344700d3141170111a9b77db100f6961cc54a2988d964d34f7e1ca57aa42aa2a

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
17-07-2024 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WaveInstaller Official.exe
Size

1.5MB
MD5

c822ab5332b11c9185765b157d0b6e17
SHA1

7fe909d73a24ddd87171896079cceb8b03663ad4
SHA256

344700d3141170111a9b77db100f6961cc54a2988d964d34f7e1ca57aa42aa2a
SHA512

a8612836fb4714b939d03f7fe08391bbc635ca83ab853fc677159e5db6b00f76b9b586bdae9c19d2406d9a2713d1caf614132cb6c14e1dddc6ac45e47f7e5a5d
SSDEEP

24576:9viinbT3ipyqwPx4x3RyFoBkkAd04wJAAh/jV1gJcPNZI6fntX3HOt2pbs81ind2:EinbT3ipTD0anywJAaD/3U2pb7indT

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WaveWindows.exeWaveInstaller Official.exeWaveBootstrapper.exeWaveBootstrapper.exeBloxstrap.exeWaveBootstrapper.exeWaveBootstrapper.exeWaveWindows.exeWaveBootstrapper.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	WaveInstaller Official.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	WaveBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	WaveBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	Bloxstrap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	WaveBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	WaveBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	WaveBootstrapper.exe

Executes dropped EXE 13 IoCs

Processes:

WaveBootstrapper.exeWaveBootstrapper.exeWaveBootstrapper.exeWaveWindows.exeWaveWindows.exeWaveWindows.exeWaveBootstrapper.exeWaveWindows.exenode.exeBloxstrap.exeWaveBootstrapper.exeWaveWindows.exenode.exe

pid	process
3780	WaveBootstrapper.exe
3648	WaveBootstrapper.exe
2024	WaveBootstrapper.exe
208	WaveWindows.exe
1216	WaveWindows.exe
5048	WaveWindows.exe
620	WaveBootstrapper.exe
4848	WaveWindows.exe
2092	node.exe
1844	Bloxstrap.exe
2000	WaveBootstrapper.exe
2728	WaveWindows.exe
3512	node.exe

Checks for any installed AV software in registry 1 TTPs 10 IoCs

Security Software Discovery

T1518.001

Processes:

WaveWindows.exeWaveWindows.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\KasperskyLab\Session	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\KasperskyLab\Session	WaveWindows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\KasperskyLab\LastUsername = "buttnut"	WaveWindows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\KasperskyLab\Session = "Bearer 5d724b1c-b5ad-44ea-bca5-358dd1e16adf"	WaveWindows.exe
Key opened	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\KasperskyLab	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\KasperskyLab\LastUsername	WaveWindows.exe
Key opened	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\KasperskyLab	WaveWindows.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\KasperskyLab	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\KasperskyLab\LastUsername	WaveWindows.exe
Key queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\KasperskyLab	WaveWindows.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WaveWindows.exeWaveWindows.exe

description	ioc	process
File opened (read-only)	\??\P:	WaveWindows.exe
File opened (read-only)	\??\A:	WaveWindows.exe
File opened (read-only)	\??\P:	WaveWindows.exe
File opened (read-only)	\??\K:	WaveWindows.exe
File opened (read-only)	\??\A:	WaveWindows.exe
File opened (read-only)	\??\I:	WaveWindows.exe
File opened (read-only)	\??\Y:	WaveWindows.exe
File opened (read-only)	\??\G:	WaveWindows.exe
File opened (read-only)	\??\M:	WaveWindows.exe
File opened (read-only)	\??\T:	WaveWindows.exe
File opened (read-only)	\??\Y:	WaveWindows.exe
File opened (read-only)	\??\W:	WaveWindows.exe
File opened (read-only)	\??\J:	WaveWindows.exe
File opened (read-only)	\??\N:	WaveWindows.exe
File opened (read-only)	\??\R:	WaveWindows.exe
File opened (read-only)	\??\G:	WaveWindows.exe
File opened (read-only)	\??\N:	WaveWindows.exe
File opened (read-only)	\??\U:	WaveWindows.exe
File opened (read-only)	\??\Z:	WaveWindows.exe
File opened (read-only)	\??\S:	WaveWindows.exe
File opened (read-only)	\??\W:	WaveWindows.exe
File opened (read-only)	\??\E:	WaveWindows.exe
File opened (read-only)	\??\L:	WaveWindows.exe
File opened (read-only)	\??\M:	WaveWindows.exe
File opened (read-only)	\??\T:	WaveWindows.exe
File opened (read-only)	\??\E:	WaveWindows.exe
File opened (read-only)	\??\K:	WaveWindows.exe
File opened (read-only)	\??\X:	WaveWindows.exe
File opened (read-only)	\??\Z:	WaveWindows.exe
File opened (read-only)	\??\B:	WaveWindows.exe
File opened (read-only)	\??\J:	WaveWindows.exe
File opened (read-only)	\??\O:	WaveWindows.exe
File opened (read-only)	\??\I:	WaveWindows.exe
File opened (read-only)	\??\L:	WaveWindows.exe
File opened (read-only)	\??\V:	WaveWindows.exe
File opened (read-only)	\??\R:	WaveWindows.exe
File opened (read-only)	\??\S:	WaveWindows.exe
File opened (read-only)	\??\H:	WaveWindows.exe
File opened (read-only)	\??\O:	WaveWindows.exe
File opened (read-only)	\??\Q:	WaveWindows.exe
File opened (read-only)	\??\Q:	WaveWindows.exe
File opened (read-only)	\??\V:	WaveWindows.exe
File opened (read-only)	\??\X:	WaveWindows.exe
File opened (read-only)	\??\B:	WaveWindows.exe
File opened (read-only)	\??\U:	WaveWindows.exe
File opened (read-only)	\??\H:	WaveWindows.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

Processes:

flow	ioc
84	raw.githubusercontent.com
85	raw.githubusercontent.com
53	raw.githubusercontent.com
54	raw.githubusercontent.com
82	raw.githubusercontent.com
83	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1232	5048	WerFault.exe	WaveWindows.exe
1656	1216	WerFault.exe	WaveWindows.exe
1464	208	WerFault.exe	WaveWindows.exe
4372	4848	WerFault.exe	WaveWindows.exe
3064	2728	WerFault.exe	WaveWindows.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 2 IoCs

Processes:

WaveWindows.exeWaveWindows.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2650514177-1034912467-4025611726-1000\{49EA8B1D-E152-4C7E-AECE-89F419BBD37C}	WaveWindows.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2650514177-1034912467-4025611726-1000\{D99F6D40-D920-4548-A92D-77B5E4AB8BCE}	WaveWindows.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

WaveWindows.exeWaveWindows.exeWaveWindows.exeWaveWindows.exeWaveWindows.exetaskmgr.exe

pid	process
1216	WaveWindows.exe
208	WaveWindows.exe
5048	WaveWindows.exe
4848	WaveWindows.exe
4848	WaveWindows.exe
2728	WaveWindows.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

