Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-07-2024 03:12
Static task: static1
Behavioral task: behavioral1
  Sample: WaveInstaller.dll
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: WaveInstaller.dll
  Resource: win10v2004-20240709-en
Behavioral task: behavioral3
  Sample: WaveInstaller.exe
  Resource: win7-20240705-en
General
Target: WaveInstaller.exe
Size: 629KB
MD5: 535de7c69bf1dcb0da75019378d1013c
SHA1: 86431b08e2aa7d894b24b63d79c7a0528c4aafe9
SHA256: 3a8885e171cf29f974602ae3bd8b6af640977748b131c3aaa317712884c46b4c
SHA512: 7ca6f5689fc298ea94eef82f7b21a0c51ed6d74cf5dd0d7fc3a042ed9c421f1002dd2fbeea09ff199b9d2c932d4d54d43b4b885a57107383ac090d6001ec0086
SSDEEP: 12288:qbhEv/GoncquZUEn4scjlgW9AbOFQZxuZwgOIU+At0++xs06MS6Vo1dAu/FPbACe:qbh8fcqTy45lgb
Malware Config
Extracted: lumma
https://bitchsafettyudjwu.shop/api
https://bouncedgowp.shop/api
https://bannngwko.shop/api
https://bargainnykwo.shop/api
https://affecthorsedpo.shop/api
https://radiationnopp.shop/api
https://answerrsdo.shop/api
https://publicitttyps.shop/api
https://benchillppwo.shop/api
https://reinforcedirectorywd.shop/api
Signatures
Loads dropped DLL (1 IoC)
  Processes:
    pid   Process
    4524  WaveInstaller.exe
Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   Process            procid_target
    PID 4524 set thread context of 1516  4524  WaveInstaller.exe  87
Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                          pid   Process            procid_target
    PID 4524 wrote to memory of 1516     4524  WaveInstaller.exe  87
    (the same row is recorded 9 times in the report)
Processes
C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
  PID: 4524
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    PID: 1516
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 448KB
MD5: c01368e41af011545cca4b8f3f59a46a
SHA1: b5009a2442141707ac2cabbf19bd9835edfb5888
SHA256: b8fb3e8a2714129132235bec00d968a2ef8ea27b529d365bfe707418a8135914
SHA512: 4960b0fe4b8b5746bfb99fb6f2ba0b7e4dc83eb93eca5c3a87c39d3f9f56f5e1fcb3a039f19a995e1effb6a1e39f9c440c31cbc864fc83f6ef04154ec48d7c83