General
- Target: wave-server.zip
- Size: 13.9MB
- Sample: 240727-gtwqys1cpp
- MD5: e4187032eb451d978aa212cef7de8830
- SHA1: 4b5e44c25a50205ad03aa3181cfba9bc24890b92
- SHA256: 833da3f86493023256fc3b26aa0f36a34ccc8e41ad382df60784aebf80ed7d85
- SHA512: 42a557f175b2a2767f98b224b8a9ea246cf15edf8ca4462ff35ce18038bd41f0ddae331dc4295bb4ee95134495a0e0d26f25ddef945a9c5a6c402a36c0676feb
- SSDEEP: 393216:DVhyG3Wi7rElW5GMW7aZB1P7U7R1y04mJB:DVQGdP6W5G76P7U7XHtz
Behavioral task
- behavioral1
- Sample: wave-server.exe
- Resource: win10v2004-20240709-en

Malware Config

Targets
- Target: wave-server.exe
- Size: 14.2MB
- MD5: 06f44ba8e49cbf6a98646c109c3c5049
- SHA1: 6df6ba404339bfe42dbc2815158220a2ff6cb367
- SHA256: fda1c7587f6efe2852db21624c121b0fe8c0ed5f39bedb84255c5365b4283442
- SHA512: ebf56affa222ce585ffbf332b118e4aa37c54df2ed3b24e737f5587834712f2290462a4e663f902473b4e60be6397f125476ae6af4baa36ab6da16316ea4be26
- SSDEEP: 196608:tQ0sKYu/PaQAIf7ZBhQxEEYXU3b01Kpn3V+uq+Vvp9CsXDjDyf5Zk4CSETMBeCr:MQNlBhQpL01+l+uq+VvbCEDqZk4/
- Event Triggered Execution: Image File Execution Options Injection
- Modifies Windows Firewall
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Drops file in System32 directory
- Enumerates processes with tasklist
- Hide Artifacts: Hidden Files and Directories
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (2)
  - Image File Execution Options Injection (1)
  - Netsh Helper DLL (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (2)
  - Image File Execution Options Injection (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (1)
- Modify Registry (3)
- Pre-OS Boot (1)
  - Bootkit (1)