344700d3141170111a9b77db100f6961cc54a2988d964d34f7e1ca57aa42aa2a

General

Target

WaveInstaller.exe
Size

1.5MB
MD5

c822ab5332b11c9185765b157d0b6e17
SHA1

7fe909d73a24ddd87171896079cceb8b03663ad4
SHA256

344700d3141170111a9b77db100f6961cc54a2988d964d34f7e1ca57aa42aa2a
SHA512

a8612836fb4714b939d03f7fe08391bbc635ca83ab853fc677159e5db6b00f76b9b586bdae9c19d2406d9a2713d1caf614132cb6c14e1dddc6ac45e47f7e5a5d
SSDEEP

24576:9viinbT3ipyqwPx4x3RyFoBkkAd04wJAAh/jV1gJcPNZI6fntX3HOt2pbs81ind2:EinbT3ipTD0anywJAaD/3U2pb7indT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

Processes:

WaveBootstrapper.exeWaveWindows.exenode.exeWaveBootstrapper.exeWaveWindows.exenode.exe

pid process

2936 WaveBootstrapper.exe
1864 WaveWindows.exe
3512 node.exe
4000 WaveBootstrapper.exe
3168 WaveWindows.exe
2176 node.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 raw.githubusercontent.com
7 raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

WaveWindows.exeWaveWindows.exe

pid process

1864 WaveWindows.exe
3168 WaveWindows.exe

pid	process
2936	WaveBootstrapper.exe
1864	WaveWindows.exe
3512	node.exe
4000	WaveBootstrapper.exe
3168	WaveWindows.exe
2176	node.exe

flow	ioc
2	raw.githubusercontent.com
7	raw.githubusercontent.com

pid	process
1864	WaveWindows.exe
3168	WaveWindows.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

WaveInstaller.exeWaveBootstrapper.exeWaveWindows.exeWaveBootstrapper.exeWaveWindows.exe

description	pid	process
Token: SeDebugPrivilege	3808	WaveInstaller.exe
Token: SeDebugPrivilege	2936	WaveBootstrapper.exe
Token: SeDebugPrivilege	1864	WaveWindows.exe
Token: SeDebugPrivilege	4000	WaveBootstrapper.exe
Token: SeDebugPrivilege	3168	WaveWindows.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

WaveInstaller.exeWaveBootstrapper.exeWaveWindows.exeWaveBootstrapper.exeWaveWindows.exe

description	pid	process	target process
PID 3808 wrote to memory of 2936	3808	WaveInstaller.exe	WaveBootstrapper.exe
PID 3808 wrote to memory of 2936	3808	WaveInstaller.exe	WaveBootstrapper.exe
PID 3808 wrote to memory of 2936	3808	WaveInstaller.exe	WaveBootstrapper.exe
PID 2936 wrote to memory of 1864	2936	WaveBootstrapper.exe	WaveWindows.exe
PID 2936 wrote to memory of 1864	2936	WaveBootstrapper.exe	WaveWindows.exe
PID 2936 wrote to memory of 1864	2936	WaveBootstrapper.exe	WaveWindows.exe
PID 1864 wrote to memory of 3512	1864	WaveWindows.exe	node.exe
PID 1864 wrote to memory of 3512	1864	WaveWindows.exe	node.exe
PID 4000 wrote to memory of 3168	4000	WaveBootstrapper.exe	WaveWindows.exe
PID 4000 wrote to memory of 3168	4000	WaveBootstrapper.exe	WaveWindows.exe
PID 4000 wrote to memory of 3168	4000	WaveBootstrapper.exe	WaveWindows.exe
PID 3168 wrote to memory of 2176	3168	WaveWindows.exe	node.exe
PID 3168 wrote to memory of 2176	3168	WaveWindows.exe	node.exe

C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3808

C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
"C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936

C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
"C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Local\Luau Language Server\node.exe
"C:\Users\Admin\AppData\Local\Luau Language Server\node.exe" server --process-id=1864
4⤵
- Executes dropped EXE
PID:3512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1296

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004E0
1⤵
PID:4552

C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
"C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000

C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
"C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3168

C:\Users\Admin\AppData\Local\Luau Language Server\node.exe
"C:\Users\Admin\AppData\Local\Luau Language Server\node.exe" server --process-id=3168
3⤵
- Executes dropped EXE
PID:2176

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Luau Language Server\server\index.js
Filesize
6.1MB

MD5
6b1cad741d0b6374435f7e1faa93b5e7

SHA1
7b1957e63c10f4422421245e4dc64074455fd62a

SHA256
6f17add2a8c8c2d9f592adb65d88e08558e25c15cedd82e3f013c8146b5d840f

SHA512
a662fc83536eff797b8d59e2fb4a2fb7cd903be8fc4137de8470b341312534326383bb3af58991628f15f93e3bdd57621622d9d9b634fb5e6e03d4aa06977253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WaveBootstrapper.exe.log
Filesize
2KB

MD5
42e80ac3d4f421f5e920dacdd3ba048d

SHA1
fef20b38c04b51c2e0e32c3cb5237f7b04a916ed

SHA256
2ac4fcd93273523ded3ad821492c8ea58d54ff60d45b9c9431d77b0ae346e98a

SHA512
b66d76fd6b072d047c068fb02cd36d0ccffd285143c199b59d86b1453b178fc2f11fdafa24eedd318e72ef079c8cb5576654c87d42f1a06b7a630c095635abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WaveWindows.exe.log
Filesize
2KB

