Analysis
max time kernel: 111s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-07-2024 17:31
Behavioral task: behavioral1
Sample: Wave.exe
Resource: win7-20240708-en
General
Target: Wave.exe
Size: 3.0MB
MD5: df016abe8bfe2653c1dca38309260358
SHA1: 253c95a2b7f13d39b9a03ba9a52785258e439340
SHA256: 328b42682ffc73069ed31d0a9360aaf75e756cc2e51a280ef9849b9e836a990d
SHA512: 3fcb697b369444ff62c84dd7b562f685b035e87ed9beab9c603bb2c35d03d57db7f28d1ccc8ed2ffaf606802fc6e3a4e1535f627d9fe8e0a68514f27219762ec
SSDEEP: 49152:B1HS7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpbu/nRFfjI7L0qb:BUHTPJg8z1mKnypSbRxo9JCm
Malware Config
Extracted:
orcus
Wave
31.44.184.52:15288
sudo_76v3ne68zd8b3j6xeaptqbdkmamvwu08
autostart_method: Disable
enable_keylogger: false
install_path: %appdata%\securedatalifeasync\universal_.exe
reconnect_delay: 10000
registry_keyname: Sudik
taskscheduler_taskname: sudik
watchdog_path: AppData\aga.exe
Signatures

Orcus main payload (1 IoC)
Processes (resource, yara_rule):
- behavioral2/files/0x0009000000023497-13.dat, family_orcus

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious Access or copy of Web Browser Credential store.

Orcurs Rat Executable (2 IoCs)
Processes (resource, yara_rule):
- behavioral2/memory/3356-1-0x00000000007B0000-0x0000000000AB2000-memory.dmp, orcus
- behavioral2/files/0x0009000000023497-13.dat, orcus

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, Process):
- Key value queried, \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation, Wave.exe
- Key value queried, \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation, regasm.exe

Executes dropped EXE (3 IoCs)
Processes (pid, Process):
- 5080, universal_.exe
- 2244, universal_.exe
- 1612, universal_.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext (2 IoCs)
Processes (description, pid, Process, procid_target):
- PID 5080 set thread context of 2880, 5080, universal_.exe, 95
- PID 2244 set thread context of 1064, 2244, universal_.exe, 97

Drops file in Windows directory (1 IoC)
Processes (description, ioc, Process):
- File opened for modification, C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe, regasm.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, ioc, Process):
- Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, universal_.exe
- Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, universal_.exe
- Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, cmd.exe
- Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, cmd.exe
- Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, cmd.exe
- Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Wave.exe
- Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, regasm.exe
- Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, universal_.exe
- Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, installutil.exe
- Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, cmd.exe
- Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, PING.EXE
- Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, cmd.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes (pid, Process):
- 3356, Wave.exe
- 5080, universal_.exe
- 5080, universal_.exe
- 5080, universal_.exe
- 5080, universal_.exe
- 2244, universal_.exe
- 2244, universal_.exe
- 2880, regasm.exe
- 2880, regasm.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes (description, pid, Process):
- Token: SeDebugPrivilege, 3356, Wave.exe
- Token: SeDebugPrivilege, 5080, universal_.exe
- Token: SeDebugPrivilege, 2244, universal_.exe
- Token: SeDebugPrivilege, 2880, regasm.exe

Suspicious use of WriteProcessMemory (40 IoCs)
Processes (description, pid, Process, procid_target; identical rows collapsed with their repeat count):
- PID 3356 wrote to memory of 5080, 3356, Wave.exe, 90 (x3)
- PID 5080 wrote to memory of 4920, 5080, universal_.exe, 94 (x3)
- PID 5080 wrote to memory of 2880, 5080, universal_.exe, 95 (x8)
- PID 2244 wrote to memory of 1064, 2244, universal_.exe, 97 (x8)
- PID 2880 wrote to memory of 2368, 2880, regasm.exe, 108 (x3)
- PID 2368 wrote to memory of 2500, 2368, cmd.exe, 110 (x3)
- PID 2368 wrote to memory of 752, 2368, cmd.exe, 111 (x3)
- PID 2368 wrote to memory of 960, 2368, cmd.exe, 112 (x3)
- PID 2368 wrote to memory of 4344, 2368, cmd.exe, 113 (x3)
- PID 2368 wrote to memory of 4192, 2368, cmd.exe, 114 (x3)
Processes
(process tree; each entry gives image path, command line, PID and the signatures it triggered; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\Wave.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
  PID: 3356
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\securedatalifeasync\universal_.exe
    Command line: "C:\Users\Admin\AppData\Roaming\securedatalifeasync\universal_.exe"
    PID: 5080
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      PID: 4920

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      PID: 2880
      - Checks computer location settings
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{b9dce45c-bd12-422c-932b-e6ddab9e9309}.bat" "
        PID: 2368
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          PID: 2500
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo j "
          PID: 752
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe""
          PID: 960
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo j "
          PID: 4344
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\Admin\AppData\Local\Temp\{b9dce45c-bd12-422c-932b-e6ddab9e9309}.bat"
          PID: 4192
          - System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Roaming\securedatalifeasync\universal_.exe
  Command line: C:\Users\Admin\AppData\Roaming\securedatalifeasync\universal_.exe
  PID: 2244
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    PID: 1064
    - System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Roaming\securedatalifeasync\universal_.exe
  Command line: C:\Users\Admin\AppData\Roaming\securedatalifeasync\universal_.exe
  PID: 1612
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
Network

MITRE ATT&CK Enterprise v15
Credential Access:
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (3)
- Credentials In Files (2)
- Credentials in Registry (1)
Downloads

Filesize: 1KB
MD5: 663b8d5469caa4489d463aa9bc18124f
SHA1: e57123a7d969115853ea631a3b33826335025d28
SHA256: 7b4fa505452f0b8ac74bb31f5a03b13342836318018fb18d224ae2ff11b1a7e8
SHA512: 45e373295125a629fcc0b19609608d969c9106514918bfac5d6b8e340e407434577b825741b8fa6a043c8f3f5c1a030ba8857da5f4e8ef15a551ce3c5fe03b55

Filesize: 195B
MD5: 53659d38a149822e8b5108240f1f4f28
SHA1: 0cfc03162b97fb0b225159463568df903665e3c1
SHA256: f06714618bc94bc1ea676aa45ddadd9bc62997ea2dbcf0d4389e9de040a7c0b0
SHA512: df14fd5340c969be07965f551bdd350fd77b297dbb903a4c040e362b9fa702b02455e27fff6c3828ac2d323544618f8debbf00bd2088d095a83a350031313d6e

Filesize: 3.0MB
MD5: df016abe8bfe2653c1dca38309260358
SHA1: 253c95a2b7f13d39b9a03ba9a52785258e439340
SHA256: 328b42682ffc73069ed31d0a9360aaf75e756cc2e51a280ef9849b9e836a990d
SHA512: 3fcb697b369444ff62c84dd7b562f685b035e87ed9beab9c603bb2c35d03d57db7f28d1ccc8ed2ffaf606802fc6e3a4e1535f627d9fe8e0a68514f27219762ec

Filesize: 357B
MD5: a2b76cea3a59fa9af5ea21ff68139c98
SHA1: 35d76475e6a54c168f536e30206578babff58274
SHA256: f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512: b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad