0ff0224edb6a27b5c23adc7fb759864bb3c645f2cf2f38d0a0290c1fa691fdd2

Analysis

max time kernel
120s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/04/2024, 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WaveTrial/Wave.exe.config
Size

4KB
MD5

ae882f91fe4dc052fabd06774b2d30aa
SHA1

92cbe5c66373ea3682116fab8068534920d281d7
SHA256

50bd62b7fa97cb9564c4b418034138f30af993f84988b085e2b16d39aa74d79f
SHA512

3fe7174259817beae8101e2ab7be068b9030bccff00a1f5aee13cfab3585037fdb1f9b470feea212351f85ec96f31da63289e4574d69e4ef413fce3fda3c6c78
SSDEEP

96:wrwvxwDbDPwxOuzhrifBUXAUFUkUYUvUAc:wrw2DIxOEriJXejNGbc

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
828	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
828	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
828	AcroRd32.exe
828	AcroRd32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 828	868	cmd.exe	29
PID 868 wrote to memory of 828	868	cmd.exe	29
PID 868 wrote to memory of 828	868	cmd.exe	29
PID 868 wrote to memory of 828	868	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe.config
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:868
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\WaveTrial\Wave.exe.config"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
93b4f06f50063e1ca68e346bd461c14f

SHA1
ca02221b2e8df689495b4a2d3c628b906d614614

SHA256
2bbe4018ee81025af5e1f4817933b966a30ac8ee895631a73434d5834fe09b9f

SHA512
3ebd27b924338b36f765f42ea4375e84a19de06e2eb3b192f2b018300ccf7b881e740c9910a77f5ee9118ca12698b7f28b4e61fc0ddf2b1eae396b5a9344e863

Download Submit
memory/868-140-0x00000000022D0000-0x00000000023D0000-memory.dmp

Filesize
1024KB

Download
memory/868-150-0x00000000022D0000-0x00000000023D0000-memory.dmp

Filesize
1024KB

Download
memory/868-147-0x00000000022D0000-0x00000000023D0000-memory.dmp

Filesize
1024KB

Download
memory/868-143-0x00000000022D0000-0x00000000023D0000-memory.dmp

Filesize
1024KB

Download
memory/868-142-0x00000000022D0000-0x00000000023D0000-memory.dmp

Filesize
1024KB

Download
memory/868-139-0x00000000022D0000-0x00000000023D0000-memory.dmp

Filesize
1024KB

Download
memory/868-138-0x00000000022D0000-0x00000000023D0000-memory.dmp

Filesize
1024KB

Download