WaveInstaller Official.exeWaveBootstrapper.exeWaveBootstrapper.exeWaveBootstrapper.exeWaveWindows.exeWaveWindows.exeWaveWindows.exeWaveBootstrapper.exeWaveWindows.exeAUDIODG.EXEWaveBootstrapper.exeWaveWindows.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	4632	WaveInstaller Official.exe
Token: SeDebugPrivilege	3780	WaveBootstrapper.exe
Token: SeDebugPrivilege	3648	WaveBootstrapper.exe
Token: SeDebugPrivilege	2024	WaveBootstrapper.exe
Token: SeDebugPrivilege	208	WaveWindows.exe
Token: SeDebugPrivilege	1216	WaveWindows.exe
Token: SeDebugPrivilege	5048	WaveWindows.exe
Token: SeDebugPrivilege	620	WaveBootstrapper.exe
Token: SeDebugPrivilege	4848	WaveWindows.exe
Token: SeShutdownPrivilege	4848	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4848	WaveWindows.exe
Token: SeShutdownPrivilege	4848	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4848	WaveWindows.exe
Token: 33	1576	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1576	AUDIODG.EXE
Token: 33	4848	WaveWindows.exe
Token: SeIncBasePriorityPrivilege	4848	WaveWindows.exe
Token: SeShutdownPrivilege	4848	WaveWindows.exe
Token: SeCreatePagefilePrivilege	4848	WaveWindows.exe
Token: SeDebugPrivilege	2000	WaveBootstrapper.exe
Token: SeDebugPrivilege	2728	WaveWindows.exe
Token: SeShutdownPrivilege	2728	WaveWindows.exe
Token: SeCreatePagefilePrivilege	2728	WaveWindows.exe
Token: SeShutdownPrivilege	2728	WaveWindows.exe
Token: SeCreatePagefilePrivilege	2728	WaveWindows.exe
Token: 33	2728	WaveWindows.exe
Token: SeIncBasePriorityPrivilege	2728	WaveWindows.exe
Token: SeShutdownPrivilege	2728	WaveWindows.exe
Token: SeCreatePagefilePrivilege	2728	WaveWindows.exe
Token: SeShutdownPrivilege	2728	WaveWindows.exe
Token: SeCreatePagefilePrivilege	2728	WaveWindows.exe
Token: SeShutdownPrivilege	2728	WaveWindows.exe
Token: SeCreatePagefilePrivilege	2728	WaveWindows.exe
Token: SeShutdownPrivilege	2728	WaveWindows.exe
Token: SeCreatePagefilePrivilege	2728	WaveWindows.exe
Token: SeDebugPrivilege	2748	taskmgr.exe
Token: SeSystemProfilePrivilege	2748	taskmgr.exe
Token: SeCreateGlobalPrivilege	2748	taskmgr.exe

Suspicious use of FindShellTrayWindow 24 IoCs

Processes:

Bloxstrap.exetaskmgr.exe

pid	process
1844	Bloxstrap.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe

Suspicious use of SendNotifyMessage 23 IoCs

Processes:

taskmgr.exe

pid	process
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe
2748	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

node.exeBloxstrap.exenode.exe

pid process

2092 node.exe
1844 Bloxstrap.exe
3512 node.exe

pid	process
2092	node.exe
1844	Bloxstrap.exe
3512	node.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

WaveInstaller Official.exeWaveBootstrapper.exeWaveBootstrapper.exeWaveBootstrapper.exeWaveBootstrapper.exeWaveWindows.exeWaveBootstrapper.exeWaveWindows.exe

