344700d3141170111a9b77db100f6961cc54a2988d964d34f7e1ca57aa42aa2a

General

Target

WaveInstaller (1).exe
Size

1.5MB
MD5

c822ab5332b11c9185765b157d0b6e17
SHA1

7fe909d73a24ddd87171896079cceb8b03663ad4
SHA256

344700d3141170111a9b77db100f6961cc54a2988d964d34f7e1ca57aa42aa2a
SHA512

a8612836fb4714b939d03f7fe08391bbc635ca83ab853fc677159e5db6b00f76b9b586bdae9c19d2406d9a2713d1caf614132cb6c14e1dddc6ac45e47f7e5a5d
SSDEEP

24576:9viinbT3ipyqwPx4x3RyFoBkkAd04wJAAh/jV1gJcPNZI6fntX3HOt2pbs81ind2:EinbT3ipTD0anywJAaD/3U2pb7indT

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WaveInstaller (1).exeWaveBootstrapper.exeWaveWindows.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	WaveInstaller (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	WaveBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	WaveWindows.exe

Executes dropped EXE 3 IoCs

Processes:

WaveBootstrapper.exeWaveWindows.exenode.exe

pid process

1200 WaveBootstrapper.exe
2912 WaveWindows.exe
532 node.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

39 raw.githubusercontent.com
40 raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

WaveWindows.exe

pid process

2912 WaveWindows.exe

pid	process
1200	WaveBootstrapper.exe
2912	WaveWindows.exe
532	node.exe

flow	ioc
39	raw.githubusercontent.com
40	raw.githubusercontent.com

pid	process
2912	WaveWindows.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WaveInstaller (1).exeWaveBootstrapper.exeWaveWindows.exe

description	pid	process
Token: SeDebugPrivilege	4056	WaveInstaller (1).exe
Token: SeDebugPrivilege	1200	WaveBootstrapper.exe
Token: SeDebugPrivilege	2912	WaveWindows.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WaveInstaller (1).exeWaveWindows.exe

pid process

4056 WaveInstaller (1).exe
2912 WaveWindows.exe

pid	process
4056	WaveInstaller (1).exe
2912	WaveWindows.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WaveInstaller (1).exeWaveBootstrapper.exeWaveWindows.exe

description	pid	process	target process
PID 4056 wrote to memory of 1200	4056	WaveInstaller (1).exe	WaveBootstrapper.exe
PID 4056 wrote to memory of 1200	4056	WaveInstaller (1).exe	WaveBootstrapper.exe
PID 4056 wrote to memory of 1200	4056	WaveInstaller (1).exe	WaveBootstrapper.exe
PID 1200 wrote to memory of 2912	1200	WaveBootstrapper.exe	WaveWindows.exe
PID 1200 wrote to memory of 2912	1200	WaveBootstrapper.exe	WaveWindows.exe
PID 1200 wrote to memory of 2912	1200	WaveBootstrapper.exe	WaveWindows.exe
PID 2912 wrote to memory of 532	2912	WaveWindows.exe	node.exe
PID 2912 wrote to memory of 532	2912	WaveWindows.exe	node.exe

C:\Users\Admin\AppData\Local\Temp\WaveInstaller (1).exe
"C:\Users\Admin\AppData\Local\Temp\WaveInstaller (1).exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4056

C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
"C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
"C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2912

C:\Users\Admin\AppData\Local\Luau Language Server\node.exe
"C:\Users\Admin\AppData\Local\Luau Language Server\node.exe" server --process-id=2912
4⤵
- Executes dropped EXE
PID:532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4032,i,3409420486566309625,12100452682816721435,262144 --variations-seed-version --mojo-platform-channel-handle=3812 /prefetch:8
1⤵
PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Luau Language Server\server\index.js

Filesize
6.1MB

MD5
6b1cad741d0b6374435f7e1faa93b5e7

SHA1
7b1957e63c10f4422421245e4dc64074455fd62a

SHA256
6f17add2a8c8c2d9f592adb65d88e08558e25c15cedd82e3f013c8146b5d840f

SHA512
a662fc83536eff797b8d59e2fb4a2fb7cd903be8fc4137de8470b341312534326383bb3af58991628f15f93e3bdd57621622d9d9b634fb5e6e03d4aa06977253

