Analysis

  • max time kernel
    53s
  • max time network
    57s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/04/2024, 12:54

General

  • Target

    BanWaveChecker.exe

  • Size

    137KB

  • MD5

    04082c914781563022ff92f58f13a4a8

  • SHA1

    b49afc648a03152b527f16dee47fb8136803f410

  • SHA256

    f96d590968aa6557fbd02e4b326024d4d9115609d58c2e79f8c1fc5171f44553

  • SHA512

    0c1796391972239023ef4f293f1a5b379ec9af975b912c5d7367ac08ab765916a80992e7622736fe0aad8606d1a184aa4ebd95e5cf3a78bf42405c220ecf6c50

  • SSDEEP

    3072:VefQZKfOC31VwyY9egNtfNjJvjmqqF7Hb/LMm5MiD+2Q7xo:VDewyY9egLRePYm55

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 4 IoCs)
  • Checks processor information in registry (2 TTPs, 8 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (7 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\BanWaveChecker.exe
    "C:\Users\Admin\AppData\Local\Temp\BanWaveChecker.exe"
    1⤵
      PID:2652
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1460
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3616
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.0.751236970\1434516693" -parentBuildID 20221007134813 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa7f5091-2d5a-4b90-aeb8-8681d9b01845} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 1964 2607bdb6b58 gpu
          3⤵
            PID:2924
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.1.1200676159\1454230372" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76804cc1-6acc-4cda-bd46-8cfb98615808} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 2364 2606f572858 socket
            3⤵
            • Checks processor information in registry
            PID:2908
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.2.792785428\508372140" -childID 1 -isForBrowser -prefsHandle 3132 -prefMapHandle 3164 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6b0374b-0654-4f50-95f3-ab5dcd5df42a} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 3028 2600228ff58 tab
            3⤵
              PID:5008
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.3.295305387\337975969" -childID 2 -isForBrowser -prefsHandle 3608 -prefMapHandle 3604 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdb85752-d518-4e54-9d57-2b34c01a775f} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 3620 260009c0458 tab
              3⤵
                PID:1596
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.4.1954383662\416375819" -childID 3 -isForBrowser -prefsHandle 3972 -prefMapHandle 4008 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd46e8bd-a33e-4de2-8f10-7632ef0fb2c2} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 3996 26003939f58 tab
                3⤵
                  PID:3956
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.5.1839614414\122650364" -childID 4 -isForBrowser -prefsHandle 5060 -prefMapHandle 5104 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dae70404-e02e-4832-80b0-6d465134c60e} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 5100 260044ed358 tab
                  3⤵
                    PID:2352
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.6.1308620215\1247825256" -childID 5 -isForBrowser -prefsHandle 5204 -prefMapHandle 5208 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec0456d2-b8cc-4c2c-87b9-325a0cc8836d} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 5196 2600476fc58 tab
                    3⤵
                      PID:3624
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.7.1288605237\1104950209" -childID 6 -isForBrowser -prefsHandle 5396 -prefMapHandle 5400 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {803eaf4c-517e-4703-9d52-8997b3c9cbf1} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 5388 26004770558 tab
                      3⤵
                        PID:4992
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.8.1863198080\1869701399" -childID 7 -isForBrowser -prefsHandle 4932 -prefMapHandle 4244 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4df13c0-8021-4ffb-9ab7-804efaa4c50b} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 5812 26005d9c258 tab
                        3⤵
                          PID:3676

Network

MITRE ATT&CK Enterprise v15


Downloads

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\db\data.safe.bin

                      Filesize

                      2KB

                      MD5

                      41eaa7e53c54cd91ee2ded3b1d6eb859

                      SHA1

                      29a150721e9638a03e4e35a88fc76dfed7ef2562

                      SHA256

                      fb4637a2209530b465ada6133a6958fdf1a08b531111790a67228b0f54c47f41

                      SHA512

                      1c0e0de1e818d3bb269fcf2859b978cd0c5c8243c6fae62d4ba9cc15b73314567a2c14003070c9b5eaded9c156d29b7d59dd561775dc6d78ea0617d50c9b9e9f

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\pending_pings\6e40ee4d-57bc-4595-bc1c-c77065029428