description	pid	process	target process
PID 4632 wrote to memory of 3780	4632	WaveInstaller Official.exe	WaveBootstrapper.exe
PID 4632 wrote to memory of 3780	4632	WaveInstaller Official.exe	WaveBootstrapper.exe
PID 4632 wrote to memory of 3780	4632	WaveInstaller Official.exe	WaveBootstrapper.exe
PID 4632 wrote to memory of 3648	4632	WaveInstaller Official.exe	WaveBootstrapper.exe
PID 4632 wrote to memory of 3648	4632	WaveInstaller Official.exe	WaveBootstrapper.exe
PID 4632 wrote to memory of 3648	4632	WaveInstaller Official.exe	WaveBootstrapper.exe
PID 4632 wrote to memory of 2024	4632	WaveInstaller Official.exe	WaveBootstrapper.exe
PID 4632 wrote to memory of 2024	4632	WaveInstaller Official.exe	WaveBootstrapper.exe
PID 4632 wrote to memory of 2024	4632	WaveInstaller Official.exe	WaveBootstrapper.exe
PID 3648 wrote to memory of 208	3648	WaveBootstrapper.exe	WaveWindows.exe
PID 3648 wrote to memory of 208	3648	WaveBootstrapper.exe	WaveWindows.exe
PID 3648 wrote to memory of 208	3648	WaveBootstrapper.exe	WaveWindows.exe
PID 3780 wrote to memory of 1216	3780	WaveBootstrapper.exe	WaveWindows.exe
PID 3780 wrote to memory of 1216	3780	WaveBootstrapper.exe	WaveWindows.exe
PID 3780 wrote to memory of 1216	3780	WaveBootstrapper.exe	WaveWindows.exe
PID 2024 wrote to memory of 5048	2024	WaveBootstrapper.exe	WaveWindows.exe
PID 2024 wrote to memory of 5048	2024	WaveBootstrapper.exe	WaveWindows.exe
PID 2024 wrote to memory of 5048	2024	WaveBootstrapper.exe	WaveWindows.exe
PID 620 wrote to memory of 4848	620	WaveBootstrapper.exe	WaveWindows.exe
PID 620 wrote to memory of 4848	620	WaveBootstrapper.exe	WaveWindows.exe
PID 620 wrote to memory of 4848	620	WaveBootstrapper.exe	WaveWindows.exe
PID 4848 wrote to memory of 2092	4848	WaveWindows.exe	node.exe
PID 4848 wrote to memory of 2092	4848	WaveWindows.exe	node.exe
PID 4848 wrote to memory of 1844	4848	WaveWindows.exe	Bloxstrap.exe
PID 4848 wrote to memory of 1844	4848	WaveWindows.exe	Bloxstrap.exe
PID 2000 wrote to memory of 2728	2000	WaveBootstrapper.exe	WaveWindows.exe
PID 2000 wrote to memory of 2728	2000	WaveBootstrapper.exe	WaveWindows.exe
PID 2000 wrote to memory of 2728	2000	WaveBootstrapper.exe	WaveWindows.exe
PID 2728 wrote to memory of 3512	2728	WaveWindows.exe	node.exe
PID 2728 wrote to memory of 3512	2728	WaveWindows.exe	node.exe

C:\Users\Admin\AppData\Local\Temp\WaveInstaller Official.exe
"C:\Users\Admin\AppData\Local\Temp\WaveInstaller Official.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4632

C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
"C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3780

C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
"C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1224
4⤵
- Program crash
PID:1656

C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
"C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3648

C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
"C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1524
4⤵
- Program crash
PID:1464

C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
"C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
"C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1412
4⤵
- Program crash
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5048 -ip 5048
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1216 -ip 1216
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 208 -ip 208
1⤵
PID:1516

C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
"C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:620

C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
"C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Checks for any installed AV software in registry
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848

C:\Users\Admin\AppData\Local\Luau Language Server\node.exe
"C:\Users\Admin\AppData\Local\Luau Language Server\node.exe" server --process-id=4848
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2092

C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
"C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 6116
3⤵
- Program crash
PID:4372

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x424 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4848 -ip 4848
1⤵
PID:1648

C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
"C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
"C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Checks for any installed AV software in registry
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Local\Luau Language Server\node.exe
"C:\Users\Admin\AppData\Local\Luau Language Server\node.exe" server --process-id=2728
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 5636
3⤵
- Program crash
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2728 -ip 2728
1⤵
PID:2452

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2748

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Software Discovery

T1518

Security Software Discovery

T1518.001

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.dll
Filesize
4.3MB

MD5
6546ceb273f079342df5e828a60f551b

SHA1
ede41c27df51c39cd731797c340fcb8feda51ea3

SHA256
e440da74de73212d80da3f27661fcb9436d03d9e8dbbb44c9c148aaf38071ca5

SHA512
f0ea83bf836e93ff7b58582329a05ba183a25c92705fab36f576ec0c20cf687ce16a68e483698bda4215d441dec5916ffbdfa1763fb357e14ab5e0f1ffcaf824

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
Filesize
249KB

MD5
772c9fecbd0397f6cfb3d866cf3a5d7d

SHA1
6de3355d866d0627a756d0d4e29318e67650dacf

SHA256
2f88ea7e1183d320fb2b7483de2e860da13dc0c0caaf58f41a888528d78c809f

SHA512
82048bd6e50d38a863379a623b8cfda2d1553d8141923acf13f990c7245c833082523633eaa830362a12bfff300da61b3d8b3cccbe038ce2375fdfbd20dbca31

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.runtimeconfig.json
Filesize
372B

MD5
d94cf983fba9ab1bb8a6cb3ad4a48f50

SHA1
04855d8b7a76b7ec74633043ef9986d4500ca63c

SHA256
1eca0f0c70070aa83bb609e4b749b26dcb4409784326032726394722224a098a

SHA512
09a9667d4f4622817116c8bc27d3d481d5d160380a2e19b8944bdd1271a83f718415ce5e6d66e82e36819e575ec1b55f19c45213e0013b877b8d61e6feb9d998

Download Submit
C:\Users\Admin\AppData\Local\Luau Language Server\server\index.js
Filesize
6.1MB

MD5
6b1cad741d0b6374435f7e1faa93b5e7

SHA1
7b1957e63c10f4422421245e4dc64074455fd62a

SHA256
6f17add2a8c8c2d9f592adb65d88e08558e25c15cedd82e3f013c8146b5d840f

SHA512
a662fc83536eff797b8d59e2fb4a2fb7cd903be8fc4137de8470b341312534326383bb3af58991628f15f93e3bdd57621622d9d9b634fb5e6e03d4aa06977253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WaveBootstrapper.exe.log
Filesize
2KB

MD5
ebb67c89c3d4eb103fff16a4e76ea76e

SHA1
f9c7d4633305b971bd774e22c9b8885870c41b45

SHA256
4dea672914bb09196c2e33d23e412dfaf1411c9f699591950ce164e360ddd0e6

SHA512
822aa9517f78c240c118dd0381e0fe95c584317c5b3b06d093578c718e6436da41c3c47795bd513d1cfa90a7192e8c4e91b1b8a4dba0faf5d3b22e3f4b122bdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
Filesize
896KB

MD5
13dd1346a1ae0e6958bde8e5762db76a

SHA1
4b23adbb61d89c8052586dc5d2550f2356bcee74

SHA256
0cabb6fee70ae7c7caa9f197c3f87dae31e78a7e0cec8d90d59d9aea810b56ef

SHA512
365069c7be7fe865ce642ea573010f6c8bac90a66bb7ecaa976b6639ca04744a3125d4622c8100a00280b389104641544d239175131df4d0ea2a8a663e5355c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
Filesize
896KB

MD5
50c09f2694e2b571c60486cfdfd372e9

SHA1
0953b665ee3eba86cec45fdb81124148bcfbbaa1

SHA256
31f766c92ddc5473412316d09d7bea0297392e33f2acdeec7f53d1a4b7f690b2

SHA512
ddd3a0e8032547cb835e831b9f4d7259d5211d72b2ecb724b4fb7c91db35995e2488d8e60500a76a6fc47e789145cfa60452891835e9289c1e0fa35a0956be27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Sentry\565BEE8550E2E5F1B7BAFF132ECD72B7217F6160\.installation
Filesize
36B

MD5
a5b2e62f09c8860cf049087b977f8c83

SHA1
270bc3cca0ebc4a9cf8a45244eed0c5e57a13743

SHA256
198028c569e110b15c32333c0b6a3bd496f13cfb31cfeb173c5e5d0c350dd01b

SHA512
12c0b86870253219ec10b7248018dd6255ff02f2063588559300bfa28b60c8652b0bde91fcca3b919e9be7d62dbd47593893aa7e8e93bab5223bce2af0c8bba1

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
Filesize
949KB

MD5
8fb51b92d496c6765f7ba44e6d4a8990

SHA1
d3e5a8465622cd5adae05babeb7e34b2b5c777d7

SHA256
ab49d6166a285b747e5f279620ab9cea12f33f7656d732aa75900fcb981a5394

SHA512
20de93a52fff7b092cb9d77bd26944abed5f5cb67146e6d2d70be6a431283b6de52eb37a0e13dc8bc57dcf8be2d5a95b9c11b3b030a3e2f03dd6e4efc23527a6

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
Filesize
8.0MB

MD5
b8631bbd78d3935042e47b672c19ccc3

SHA1
cd0ea137f1544a31d2a62aaed157486dce3ecebe

SHA256
9cfda541d595dc20a55df5422001dfb58debd401df3abff21b1eee8ede28451c

SHA512
0c51d6247e39f7851538a5916b24972e845abfe429f0abdc7b532f654b4afe73dc6e1936f1b062da63bfc90273d3cbc297bf6c802e615f3711d0f180c070aa26

Download Submit
C:\Users\Admin\AppData\Local\Wave\bin\Background.mp4
Filesize
4.6MB

MD5
9782180eb68f73030fe24ef6a1735932

SHA1
589827fe098ba048c9f871a28db8eae3e3537ff4

SHA256
3a1cbb800f8f25c2ab703ba8bfdb01e938e4143c3bc0fea8ca734fb5ba779ba7

SHA512
dc768638bae2d6d47d8910252ae64a656d8a6fd88efdf24165ddce51b7afdb4acb3fddd41dfe788737a2cab4fab66174db2f0d2f48bc8669af76d1656bca8be1

Download Submit
memory/208-263-0x0000000006760000-0x0000000006792000-memory.dmp

Filesize
200KB

Download
memory/208-259-0x0000000005D70000-0x0000000005E22000-memory.dmp

Filesize
712KB

Download
memory/208-261-0x0000000005E20000-0x0000000005E28000-memory.dmp

Filesize
32KB

Download
memory/208-260-0x0000000005CC0000-0x0000000005D60000-memory.dmp

Filesize
640KB

Download
memory/208-262-0x00000000066B0000-0x0000000006726000-memory.dmp

Filesize
472KB

Download
memory/208-266-0x0000000006AB0000-0x0000000006B26000-memory.dmp

Filesize
472KB

Download
memory/208-256-0x0000000000B10000-0x0000000001312000-memory.dmp

Filesize
8.0MB

Download
memory/2728-351-0x000000000B5B0000-0x000000000B5C0000-memory.dmp

Filesize
64KB

Download
memory/2728-353-0x000000000B5B0000-0x000000000B5C0000-memory.dmp

Filesize
64KB

Download
memory/2728-352-0x000000000B5B0000-0x000000000B5C0000-memory.dmp

Filesize
64KB

Download
memory/2728-350-0x000000000B5B0000-0x000000000B5C0000-memory.dmp

Filesize
64KB

Download
memory/2728-354-0x000000000B630000-0x000000000B640000-memory.dmp

Filesize
64KB

Download
memory/2728-355-0x000000000B640000-0x000000000B650000-memory.dmp

Filesize
64KB

Download
memory/2728-356-0x000000000B640000-0x000000000B650000-memory.dmp

Filesize
64KB

Download
memory/2728-359-0x000000000B5B0000-0x000000000B5C0000-memory.dmp

Filesize
64KB

Download
memory/2728-360-0x000000000B5B0000-0x000000000B5C0000-memory.dmp

Filesize
64KB

Download
memory/2728-358-0x000000000B5B0000-0x000000000B5C0000-memory.dmp

Filesize
64KB

Download
memory/2728-357-0x000000000B5B0000-0x000000000B5C0000-memory.dmp

Filesize
64KB

Download
memory/2728-362-0x000000000B5B0000-0x000000000B5C0000-memory.dmp

Filesize
64KB

Download
memory/2728-363-0x000000000B640000-0x000000000B650000-memory.dmp

Filesize
64KB

Download
memory/2728-361-0x000000000B5B0000-0x000000000B5C0000-memory.dmp

Filesize
64KB

Download
memory/2728-364-0x000000000B630000-0x000000000B640000-memory.dmp

Filesize
64KB

Download
memory/2728-365-0x000000000B640000-0x000000000B650000-memory.dmp

Filesize
64KB

Download
memory/2728-366-0x000000000B640000-0x000000000B650000-memory.dmp

Filesize
64KB

Download
memory/2728-368-0x000000000B5B0000-0x000000000B5C0000-memory.dmp

Filesize
64KB

Download
memory/2728-369-0x000000000B640000-0x000000000B650000-memory.dmp

Filesize
64KB

Download
memory/2728-367-0x000000000B5B0000-0x000000000B5C0000-memory.dmp

Filesize
64KB

Download
memory/2728-371-0x000000001AA70000-0x000000001ADC4000-memory.dmp

Filesize
3.3MB

Download
memory/2748-382-0x00000133AD470000-0x00000133AD471000-memory.dmp

Filesize
4KB

Download
memory/2748-384-0x00000133AD470000-0x00000133AD471000-memory.dmp

Filesize
4KB

Download
memory/2748-379-0x00000133AD470000-0x00000133AD471000-memory.dmp

Filesize
4KB

Download
memory/2748-372-0x00000133AD470000-0x00000133AD471000-memory.dmp

Filesize
4KB

Download
memory/2748-374-0x00000133AD470000-0x00000133AD471000-memory.dmp

Filesize
4KB

Download
memory/2748-373-0x00000133AD470000-0x00000133AD471000-memory.dmp

Filesize
4KB

Download
memory/2748-380-0x00000133AD470000-0x00000133AD471000-memory.dmp

Filesize
4KB

Download
memory/2748-381-0x00000133AD470000-0x00000133AD471000-memory.dmp

Filesize
4KB

Download
memory/2748-378-0x00000133AD470000-0x00000133AD471000-memory.dmp

Filesize
4KB

Download
memory/2748-383-0x00000133AD470000-0x00000133AD471000-memory.dmp

Filesize
4KB

Download
memory/3648-239-0x0000000000310000-0x0000000000402000-memory.dmp

Filesize
968KB

Download
memory/3648-240-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/3648-249-0x0000000009090000-0x00000000090AE000-memory.dmp

Filesize
120KB

Download
memory/3648-241-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/3648-255-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/3780-245-0x0000000008190000-0x0000000008294000-memory.dmp

Filesize
1.0MB

Download
memory/3780-248-0x0000000008F40000-0x0000000008F48000-memory.dmp

Filesize
32KB

Download
memory/3780-247-0x0000000008F00000-0x0000000008F0A000-memory.dmp

Filesize
40KB

Download
memory/3780-246-0x0000000008EC0000-0x0000000008ED6000-memory.dmp

Filesize
88KB

Download
memory/3780-238-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/3780-257-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/4632-1-0x00000000004F0000-0x0000000000682000-memory.dmp

Filesize
1.6MB

Download
memory/4632-8-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/4632-21-0x0000000001120000-0x000000000112A000-memory.dmp

Filesize
40KB

Download
memory/4632-22-0x0000000001130000-0x000000000113A000-memory.dmp

Filesize
40KB

Download
memory/4632-18-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

Filesize
32KB

Download
memory/4632-17-0x0000000009110000-0x0000000009136000-memory.dmp

Filesize
152KB

Download
memory/4632-16-0x000000000B5D0000-0x000000000B666000-memory.dmp

Filesize
600KB

Download
memory/4632-9-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/4632-3-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/4632-20-0x000000000B6E0000-0x000000000B752000-memory.dmp

Filesize
456KB

Download
memory/4632-7-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/4632-6-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/4632-4-0x0000000009400000-0x0000000009438000-memory.dmp

Filesize
224KB

Download
memory/4632-5-0x00000000093D0000-0x00000000093DE000-memory.dmp

Filesize
56KB

Download
memory/4632-0-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/4632-243-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/4632-2-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/4848-278-0x000000000AFD0000-0x000000000AFF2000-memory.dmp

Filesize
136KB

Download
memory/4848-345-0x000000001CD50000-0x000000001CEAB000-memory.dmp

Filesize
1.4MB

Download
memory/4848-326-0x00000000116C0000-0x00000000116D0000-memory.dmp

Filesize
64KB

Download
memory/4848-327-0x000000000DFF0000-0x000000000E000000-memory.dmp

Filesize
64KB

Download
memory/4848-328-0x000000000DFF0000-0x000000000E000000-memory.dmp

Filesize
64KB

Download
memory/4848-332-0x000000000DFF0000-0x000000000E000000-memory.dmp

Filesize
64KB

Download
memory/4848-329-0x000000000E090000-0x000000000E0A0000-memory.dmp

Filesize
64KB

Download
memory/4848-330-0x000000000E090000-0x000000000E0A0000-memory.dmp

Filesize
64KB

Download
memory/4848-331-0x000000000DFF0000-0x000000000E000000-memory.dmp

Filesize
64KB

Download
memory/4848-315-0x000000000DFF0000-0x000000000E000000-memory.dmp

Filesize
64KB

Download
memory/4848-316-0x000000000DFF0000-0x000000000E000000-memory.dmp

Filesize
64KB

Download
memory/4848-325-0x0000000008CB0000-0x0000000008D96000-memory.dmp

Filesize
920KB

Download
memory/4848-317-0x000000000E090000-0x000000000E0A0000-memory.dmp

Filesize
64KB

Download
memory/4848-318-0x000000000E090000-0x000000000E0A0000-memory.dmp

Filesize
64KB

Download
memory/4848-319-0x000000000E090000-0x000000000E0A0000-memory.dmp

Filesize
64KB

Download
memory/4848-324-0x0000000008DD0000-0x0000000008E1A000-memory.dmp

Filesize
296KB

Download
memory/4848-320-0x000000000E090000-0x000000000E0A0000-memory.dmp

Filesize
64KB

Download
memory/4848-321-0x000000000E090000-0x000000000E0A0000-memory.dmp

Filesize
64KB

Download
memory/4848-322-0x000000000E090000-0x000000000E0A0000-memory.dmp

Filesize
64KB

Download
memory/4848-323-0x0000000008C90000-0x0000000008CB4000-memory.dmp

Filesize
144KB

Download
memory/4848-314-0x00000000116C0000-0x00000000116D0000-memory.dmp

Filesize
64KB

Download
memory/4848-313-0x0000000011700000-0x0000000011886000-memory.dmp

Filesize
1.5MB

Download
memory/4848-310-0x000000000E090000-0x000000000E0A0000-memory.dmp

Filesize
64KB

Download
memory/4848-309-0x000000000E090000-0x000000000E0A0000-memory.dmp

Filesize
64KB

Download
memory/4848-311-0x000000000E090000-0x000000000E0A0000-memory.dmp

Filesize
64KB

Download
memory/4848-312-0x000000000E090000-0x000000000E0A0000-memory.dmp

Filesize
64KB

Download
memory/4848-297-0x000000000B650000-0x000000000B658000-memory.dmp

Filesize
32KB

Download
memory/4848-296-0x000000000BD80000-0x000000000BDE6000-memory.dmp

Filesize
408KB

Download
memory/4848-295-0x000000000B4B0000-0x000000000B4EE000-memory.dmp

Filesize
248KB

Download
memory/4848-294-0x000000000D710000-0x000000000DC3C000-memory.dmp

Filesize
5.2MB

Download
memory/4848-293-0x000000000AF00000-0x000000000AF38000-memory.dmp

Filesize
224KB

Download
memory/4848-279-0x000000000B890000-0x000000000BBE4000-memory.dmp

Filesize
3.3MB

Download
memory/4848-273-0x0000000009F40000-0x0000000009FF2000-memory.dmp

Filesize
712KB

Download