MD5
c2f9116c559e4083cb99b5586dfd7294

SHA1
f7af406d5abab1fd5c009256bf2e81f8e9eabef1

SHA256
1183124e254b51ad3ce3dd6cb350c52e0a57f3c7143b600ae62bf32b425e8c2d

SHA512
c674ddf0cb1defd5e34bd0dcf27b69040957cd29bf2c7cac96e31ddec29168947573f667e4c073aef6530981c9c63d43f1fa2bc11bab4d5e864aec71c9e29995

Download Submit
C:\Users\Admin\AppData\Local\Sentry\565BEE8550E2E5F1B7BAFF132ECD72B7217F6160\.installation
Filesize
36B

MD5
796e0879b18122d35deddadfca8f1826

SHA1
94d8be032b5e8dd2719af6ffa0b63df4439685c0

SHA256
bff00ab4519de7399d50084cfd9c69c7632ac11889989e44338a271b8e5e0ff6

SHA512
299cf99b1b1425cd0187f087e724709ac2dd622c9a35230d134bb7657e1694cb43ffd800ba19cc50199173e82134a4d3aa542020c13757b1fec9260aca363875

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
Filesize
949KB

MD5
8fb51b92d496c6765f7ba44e6d4a8990

SHA1
d3e5a8465622cd5adae05babeb7e34b2b5c777d7

SHA256
ab49d6166a285b747e5f279620ab9cea12f33f7656d732aa75900fcb981a5394

SHA512
20de93a52fff7b092cb9d77bd26944abed5f5cb67146e6d2d70be6a431283b6de52eb37a0e13dc8bc57dcf8be2d5a95b9c11b3b030a3e2f03dd6e4efc23527a6

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
Filesize
8.0MB

MD5
c0563fdf381a1f1274c8b2729254f19c

SHA1
f053b238515f9b8cc4f763f8bc6bf321f160a499

SHA256
b625a539e7d439938f6864564cbcf00a610e9f29415cde7b1ebac45318cdc371

SHA512
c8abf1aabd44aff41472d2bb595c5a6c5e0c4b5dd9f2809d9ad625431fc6d12b8122bbf394e0cf0e4a71998136791942142d4a461c477981601e3c0dfd513bb5

Download Submit
memory/1864-256-0x0000000009310000-0x0000000009342000-memory.dmp

Filesize
200KB

Download
memory/1864-255-0x0000000009240000-0x00000000092B6000-memory.dmp

Filesize
472KB

Download
memory/1864-258-0x00000000097E0000-0x0000000009856000-memory.dmp

Filesize
472KB

Download
memory/1864-250-0x0000000005690000-0x0000000005698000-memory.dmp

Filesize
32KB

Download
memory/1864-249-0x00000000055D0000-0x0000000005670000-memory.dmp

Filesize
640KB

Download
memory/1864-248-0x0000000005520000-0x00000000055D2000-memory.dmp

Filesize
712KB

Download
memory/1864-247-0x00000000002D0000-0x0000000000AD2000-memory.dmp

Filesize
8.0MB

Download
memory/1864-259-0x000000000A2B0000-0x000000000A2CE000-memory.dmp

Filesize
120KB

Download
memory/2936-239-0x0000000008B30000-0x0000000008C34000-memory.dmp

Filesize
1.0MB

Download
memory/2936-241-0x0000000009890000-0x000000000989A000-memory.dmp

Filesize
40KB

Download
memory/2936-236-0x0000000000A80000-0x0000000000B72000-memory.dmp

Filesize
968KB

Download
memory/2936-243-0x0000000009930000-0x000000000994E000-memory.dmp

Filesize
120KB

Download
memory/2936-242-0x00000000098D0000-0x00000000098D8000-memory.dmp

Filesize
32KB

Download
memory/2936-240-0x0000000009850000-0x0000000009866000-memory.dmp

Filesize
88KB

Download
memory/3808-17-0x000000000A270000-0x000000000A278000-memory.dmp

Filesize
32KB

Download
memory/3808-15-0x000000000AF70000-0x000000000B006000-memory.dmp

Filesize
600KB

Download
memory/3808-238-0x0000000075120000-0x00000000758D1000-memory.dmp

Filesize
7.7MB

Download
memory/3808-21-0x000000000A2A0000-0x000000000A2AA000-memory.dmp

Filesize
40KB

Download
memory/3808-19-0x000000000B3B0000-0x000000000B422000-memory.dmp

Filesize
456KB

Download
memory/3808-20-0x000000000A290000-0x000000000A29A000-memory.dmp

Filesize
40KB

Download
memory/3808-16-0x0000000005E20000-0x0000000005E46000-memory.dmp

Filesize
152KB

Download
memory/3808-0-0x000000007512E000-0x000000007512F000-memory.dmp

Filesize
4KB

Download
memory/3808-8-0x0000000075120000-0x00000000758D1000-memory.dmp

Filesize
7.7MB

Download
memory/3808-7-0x0000000075120000-0x00000000758D1000-memory.dmp

Filesize
7.7MB

Download
memory/3808-6-0x000000007512E000-0x000000007512F000-memory.dmp

Filesize
4KB

Download
memory/3808-5-0x0000000009980000-0x000000000998E000-memory.dmp

Filesize
56KB

Download
memory/3808-4-0x00000000099B0000-0x00000000099E8000-memory.dmp

Filesize
224KB

Download
memory/3808-3-0x0000000075120000-0x00000000758D1000-memory.dmp

Filesize
7.7MB

Download
memory/3808-2-0x0000000075120000-0x00000000758D1000-memory.dmp

Filesize
7.7MB

Download
memory/3808-1-0x0000000000590000-0x0000000000722000-memory.dmp

Filesize
1.6MB

Download

Resubmissions

Analysis

Sharing