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe

Filesize
949KB

MD5
8fb51b92d496c6765f7ba44e6d4a8990

SHA1
d3e5a8465622cd5adae05babeb7e34b2b5c777d7

SHA256
ab49d6166a285b747e5f279620ab9cea12f33f7656d732aa75900fcb981a5394

SHA512
20de93a52fff7b092cb9d77bd26944abed5f5cb67146e6d2d70be6a431283b6de52eb37a0e13dc8bc57dcf8be2d5a95b9c11b3b030a3e2f03dd6e4efc23527a6

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe

Filesize
8.0MB

MD5
c0563fdf381a1f1274c8b2729254f19c

SHA1
f053b238515f9b8cc4f763f8bc6bf321f160a499

SHA256
b625a539e7d439938f6864564cbcf00a610e9f29415cde7b1ebac45318cdc371

SHA512
c8abf1aabd44aff41472d2bb595c5a6c5e0c4b5dd9f2809d9ad625431fc6d12b8122bbf394e0cf0e4a71998136791942142d4a461c477981601e3c0dfd513bb5

Download Submit
memory/1200-250-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/1200-242-0x0000000009250000-0x0000000009354000-memory.dmp

Filesize
1.0MB

Download
memory/1200-246-0x000000000A190000-0x000000000A1AE000-memory.dmp

Filesize
120KB

Download
memory/1200-245-0x000000000A130000-0x000000000A138000-memory.dmp

Filesize
32KB

Download
memory/1200-239-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/1200-244-0x000000000A0F0000-0x000000000A0FA000-memory.dmp

Filesize
40KB

Download
memory/1200-243-0x000000000A0B0000-0x000000000A0C6000-memory.dmp

Filesize
88KB

Download
memory/1200-238-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/1200-237-0x0000000000AC0000-0x0000000000BB2000-memory.dmp

Filesize
968KB

Download
memory/2912-251-0x0000000000DE0000-0x00000000015E2000-memory.dmp

Filesize
8.0MB

Download
memory/2912-252-0x0000000005F80000-0x0000000006032000-memory.dmp

Filesize
712KB

Download
memory/2912-263-0x000000000B120000-0x000000000B13E000-memory.dmp

Filesize
120KB

Download
memory/2912-262-0x000000000AA00000-0x000000000AA76000-memory.dmp

Filesize
472KB

Download
memory/2912-260-0x000000000A7E0000-0x000000000A812000-memory.dmp

Filesize
200KB

Download
memory/2912-259-0x000000000A710000-0x000000000A786000-memory.dmp

Filesize
472KB

Download
memory/2912-254-0x00000000060F0000-0x00000000060F8000-memory.dmp

Filesize
32KB

Download
memory/2912-253-0x0000000006030000-0x00000000060D0000-memory.dmp

Filesize
640KB

Download
memory/4056-7-0x00000000752DE000-0x00000000752DF000-memory.dmp

Filesize
4KB

Download
memory/4056-16-0x000000000BB70000-0x000000000BC06000-memory.dmp

Filesize
600KB

Download
memory/4056-9-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/4056-8-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/4056-4-0x000000000A000000-0x000000000A038000-memory.dmp

Filesize
224KB

Download
memory/4056-5-0x0000000009FE0000-0x0000000009FEE000-memory.dmp

Filesize
56KB

Download
memory/4056-2-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/4056-0-0x00000000752DE000-0x00000000752DF000-memory.dmp

Filesize
4KB

Download
memory/4056-6-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/4056-18-0x000000000BA30000-0x000000000BA38000-memory.dmp

Filesize
32KB

Download
memory/4056-20-0x0000000001300000-0x0000000001372000-memory.dmp

Filesize
456KB

Download
memory/4056-241-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/4056-1-0x0000000000D80000-0x0000000000F12000-memory.dmp

Filesize
1.6MB

Download
memory/4056-17-0x000000000B180000-0x000000000B1A6000-memory.dmp

Filesize
152KB

Download
memory/4056-3-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/4056-22-0x0000000001590000-0x000000000159A000-memory.dmp

Filesize
40KB

Download
memory/4056-21-0x0000000001580000-0x000000000158A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads