Analysis
max time kernel: 62s
max time network: 147s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 19-07-2024 13:20
Behavioral tasks
behavioral1: Sample WaveInstaller (2).exe, Resource win7-20240704-en
behavioral2: Sample WaveInstaller (2).exe, Resource win10v2004-20240709-en
behavioral3: Sample Stub.pyc, Resource win7-20240708-en
behavioral4: Sample Stub.pyc, Resource win10v2004-20240709-en
General
Target: WaveInstaller (2).exe
Size: 10.4MB
MD5: 56a4d33799e01d75bf5e8f740f83e897
SHA1: ea5f93334629059aeb46244112a93753310f3634
SHA256: f11256d219127c83f602f1063c935c75a0289f2511a0ddd0bdf2f9a9a651c157
SHA512: 16262b4b75ed0fe80c7a871d4f49f3bc8c813e20b97fdc95e2f36533eb8c8320a0b1cc2ca24f205bfe930ac3fbd906c491b5b553839b4a0ceb9bbb26ca750fac
SSDEEP: 196608:c11Eoq7n0jc/bPeNrYFJMIDJ+gsAGK0X/O2xR4QgESjfygWZz2:Zb7n0jcw8Fqy+gs1Nntir
Malware Config
Signatures

Loads dropped DLL (7 IoCs)
  pid   Process
  2736  WaveInstaller (2).exe   (7 identical entries)

  resource                                      yara_rule
  behavioral1/files/0x000500000001a43a-98.dat   upx

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description         ioc                                                                    Process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  568   chrome.exe   (2 identical entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                 pid   Process
  Token: SeShutdownPrivilege  568   chrome.exe   (64 identical entries)

Suspicious use of FindShellTrayWindow (34 IoCs)
  pid   Process
  568   chrome.exe   (34 identical entries)

Suspicious use of SendNotifyMessage (32 IoCs)
  pid   Process
  568   chrome.exe   (32 identical entries)

Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, count in last column)
  description                         pid    Process                 procid_target   count
  PID 2276 wrote to memory of 2736    2276   WaveInstaller (2).exe   28              3
  PID 568 wrote to memory of 524      568    chrome.exe              34              3
  PID 568 wrote to memory of 1976     568    chrome.exe              36              39
  PID 568 wrote to memory of 2216     568    chrome.exe              37              3
  PID 568 wrote to memory of 840      568    chrome.exe              38              16
Processes (bracketed number is the process-tree depth from the original report)

[1] C:\Users\Admin\AppData\Local\Temp\WaveInstaller (2).exe  (PID 2276)
    Command line: "C:\Users\Admin\AppData\Local\Temp\WaveInstaller (2).exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\WaveInstaller (2).exe  (PID 2736)
        Command line: "C:\Users\Admin\AppData\Local\Temp\WaveInstaller (2).exe"
        - Loads dropped DLL

[1] C:\Windows\explorer.exe  (PID 1328)
    Command line: "C:\Windows\explorer.exe"

[1] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 568)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 524)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5aa9758,0x7fef5aa9768,0x7fef5aa9778
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1976)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1368,i,4456969041643174689,12976251156301285174,131072 /prefetch:2
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2216)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1368,i,4456969041643174689,12976251156301285174,131072 /prefetch:8
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 840)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1368,i,4456969041643174689,12976251156301285174,131072 /prefetch:8
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1616)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1500 --field-trial-handle=1368,i,4456969041643174689,12976251156301285174,131072 /prefetch:1
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2164)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1368,i,4456969041643174689,12976251156301285174,131072 /prefetch:1
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2600)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1228 --field-trial-handle=1368,i,4456969041643174689,12976251156301285174,131072 /prefetch:2
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2832)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3204 --field-trial-handle=1368,i,4456969041643174689,12976251156301285174,131072 /prefetch:1
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1144)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3644 --field-trial-handle=1368,i,4456969041643174689,12976251156301285174,131072 /prefetch:8

[1] C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe  (PID 2428)
    Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 16B
MD5: aefd77f47fb84fae5ea194496b44c67a
SHA1: dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256: 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512: b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Filesize: 5KB
MD5: f04aad2677dd704149695018dd89d832
SHA1: 521fe3047fa6eaaac68c1dea6adbbe49c86b0cd7
SHA256: b7ba29713a6baa650d93599dc3ade29cd84dfdb7963abe72415c8955e78160b0
SHA512: 9d859455014b853d7883df98d6bf53281fec2c52f921311199caceb9488af92844f7d8f4a91f3c8bf88091e33d994bf1fe237ca572e81365ea0c37df92b46d46

Filesize: 5KB
MD5: 3ca67667087a2345e495f936c9d69337
SHA1: c0c66a344cf5a8a02d81131b70e596ca76cfdc73
SHA256: 9a50c7a5ea07d07e9ee3fe633518205921780fe780d1bba9a1acc9d3270a7410
SHA512: 4e5ce58cf634d26d9e7d2714f97e724e1525b1286c0166ae59e38edf63c293ad1063ea089c01663c67d0d36a6377f9b111946e04c7a58065050c060730a6c13d

Filesize: 16B
MD5: 18e723571b00fb1694a3bad6c78e4054
SHA1: afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256: 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512: 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Filesize: 22KB
MD5: 852904535068e569e2b157f3bca0c08f
SHA1: c79b4d109178f4ab8c19ab549286eee4edf6eddb
SHA256: 202b77cd363fce7c09d9a59b5779f701767c8734cc17bbe8b9ece5a0619f2225
SHA512: 3e814678c7aa0d3d3a637ce3048e3b472dbb01b2e2a5932e5b257aa76bf8de8117a38e2a352daff66939a73c1b971b302f5635ea1d826b8a3afa49f9b543a541

Filesize: 22KB
MD5: cdfc83e189bda0ac9eab447671754e87
SHA1: cf597ee626366738d0ea1a1d8be245f26abbea72
SHA256: f4811f251c49c9ae75f9fe25890bacede852e4f1bfdc6685f49096253a43f007
SHA512: 659ee46e210fcad6c778988a164ce3f69a137d05fb2699ff662540cbb281b38719017f1049d5189fafdae06c07a48d3d29dd98e11c1cae5d47768c243af37fe9

Filesize: 22KB
MD5: f1d0595773886d101e684e772118d1ef
SHA1: 290276053a75cbeb794441965284b18311ab355d
SHA256: 040e1572da9a980392184b1315f27ebcdaf07a0d94ddf49cbd0d499f7cdb099a
SHA512: db57f4ae78f7062cfe392d6829c5975be91d0062ff06725c45c06a74e04ade8bcaf709cfebeba8146fb4396206141aa49572968ea240aa1cba909e43985dc3ee

Filesize: 22KB
MD5: e26a5e364a76bf00feaab920c535adbb
SHA1: 411eaf1ca1d8f1aebcd816d93933561c927f2754
SHA256: b3c0356f64e583c8aca3b1284c6133540a8a12f94b74568fb78ddc36eac6ab15
SHA512: 333e42eeea07a46db46f222e27429facaaf2ce8a433f0c39f5d5c72e67d894c813d3cf77880434f6373e0d8fffa3ef96d5f37e38dd4775491f3da2b569e9df59

Filesize: 22KB
MD5: 566232dabd645dcd37961d7ec8fde687
SHA1: 88a7a8c777709ae4b6d47bed6678d0192eb3bc3f
SHA256: 1290d332718c47961052ebc97a3a71db2c746a55c035a32b72e5ff00eb422f96
SHA512: e5d549c461859445006a4083763ce855adbb72cf9a0bcb8958daa99e20b1ca8a82dec12e1062787e2ae8aee94224b0c92171a4d99ed348b94eab921ede205220

Filesize: 1.4MB
MD5: 196deb9a74e6e9e242f04008ea80f7d3
SHA1: a54373ebad306f3e6f585bcdf1544fbdcf9c0386
SHA256: 20b004bfe69166c4961fee93163e795746df39fb31dc67399c0fde57f551eb75
SHA512: 8c226d3ef21f3ddeee14a098c60ef030fa78590e9505d015ce63ea5e5bbcea2e105ff818e94653df1bddc9ba6ed3b376a1dff5c19266b623fa22cd75ac263b68

Filesize: 1.1MB
MD5: a9f5b06fae677c9eb5be8b37d5fb1cb9
SHA1: 5c37b880a1479445dd583f85c58a8790584f595d
SHA256: 4e9e93fd6486571e1b5dce381fa536fb6c5593584d3330368ccd47ee6107bf52
SHA512: 5d7664716fa52f407d56771862262317ac7f4a03f31f209333c3eea7f1c8cf3d5dbafc1942122948d19208d023df220407014f47e57694e70480a878822b779a