Overview

overview

5

Static

static

3

WaveInstaller (1).exe

windows7-x64

5

WaveInstaller (1).exe

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    93s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    10-08-2024 01:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WaveInstaller (1).exe

  • Size

    1.5MB

  • MD5

    c822ab5332b11c9185765b157d0b6e17

  • SHA1

    7fe909d73a24ddd87171896079cceb8b03663ad4

  • SHA256

    344700d3141170111a9b77db100f6961cc54a2988d964d34f7e1ca57aa42aa2a

  • SHA512

    a8612836fb4714b939d03f7fe08391bbc635ca83ab853fc677159e5db6b00f76b9b586bdae9c19d2406d9a2713d1caf614132cb6c14e1dddc6ac45e47f7e5a5d

  • SSDEEP

    24576:9viinbT3ipyqwPx4x3RyFoBkkAd04wJAAh/jV1gJcPNZI6fntX3HOt2pbs81ind2:EinbT3ipTD0anywJAaD/3U2pb7indT

Score
5/10
discovery

Malware Config

Signatures

  • Drops file in System32 directory 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 19 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WaveInstaller (1).exe
    "C:\Users\Admin\AppData\Local\Temp\WaveInstaller (1).exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 1584
      2⤵
      • Program crash
      PID:2096
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2760
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x4a4
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2856
    • C:\Windows\system32\SearchIndexer.exe
      C:\Windows\system32\SearchIndexer.exe /Embedding
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1364
      • C:\Windows\system32\SearchProtocolHost.exe
        "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2448
      • C:\Windows\system32\SearchFilterHost.exe
        "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
        2⤵
        • Modifies data under HKEY_USERS
        PID:2452
      • C:\Windows\system32\SearchProtocolHost.exe
        "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
        2⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious use of SetWindowsHookEx
        PID:1536

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
      Filesize

      1024KB

      MD5

      d10c27f59dfdc972c4de635687df4614

      SHA1

      3ebd0ac94d845bca26c36a05e3a70f75561fe3e4

      SHA256

      71636872ba48e12fbf90eec49168337910ef98ad0ee00cda106f2904c83f8f65

      SHA512

      4c649ed28619302cbad9f1a2455bd4f2970b05f59740d642c4691f073df9e195bd6fcbcda107ffe7ad7b095bcff68c1882744e86fb374c4224f804850010bf4c

      Download Submit
    • memory/1364-53-0x0000000002BD0000-0x0000000002BD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1364-8-0x0000000001690000-0x00000000016A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1364-25-0x00000000017A0000-0x00000000017B0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1364-80-0x00000000033C0000-0x00000000033C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1364-76-0x00000000031E0000-0x00000000031E8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1364-70-0x0000000002B90000-0x0000000002B98000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1364-61-0x0000000002AE0000-0x0000000002AE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1364-47-0x0000000002B30000-0x0000000002B38000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1364-59-0x0000000002B30000-0x0000000002B38000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2552-6-0x00000000748E0000-0x0000000074FCE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2552-5-0x00000000748E0000-0x0000000074FCE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2552-0-0x00000000748EE000-0x00000000748EF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2552-4-0x00000000001E0000-0x00000000001EA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2552-7-0x00000000748E0000-0x0000000074FCE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2552-2-0x00000000748E0000-0x0000000074FCE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2552-1-0x0000000001270000-0x0000000001402000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2552-3-0x00000000001E0000-0x00000000001EA000-memory.dmp
      Filesize

      40KB

      Download