Analysis
max time kernel: 33s
max time network: 39s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/04/2024, 10:15
Behavioral task: behavioral1
Sample: WaveTrial.rar
Resource: win7-20240215-en
General
Target: WaveTrial.rar
Size: 156.4MB
MD5: 0159c8632597db4afc30105f24cdd3ea
SHA1: 5e80272c6ff0d820cdb0a4f98f7fbf0d558f5957
SHA256: 0ff0224edb6a27b5c23adc7fb759864bb3c645f2cf2f38d0a0290c1fa691fdd2
SHA512: 587e4dc7ae21036f3aaec3e99955670ef0c457fab23db79b71f0963acc79a1f2eca61b2233b6770672a139b0f8a9ae98ad65bed2431aac476fe7d4e293e666fe
SSDEEP: 3145728:GeUQUfKvWr13d8VZDUdp27PkF5oeUahBcPVyMVob2395nOl0tUD:MKuh+DU72TkF5oeVBMX3nnptUD
Malware Config

Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Injector.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Injector.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Injector.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | cmd.exe
Executes dropped EXE (1 IoCs)
pid | Process
4328 | Injector.exe
resource | yara_rule
behavioral2/files/0x000700000002322e-4.dat | themida
behavioral2/memory/4328-9-0x00007FF79B2B0000-0x00007FF79BC10000-memory.dmp | themida
behavioral2/memory/4328-11-0x00007FF79B2B0000-0x00007FF79BC10000-memory.dmp | themida
behavioral2/memory/4328-12-0x00007FF79B2B0000-0x00007FF79BC10000-memory.dmp | themida
behavioral2/memory/4328-13-0x00007FF79B2B0000-0x00007FF79BC10000-memory.dmp | themida
behavioral2/memory/4328-14-0x00007FF79B2B0000-0x00007FF79BC10000-memory.dmp | themida
behavioral2/memory/4328-15-0x00007FF79B2B0000-0x00007FF79BC10000-memory.dmp | themida
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Injector.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid | Process
4328 | Injector.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings | cmd.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2520 | 7zFM.exe
2520 | 7zFM.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
2520 | 7zFM.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeRestorePrivilege | 2520 | 7zFM.exe
Token: 35 | 2520 | 7zFM.exe
Token: SeSecurityPrivilege | 2520 | 7zFM.exe
Token: SeSecurityPrivilege | 2520 | 7zFM.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
pid | Process
2520 | 7zFM.exe
2520 | 7zFM.exe
2520 | 7zFM.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2052 wrote to memory of 2520 | 2052 | cmd.exe | 88
PID 2052 wrote to memory of 2520 | 2052 | cmd.exe | 88
PID 2520 wrote to memory of 4328 | 2520 | 7zFM.exe | 101
PID 2520 wrote to memory of 4328 | 2520 | 7zFM.exe | 101
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\WaveTrial.rar
  PID: 2052
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\7-Zip\7zFM.exe
    Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\WaveTrial.rar"
    PID: 2520
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\7zO8D99E787\Injector.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zO8D99E787\Injector.exe"
      PID: 4328
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.4MB
MD5: c6b39ee166d5b0a2c8a9021ccd1593ae
SHA1: e480e7c282f64e8b0179c82afe154dd59d14217d
SHA256: 443b665c5f545a2bdd7855f86bf70a5ee7f35eda1b6b08615161f5809cbda02b
SHA512: 3864aea36c522ca5658412128e6a4c862a647cf3b1054b9adbe418488590a37600d7639c3eba94ca9de76f087b244b95644c667213b1122889cf2d9b7a4652d2