dacdfbcd3c9b9d08fa578bdd306ee4c53bdea94c27d75dc5eb2484ed2ffb906c182933d215db9aab0fb5deafe3271d94ed073e0b8063787832041

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs-1.js
    Filesize
    6KB
    MD5
    23475947b9a615ea1043ef9b0ecb3938
    SHA1
    230d7453dbb8d1bd8cd2c6db3d9695c5b19acff8
    SHA256
    31d1e2734950fcc515dc9002fdaf1aefc5911b6fe26a39d7274faf0f5b651962
    SHA512
    1f3c02fb7a4deee7adf1d4571da5c7233f9c9fc677334c7025a7c343b7911c2ddc7359baa914f800db287f512124a7465317ffd934df360834f6e5479e99c180

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs-1.js
    Filesize
    6KB
    MD5
    4462adcd11da59a89e8411ee857982d6
    SHA1
    bc2450061f6f1c766e5b5d343e394a553e619c6a
    SHA256
    6f9e649302fbd09da9631f705be8d5fe46cc4bea6f1877774f803dc797f126b1
    SHA512
    be87926f72d60f0d4943af1b748bb926ec41e648677fdadc6c2c047b9976fb019d10857034cd98768b7c140e42fac5e49032814628604f2da252251a8759916d

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs.js
    Filesize
    6KB
    MD5
    7f9cd1beb3e87dfa4897299db2e232b7
    SHA1
    b5f7418d644edb1297ab5ff8574ad61605cf1da0
    SHA256
    95f09a0f44d0b5f70e4e30a1e87168f057b61e48d57da09cae2cd7bf056e768d
    SHA512
    453dad7c5adb27006376c5dcd3f039e8e24ef9434e815b5fe4970ad7b3b2fa6ee27faa3ad311e8c4c03151b81e16be884e5380c6b1844a3a688473176140a8d1

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    4KB
    MD5
    6ac289a5f0f3c796a398071bc2f13146
    SHA1
    a1b7c8b4c76e3f0fd3a7af111963c59c5d86a249
    SHA256
    ea630bc7d9513d5853ce514a3e6cc3ff346ac59d37b964707b99a02ada247812
    SHA512
    7e93510ecfedf42a30a27086ad723db1d66e46500d9fce43da08526335707c15210bbe3d80a409bbd26e30efe8aaea2d7163407e16a8f0d88a1b233a74afb42d

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    3KB
    MD5
    8527aaeeb85c002f75af3675f553648d
    SHA1
    8660ee1574ace4c6da52168923385d6e24a0c406
    SHA256
    96cdfea9e23fe190755a60e005a10c778757c6261101a368b3c44421a6b5a9c5
    SHA512
    773f3c071c6dacda9e7fb70e1507ccee659f746adc0cc8335d7929e9ff2da2a5c10ca341cdee2fcd7e926ff00e2509ed66d68d944dc64a87833161413e54da1b

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize
    4KB
    MD5
    618a3435df81846ea45c653a0ce299b4
    SHA1
    2c18ac6650c1b6dc766999fd1ec5daf789e7c53d
    SHA256
    b35b334729929ddf936c8446cfca3899565dc3f009e24b6639ba3175bf86dfae
    SHA512
    aff21db4acb9bfd26eb39ad09ab27ae586a1d6a0c4b6d1d6794b6f4eadfd1e64148ef5a874f9afbb25c563e223fb84b49614611a98ad8d3ecd885d9426fc3dd9