344700d3141170111a9b77db100f6961cc54a2988d964d34f7e1ca57aa42aa2a

General

Target

WaveInstaller (1).exe
Size

1.5MB
MD5

c822ab5332b11c9185765b157d0b6e17
SHA1

7fe909d73a24ddd87171896079cceb8b03663ad4
SHA256

344700d3141170111a9b77db100f6961cc54a2988d964d34f7e1ca57aa42aa2a
SHA512

a8612836fb4714b939d03f7fe08391bbc635ca83ab853fc677159e5db6b00f76b9b586bdae9c19d2406d9a2713d1caf614132cb6c14e1dddc6ac45e47f7e5a5d
SSDEEP

24576:9viinbT3ipyqwPx4x3RyFoBkkAd04wJAAh/jV1gJcPNZI6fntX3HOt2pbs81ind2:EinbT3ipTD0anywJAaD/3U2pb7indT

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

WaveInstaller (1).exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaveInstaller (1).exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveInstaller (1).exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

3496 chrome.exe
3496 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

3496 chrome.exe
3496 chrome.exe
3496 chrome.exe
3496 chrome.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

WaveInstaller (1).exechrome.exe

description	pid	process
Token: SeDebugPrivilege	3044	WaveInstaller (1).exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe
Token: SeShutdownPrivilege	3496	chrome.exe
Token: SeCreatePagefilePrivilege	3496	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	process
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3496 wrote to memory of 4036	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 4036	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 2172	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 4480	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 4480	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe
PID 3496 wrote to memory of 924	3496	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\WaveInstaller (1).exe
"C:\Users\Admin\AppData\Local\Temp\WaveInstaller (1).exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xfc,0x124,0x7ffdd8bfcc40,0x7ffdd8bfcc4c,0x7ffdd8bfcc58
2⤵
PID:4036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1804,i,11536194444951083507,9275605623358564160,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1764 /prefetch:2
2⤵
PID:2172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,11536194444951083507,9275605623358564160,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2096 /prefetch:3
2⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,11536194444951083507,9275605623358564160,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2300 /prefetch:8
2⤵
PID:924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,11536194444951083507,9275605623358564160,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3160 /prefetch:1
2⤵
PID:1648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3252,i,11536194444951083507,9275605623358564160,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3412 /prefetch:1
2⤵
PID:2384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4576,i,11536194444951083507,9275605623358564160,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4556 /prefetch:1
2⤵
PID:1580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4744,i,11536194444951083507,9275605623358564160,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3688 /prefetch:1
2⤵
PID:3172

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1480

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

1

T1217

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
144B

MD5
cf452588d298cfd2fb283b9ba5f4cedb

SHA1
f58a9c8b8dea6d93b7c56bff946d4a7889b757e4

SHA256
e63a52c4f044b52ed6266485a07181521221c5b1da78611adc92582ac911d25e

SHA512
311c5bd47838fea327670d3a26d2d25f9fa727f091176aa092e261fd6761fbe902daef6b3b6839a012bcb4f8ebae596221954acddcc022c2621b5f4407196a95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
f433e3e3402d5d4a212ed7f2976ffeea

SHA1
06e73e25878b23658ec9929fb108e6285d5e0c00

SHA256
e52b15af0ea46bd821808af7d0ba9313a267ef185e1acbf3e35e2f323a39f951

SHA512
218a79b36f124ea6951884518a2ac41fa64aa02a67aee1008fd7e77b045c757d877922e913386b25ee58453b20d90ea5ae3689cef632f5e4aaf7105e4d2a571f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
c8a87bb068c9655a336588780d665a20

SHA1
082f57f0c65c1fee4c1e4307b737b0db6ca996bf

SHA256
e73418c9dc2e97b8595e45d7855374fdbe0d8e63d67b318d461c43b36c8e9087

SHA512
683b81de668d60562f7387d7d74ea2bbf259666b4d1b785f96106a9e2836ee9f05e1fb19c9bc95ef3434b144ffda0ecb8275a563b3e52f935ba0e0f0aed52eca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
e98f2d7fa137a93005a4fe66db37f6f1

SHA1
b41d14d36c45f014dbf15be942a5ae30942bee4e

SHA256
282da18948fc5d4232280e8a3f13ae3e86334417958c322740631509d37c8064

SHA512
f04a1ad8c42c31200bbfc87d0da5fae9845d00f39803a2a00330de587a949475cd6892c20aad3c03c3fa5efdff2953a630e8cf0646ff2c8a25473306a26c4ae0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
100KB

MD5
6f3420b7f46c1fb4207ad8d50ee0ce62

SHA1
f47e5797a1b74e913fc548fbf49f4a33c44dc10c

SHA256
7a55c92595588419a684807e9f80fb7ca9365b820bf1b48935f0cc763b74cd21

SHA512
58607b224d1bde74c2341cf089094f9914e93ccd2345fe1fefb958de121caa89f5c6be5bb17987cc365be906406aa28370f8a4cf46c0ceb81c88bd09398d7474

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
\??\pipe\crashpad_3496_GWBRZTGLKOOPYSCO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3044-4-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/3044-8-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/3044-7-0x000000007478E000-0x000000007478F000-memory.dmp

Filesize
4KB

Download
memory/3044-6-0x00000000095F0000-0x00000000095FE000-memory.dmp

Filesize
56KB

Download
memory/3044-5-0x0000000009610000-0x0000000009648000-memory.dmp

Filesize
224KB

Download
memory/3044-0-0x000000007478E000-0x000000007478F000-memory.dmp

Filesize
4KB

Download
memory/3044-3-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/3044-2-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/3044-1-0x0000000000380000-0x0000000000512000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads