Analysis
- max time kernel: 300s
- max time network: 277s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/07/2024, 11:12
Static task: static1
Behavioral task: behavioral1
- Sample: wave-server.exe
- Resource: win10v2004-20240709-en
General
- Target: wave-server.exe
- Size: 8.8MB
- MD5: a227c8183df069184a11a03607fb382e
- SHA1: c3fe442f17f23dfef81cc588c7d39cb2424b2f10
- SHA256: aace88c7fb32eb62e10a709eacd2baf7e341f124f4370b870aeaf09f9584ad12
- SHA512: 05c909850aab0a02fe20cf77adca595c74d0426fed388075c131539eb44c28287edbcd27a9226dbc0cec11b0131865f9759bcb4b45fd458b6ad32981ca6bc282
- SSDEEP: 49152:poPUiCJMn2ZJPi89zCD8O26i29S4WhVVGjq4GrA3356Kw4CjWu5Ey35C8Q2djKSd:nJiBqwjnWhnMGr0h6ER8zP8rg6CVQmT
Malware Config
Signatures
- Drops file in Drivers directory (1 IoC)
  - File opened for modification: C:\Windows\System32\drivers\etc\hosts (Process: wave-server.exe)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (Process: taskmgr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (Process: taskmgr.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (Process: taskmgr.exe)
- Modifies registry class (1 IoC)
  - Key created: \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings (Process: OpenWith.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - pid 3772, Process: taskmgr.exe (all 64 entries)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  - pid 1880, Process: OpenWith.exe
  - pid 3772, Process: taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  - Token: SeDebugPrivilege, pid 3772, Process: taskmgr.exe
  - Token: SeSystemProfilePrivilege, pid 3772, Process: taskmgr.exe
  - Token: SeCreateGlobalPrivilege, pid 3772, Process: taskmgr.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  - pid 3772, Process: taskmgr.exe (all 64 entries)
- Suspicious use of SendNotifyMessage (64 IoCs)
  - pid 3772, Process: taskmgr.exe (all 64 entries)
- Suspicious use of SetWindowsHookEx (25 IoCs)
  - pid 1880, Process: OpenWith.exe (all 25 entries)
- Suspicious use of WriteProcessMemory (2 IoCs)
  - PID 1880 wrote to memory of 4932, pid 1880, Process: OpenWith.exe, procid_target 103
  - PID 1880 wrote to memory of 4932, pid 1880, Process: OpenWith.exe, procid_target 103
Processes
- C:\Users\Admin\AppData\Local\Temp\wave-server.exe (PID 1584)
  command line: "C:\Users\Admin\AppData\Local\Temp\wave-server.exe"
  - Drops file in Drivers directory
- C:\Windows\system32\taskmgr.exe (PID 3772)
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\System32\rundll32.exe (PID 2028)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\system32\OpenWith.exe (PID 1880)
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\NOTEPAD.EXE (PID 4932, child of PID 1880)
    command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\System32\drivers\etc\hosts
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 80B
  MD5: dda0b27bf75fba273b6f404196f74684
  SHA1: b1e7cabde59c2812fdcb425c01bb6c2c586bee17
  SHA256: 4af14863bc0bf48fc14baf59b0dcfdf0a2db4e94bced60f080ec4879e5aab6a6
  SHA512: eb68a24138f70a14fcb228f1995846579234beb3bfe47f4bba44e32322555cc62b627cd7a9f7dfe6a3abf195cfcc59555cdc791e4930242a9b9f132632fc2d4c