                      Filesize

                      10KB

                      MD5

                      e600530ddf9225373a0a313ddb07a49b

                      SHA1

                      b938922b6dd02096b29b36e09ae3e16aa882a808

                      SHA256

                      0da18c359d7f39fc95850c923b3780880bc2bfb3d6a12c0dae96f9f13855d5a3

                      SHA512

                      33c6611cc5a17185bc68073b87432c272e963a294e974d0cf1ad2c5894be96d428a297dced7f52e982de6a6bc9239c43766428a3dd8f8f04a802c9675771ad1a

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\pending_pings\85644c7a-985e-4d46-a26f-14bcac70d8d7

                      Filesize

                      746B

                      MD5

                      be3fc211fca78859484e733e8293a132

                      SHA1

                      1715a6ce1d5e9c58ce9aaacbf68db939bd152b15

                      SHA256

                      223ddcab78976a098309ecd21f86a13a0816e8d24af7ef667853fde2d80066a5

                      SHA512

                      a1a7bd1be9466d90261359d3a8653446521632162e73656d0fa6f25ee9e4b712b0fc3b2eb966305b2243356f419fddcda7979b6e30314387d4d0a582cde96e76

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs-1.js

                      Filesize

                      6KB

                      MD5

                      de84dbf691f071bbf05b445ddc05007d

                      SHA1

                      bbfa205e453425dcd1f8ef3e55b733cb34c0a609

                      SHA256

                      3b864ffc214e5e6dc3055013b0dbd3dc8e77d25f8c4b853b867e576e4320d887

                      SHA512

                      6a6ad132778630747fe440c9078bfcaf7b008579a5856449e29576ca926e047176e8925489c34fb0e5ae72be3af58d7f837dfcf8c12a27ed89a1e3d49f61cd7b

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs.js

                      Filesize

                      6KB

                      MD5

                      936e8064e2c337e78f88341e551f574b

                      SHA1

                      400bcecdc0ee47190ecc59ffed54b01f00da1e8f

                      SHA256

                      461e40eb4f4c8dab43781ee930f17fb2bd32de6070268ff83184617fee4c5836

                      SHA512

                      298c454dc8aaa09b947939d3f7411acd4acaaf07b429717ed13fe89f219273f74b95dd0d0d0dd37bea779ffc4d6cdfb56ec78c9566c25e55fea3ccb9b75f3e9a

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4

                      Filesize

                      1KB

                      MD5

                      67b752953307f7d3cbaf803f4ca752ce

                      SHA1

                      de221cca357fa7cbc9743d54895601545f2f6ffe

                      SHA256

                      7a8e3ef423ec8cc75bcb2e957f784c263afabc171d85853f3fc37c9cba36feca

                      SHA512

                      d9202acd32ff545351f2f945f393a5e333d8290f35670fc6fd9c384323608a542a0471d10c23768add7f5e2abe7b8c56da76afe1b7a6406944cd259325a7ceb5

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore.jsonlz4

                      Filesize

                      8KB

                      MD5

                      e7b716b8e1f5ba1b674740dc94a6dbd9

                      SHA1

                      16a75c99c0b964cf24d27ca14f8dde22e2b79c0e

                      SHA256

                      5638508233790d690a4697713139ef4d3c185bbbe421c122ba76f53ecfd71354

                      SHA512

                      cd6d82a3b5bffa94704ceb7dbea61f098401fdb0494e9c6318680e209f1a36c0b3905b9d9537ae1b16b0113fe5a1d3c9e0aade6f18423f8e249fb8d6648ef74e

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

                      Filesize

                      184KB

                      MD5

                      dab1985145b2c23208a1df18fc935ce8

                      SHA1

                      3074c795bc51f42ec0367b5ae9f52de1a16eac09

                      SHA256

                      3a6eaaeabea9b73dbceb4bca7d3f9f3e361e17fc309e67c153b667831b101159

                      SHA512

                      b6c1968239bdce812fe67a2b8d35cfcd3f52d18aa7e352b28f322956519608c214298e893ef5fcbe40c878cfa95d4652126a1431c675cdaba26d89e4693a16e6