General

  • Target

    Wave Executor v1.0.0.zip

  • Size

    193.3MB

  • Sample

    240415-zyzmhsgd87

  • MD5

    f84c6f9d1c61fab76d994ee8874ab83b

  • SHA1

    2f91aa604cc7c1dd2af1984671e17e8a3dfa23f9

  • SHA256

    15735509c9653921b91537641ca907b0bafc07ce3b34340a06dd85b11da5ebde

  • SHA512

    80dd939d0b14e41721be92fb8e008c1d94dc074a0d66d74977ac649c9f6b5614df8848a08b0ce7cfda046ca30425191574abaf752e3d6b9c7e8d5f10d3bd3d47

  • SSDEEP

    6291456:24gr0y1jqsrHPNWEgrBttbrCSQFI1rJiV:00y1jqs7PQrrBvSuYV

Malware Config

Targets

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Modifies Installed Components in the registry

    • Sets file execution options in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Registers COM server for autorun

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks