344700d3141170111a9b77db100f6961cc54a2988d964d34f7e1ca57aa42aa2a

General

Target

WaveInstaller.exe
Size

1.5MB
MD5

c822ab5332b11c9185765b157d0b6e17
SHA1

7fe909d73a24ddd87171896079cceb8b03663ad4
SHA256

344700d3141170111a9b77db100f6961cc54a2988d964d34f7e1ca57aa42aa2a
SHA512

a8612836fb4714b939d03f7fe08391bbc635ca83ab853fc677159e5db6b00f76b9b586bdae9c19d2406d9a2713d1caf614132cb6c14e1dddc6ac45e47f7e5a5d
SSDEEP

24576:9viinbT3ipyqwPx4x3RyFoBkkAd04wJAAh/jV1gJcPNZI6fntX3HOt2pbs81ind2:EinbT3ipTD0anywJAaD/3U2pb7indT

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WaveInstaller.exeWaveBootstrapper.exeWaveWindows.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WaveBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WaveWindows.exe

Executes dropped EXE 3 IoCs

Processes:

WaveBootstrapper.exeWaveWindows.exenode.exe

pid process

1584 WaveBootstrapper.exe
4688 WaveWindows.exe
1608 node.exe

pid	process
1584	WaveBootstrapper.exe
4688	WaveWindows.exe
1608	node.exe

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1518.001

Processes:

WaveWindows.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\KasperskyLab	WaveWindows.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\KasperskyLab	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\KasperskyLab\LastUsername	WaveWindows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\KasperskyLab\Session	WaveWindows.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

Processes:

flow	ioc
28	raw.githubusercontent.com
29	raw.githubusercontent.com
45	raw.githubusercontent.com
46	raw.githubusercontent.com
47	raw.githubusercontent.com
48	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WaveInstaller.exeWaveBootstrapper.exeWaveWindows.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveBootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveWindows.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

WaveWindows.exe

pid process

4688 WaveWindows.exe
4688 WaveWindows.exe

pid	process
4688	WaveWindows.exe
4688	WaveWindows.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WaveInstaller.exeWaveBootstrapper.exeWaveWindows.exe

description	pid	process
Token: SeDebugPrivilege	4076	WaveInstaller.exe
Token: SeDebugPrivilege	1584	WaveBootstrapper.exe
Token: SeDebugPrivilege	4688	WaveWindows.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WaveInstaller.exeWaveBootstrapper.exeWaveWindows.exe

description	pid	process	target process
PID 4076 wrote to memory of 1584	4076	WaveInstaller.exe	WaveBootstrapper.exe
PID 4076 wrote to memory of 1584	4076	WaveInstaller.exe	WaveBootstrapper.exe
PID 4076 wrote to memory of 1584	4076	WaveInstaller.exe	WaveBootstrapper.exe
PID 1584 wrote to memory of 4688	1584	WaveBootstrapper.exe	WaveWindows.exe
PID 1584 wrote to memory of 4688	1584	WaveBootstrapper.exe	WaveWindows.exe
PID 1584 wrote to memory of 4688	1584	WaveBootstrapper.exe	WaveWindows.exe
PID 4688 wrote to memory of 1608	4688	WaveWindows.exe	node.exe
PID 4688 wrote to memory of 1608	4688	WaveWindows.exe	node.exe

C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076

C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
"C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
"C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks for any installed AV software in registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4688

C:\Users\Admin\AppData\Local\Luau Language Server\node.exe
"C:\Users\Admin\AppData\Local\Luau Language Server\node.exe" server --process-id=4688
4⤵
- Executes dropped EXE
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Software Discovery

1

T1518

Security Software Discovery

1

T1518.001

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Luau Language Server\server\index.js
Filesize
6.1MB

MD5
6b1cad741d0b6374435f7e1faa93b5e7

SHA1
7b1957e63c10f4422421245e4dc64074455fd62a

SHA256
6f17add2a8c8c2d9f592adb65d88e08558e25c15cedd82e3f013c8146b5d840f

SHA512
a662fc83536eff797b8d59e2fb4a2fb7cd903be8fc4137de8470b341312534326383bb3af58991628f15f93e3bdd57621622d9d9b634fb5e6e03d4aa06977253

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe
Filesize
949KB

MD5
8fb51b92d496c6765f7ba44e6d4a8990

SHA1
d3e5a8465622cd5adae05babeb7e34b2b5c777d7

SHA256
ab49d6166a285b747e5f279620ab9cea12f33f7656d732aa75900fcb981a5394

SHA512
20de93a52fff7b092cb9d77bd26944abed5f5cb67146e6d2d70be6a431283b6de52eb37a0e13dc8bc57dcf8be2d5a95b9c11b3b030a3e2f03dd6e4efc23527a6

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe
Filesize
8.0MB

MD5
b8631bbd78d3935042e47b672c19ccc3

SHA1
cd0ea137f1544a31d2a62aaed157486dce3ecebe

SHA256
9cfda541d595dc20a55df5422001dfb58debd401df3abff21b1eee8ede28451c

SHA512
0c51d6247e39f7851538a5916b24972e845abfe429f0abdc7b532f654b4afe73dc6e1936f1b062da63bfc90273d3cbc297bf6c802e615f3711d0f180c070aa26

Download Submit
memory/1584-245-0x0000000009B80000-0x0000000009B88000-memory.dmp

Filesize
32KB

Download
memory/1584-242-0x0000000008DD0000-0x0000000008ED4000-memory.dmp

Filesize
1.0MB

Download
memory/1584-237-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/1584-238-0x0000000000670000-0x0000000000762000-memory.dmp

Filesize
968KB

Download
memory/1584-250-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/1584-246-0x0000000009BE0000-0x0000000009BFE000-memory.dmp

Filesize
120KB

Download
memory/1584-244-0x0000000009B40000-0x0000000009B4A000-memory.dmp

Filesize
40KB

Download
memory/1584-243-0x0000000009B00000-0x0000000009B16000-memory.dmp

Filesize
88KB

Download
memory/1584-240-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/4076-17-0x0000000005500000-0x0000000005526000-memory.dmp

Filesize
152KB

Download
memory/4076-18-0x00000000056B0000-0x00000000056B8000-memory.dmp

Filesize
32KB

Download
memory/4076-21-0x00000000056D0000-0x00000000056DA000-memory.dmp

Filesize
40KB

Download
memory/4076-22-0x00000000056E0000-0x00000000056EA000-memory.dmp

Filesize
40KB

Download
memory/4076-3-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/4076-5-0x00000000098D0000-0x0000000009908000-memory.dmp

Filesize
224KB

Download
memory/4076-20-0x000000000BCE0000-0x000000000BD52000-memory.dmp

Filesize
456KB

Download
memory/4076-4-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/4076-241-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/4076-1-0x0000000000860000-0x00000000009F2000-memory.dmp

Filesize
1.6MB

Download
memory/4076-16-0x00000000055D0000-0x0000000005666000-memory.dmp

Filesize
600KB

Download
memory/4076-9-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/4076-0-0x00000000750EE000-0x00000000750EF000-memory.dmp

Filesize
4KB

Download
memory/4076-8-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/4076-2-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/4076-7-0x00000000750EE000-0x00000000750EF000-memory.dmp

Filesize
4KB

Download
memory/4076-6-0x00000000098A0000-0x00000000098AE000-memory.dmp

Filesize
56KB

Download
memory/4688-259-0x000000000AA30000-0x000000000AAE2000-memory.dmp

Filesize
712KB

Download
memory/4688-253-0x0000000006110000-0x00000000061B0000-memory.dmp

Filesize
640KB

Download
memory/4688-254-0x00000000061C0000-0x00000000061C8000-memory.dmp

Filesize
32KB

Download
memory/4688-252-0x0000000006020000-0x00000000060D2000-memory.dmp

Filesize
712KB

Download
memory/4688-251-0x0000000000EC0000-0x00000000016C2000-memory.dmp

Filesize
8.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads