8581823244a50bbed9709d09f3eba29dd9989681d96bff2b6c19245053069feb

General

Target

WaveInstaller.exe
Size

1.5MB
MD5

b075f4320e46d0d5e78a649e8ee011cc
SHA1

b0dd50171323f0f83dbea0340e9ed8cf44bea38e
SHA256

8581823244a50bbed9709d09f3eba29dd9989681d96bff2b6c19245053069feb
SHA512

e08024b5fa50dc344ca18413a6c21e0f20490c22c90c565d6f663014f1673643da1d5d748e0cefca8a7cbae91a62470289803ad588d3aa5cf3dc6292d7393d47
SSDEEP

24576:VviinbT3ipyqwPx4x3RyFoBkkAd04wJAAh/jV1gJcPNZI6fntX3HOt2pq081ind2:MinbT3ipTD0anywJAaD/3U2pqjindT

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe

Executes dropped EXE 1 IoCs

pid	Process
3108	WaveWindows.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
54	raw.githubusercontent.com
55	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	WaveInstaller.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 3108	2668	WaveInstaller.exe	99
PID 2668 wrote to memory of 3108	2668	WaveInstaller.exe	99
PID 2668 wrote to memory of 3108	2668	WaveInstaller.exe	99

C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
  "C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"
  2⤵
  - Executes dropped EXE
  PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CefSharp\chrome_100_percent.pak

Filesize
667KB

MD5
ae195e80859781a20414cf5faa52db06

SHA1
b18ecb5ec141415e3a210880e2b3d37470636485

SHA256
9957802c0792e621f76bbdb1c630fbad519922743b5d193294804164babda552

SHA512
c6fef84615fe20d1760ca496c98629feb4e533556724e9631d4282622748e7601225cf19dfb8351f4b540ae3f83785c1bcea6fe8c246cf70388e527654097c1c

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\chrome_200_percent.pak

Filesize
1.0MB

MD5
1abf6bad0c39d59e541f04162e744224

SHA1
db93c38253338a0b85e431bd4194d9e7bddb22c6

SHA256
01cb663a75f18bb2d0d800640a114f153a34bd8a5f2aa0ed7daa9b32967dc29e

SHA512
945d519221d626421094316f13b818766826b3bedddab0165c041540dddadc93136e32784c0562d26a420cb29479d04d2aa317b8d605cd242e5152bf05af197e

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\chrome_elf.dll

Filesize
1020KB

MD5
7191d97ce7886a1a93a013e90868db96

SHA1
52dd736cb589dd1def87130893d6b9449a6a36e3

SHA256
32f925f833aa59e3f05322549fc3c326ac6fc604358f4efbf94c59d5c08b8dc6

SHA512
38ebb62c34d466935eabb157197c7c364d4345f22aa3b2641b636196ca1aeaa2152ac75d613ff90817cb94825189612ddd12fb96df29469511a46a7d9620e724

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\icudtl.dat

Filesize
10.2MB

MD5
74bded81ce10a426df54da39cfa132ff

SHA1
eb26bcc7d24be42bd8cfbded53bd62d605989bbf

SHA256
7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9

SHA512
bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\locales\en-US.pak

Filesize
456KB

MD5
4430b1833d56bc8eb1f7dc82bb7f4bc9

SHA1
dc15e6306625f155683326e859d83f846153c547

SHA256
b44ddcfac9df4934007e6c55a3c7f5e7f14c7e5e29f35c81de917fc3b22aabbc

SHA512
faf93bf371b2a88c1b874a5e2c54e4487fd152ad19c2a406a46f55ae75ecd421a779888c2e4c170857b16bfb5d8744bc1815a4732ed50b064b3cbd0c5ffad889

Download Submit
C:\Users\Admin\AppData\Local\CefSharp\resources.pak

Filesize
8.0MB

MD5
4933d92c99afa246fc59eef010d5c858

SHA1
98d443654e93c73dd317f9f847f71fba3d5b3135

SHA256
62f4674daa15245ee081920b8ee191e72f36ca8fe24f6b986a832f45676915b2

SHA512
a3a69523c8e7310716daeebc06c2ba4fce673eccd1958e824ff179b82f4502d0ec095190179bbb387342e4150f952ea7533182fb6ba90377d17dafba8f4da623

Download Submit
C:\Users\Admin\AppData\Local\Wave\CefSharp.Core.Runtime.dll

Filesize
1.3MB

MD5
09cba584aa0aae9fc600745567393ef6

SHA1
bbd1f93cb0db9cf9e01071b3bed1b4afd6e31279

SHA256
0babd84d4e7dc2713e7265d5ac25a3c28d412e705870cded6f5c7c550a5bf8d5

SHA512
5f914fa33a63a6d4b46f39c7279687f313728fd5f8437ec592369a2da3256ccff6f325f78ace0e6d3a2c37da1f681058556f7603da13c45b03f2808f779d2aa1

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe

Filesize
7.5MB

MD5
cd34bf9c69f229818a4c9301e51435eb

SHA1
bfb95a5dc5d777e2b5940f354da271fed397adb2

SHA256
3b217daf815ced5cf1087d1f408fc3833c9d80a1e3e25b3f9041698b9e34216f

SHA512
2c68b211a4c8c144713cbe99214e8dc33d3ef6c1f244af4a313ff5ab93d946a4281d404b02c5f66ef5652071279649082877eaa728912a0e769c2c848e0a8e6b

Download Submit
memory/2668-0-0x000000007492E000-0x000000007492F000-memory.dmp

Filesize
4KB

Download
memory/2668-239-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/2668-15-0x000000000A5D0000-0x000000000A666000-memory.dmp

Filesize
600KB

Download
memory/2668-16-0x0000000009160000-0x0000000009186000-memory.dmp

Filesize
152KB

Download
memory/2668-17-0x00000000091C0000-0x00000000091C8000-memory.dmp

Filesize
32KB

Download
memory/2668-19-0x000000000BDA0000-0x000000000BE12000-memory.dmp

Filesize
456KB

Download
memory/2668-21-0x000000000A540000-0x000000000A54A000-memory.dmp

Filesize
40KB

Download
memory/2668-20-0x000000000A520000-0x000000000A52A000-memory.dmp

Filesize
40KB

Download
memory/2668-9-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/2668-1-0x0000000000180000-0x0000000000312000-memory.dmp

Filesize
1.6MB

Download
memory/2668-5-0x0000000009580000-0x00000000095B8000-memory.dmp

Filesize
224KB

Download
memory/2668-2-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/2668-8-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/2668-3-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/2668-4-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/2668-6-0x0000000009560000-0x000000000956E000-memory.dmp

Filesize
56KB

Download
memory/2668-7-0x000000007492E000-0x000000007492F000-memory.dmp

Filesize
4KB

Download
memory/3108-242-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/3108-253-0x0000000006500000-0x000000000665B000-memory.dmp

Filesize
1.4MB

Download
memory/3108-245-0x00000000061A0000-0x0000000006286000-memory.dmp

Filesize
920KB

Download
memory/3108-244-0x0000000003440000-0x0000000003464000-memory.dmp

Filesize
144KB

Download
memory/3108-243-0x0000000005A70000-0x0000000005ABA000-memory.dmp

Filesize
296KB

Download
memory/3108-241-0x0000000000A20000-0x00000000011AC000-memory.dmp

Filesize
7.5MB

Download
memory/3108-240-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing