Overview

overview

9

Static

static

7

wave_bypass.exe

windows11-21h2-x64

9

Resubmissions

11/08/2024, 11:35

240811-npz15sxenn 9

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    11/08/2024, 11:35

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    wave_bypass.exe

  • Size

    25.6MB

  • MD5

    bb86d90e6f8a455a3de78ab876f915d1

  • SHA1

    6e216c2c17c066831c3a663d2c194cccc8799795

  • SHA256

    3251be108d2d1034710276af57fa4dd96692cd3cf9f0b3e9045528a4f32cb775

  • SHA512

    2be3bf5270a7a8516af9f3836eb82f5b74b82da52be581cf122f4d3f35bebee32c0782001f3e4475452f3f47c140cd8dd3f355be24d59cf50fb98049d6f8e757

  • SSDEEP

    393216:HitBxmzN05GC7NSSjMKKBe7gpEgc/s0WVGwGAd4G+JH5GE5p3BmGHgsh+SwlcxV1:mBFjxjHgrZjzdKHcEtb7MJt8r

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 6 IoCs
  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\wave_bypass.exe
    "C:\Users\Admin\AppData\Local\Temp\wave_bypass.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:3620
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add HKCU\Console\%%Startup /v DelegationConsole /t REG_SZ /d {B23D10C0-E52E-411E-9D5B-C09FDF709C7D} /f > nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3520
      • C:\Windows\system32\reg.exe
        reg add HKCU\Console\%%Startup /v DelegationConsole /t REG_SZ /d {B23D10C0-E52E-411E-9D5B-C09FDF709C7D} /f
        3⤵
        • Modifies registry key
        PID:3388
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add HKCU\Console\%%Startup /v DelegationTerminal /t REG_SZ /d {B23D10C0-E52E-411E-9D5B-C09FDF709C7D} /f > nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3432
      • C:\Windows\system32\reg.exe
        reg add HKCU\Console\%%Startup /v DelegationTerminal /t REG_SZ /d {B23D10C0-E52E-411E-9D5B-C09FDF709C7D} /f
        3⤵
        • Modifies registry key
        PID:2076
    • C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1652
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
        PID:4344
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c mode con: cols=99 lines=33
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4836
        • C:\Windows\system32\mode.com
          mode con: cols=99 lines=33
          3⤵
            PID:556
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c color 09
          2⤵
            PID:3932
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c title WAVE BYPASS
            2⤵
              PID:5012

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\31840d97.dll
                  Filesize

                  10KB

                  MD5

                  68c9742fd2d25e0eee1be7da6362adc0

                  SHA1

                  fd494a53bbca9b3b3016370608fa8e9fa3d73715

                  SHA256

                  0df39782cc8d7b3629c7cd33887d059268d806edede579a8d5da0252c142ebb6

                  SHA512

                  6aa7115444e4a6e5c0e52d5892fa2ce63d72864c56798e5abaf030270d9ef810f2da886b3a0e7a96549c1fb3dd754facb63025032179eef605d36a40d961a84e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\31840d98.dll
                  Filesize

                  10KB

                  MD5

                  d0b0669374e69be483c04e0bc7c18caf

                  SHA1

                  33dd016fe5ba76ae45c1444a6defa1f5afbd0556

                  SHA256

                  c9e3daa7fe44f7599826c93286956b10c452ae5344264b2c751efbd5698f32f5

                  SHA512

                  13695a52101da7858acbf2bc26e8d711105e0bcc83f9f8787622a134427ace971f93cae4801b2c7e875b5272795b987cdc9bde06e4b59822dda9e8febab6c529

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\libcrypto-3.dll
                  Filesize

                  5.0MB

                  MD5

                  e547cf6d296a88f5b1c352c116df7c0c

                  SHA1

                  cafa14e0367f7c13ad140fd556f10f320a039783

                  SHA256

                  05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

                  SHA512

                  9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\libssl-3.dll
                  Filesize

                  768KB

                  MD5

                  19a2aba25456181d5fb572d88ac0e73e

                  SHA1

                  656ca8cdfc9c3a6379536e2027e93408851483db

                  SHA256

                  2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

                  SHA512

                  df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll
                  Filesize

                  116KB

                  MD5

                  be8dbe2dc77ebe7f88f910c61aec691a

                  SHA1

                  a19f08bb2b1c1de5bb61daf9f2304531321e0e40

                  SHA256

                  4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

                  SHA512

                  0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\vcruntime140_1.dll
                  Filesize

                  48KB

                  MD5

                  f8dfa78045620cf8a732e67d1b1eb53d

                  SHA1

                  ff9a604d8c99405bfdbbf4295825d3fcbc792704

                  SHA256

                  a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

                  SHA512

                  ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

                  Download Submit

                • memory/3620-13-0x0000000140000000-0x0000000144B43000-memory.dmp

                  Filesize

                  75.3MB

                  Download

                • memory/3620-52-0x0000000004200000-0x0000000004209000-memory.dmp

                  Filesize

                  36KB

                  Download

                • memory/3620-12-0x0000000140000000-0x0000000144B43000-memory.dmp

                  Filesize

                  75.3MB

                  Download

                • memory/3620-14-0x0000000140000000-0x0000000144B43000-memory.dmp

                  Filesize

                  75.3MB

                  Download

                • memory/3620-29-0x0000000003FE0000-0x0000000003FF1000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/3620-39-0x0000000003FD0000-0x0000000003FD8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/3620-38-0x0000000003FD0000-0x0000000003FD8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/3620-45-0x0000000004220000-0x0000000004236000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/3620-11-0x0000000140000000-0x0000000144B43000-memory.dmp

                  Filesize

                  75.3MB

                  Download

                • memory/3620-32-0x0000000003FE0000-0x0000000003FF1000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/3620-15-0x0000000180000000-0x00000001806A7000-memory.dmp

                  Filesize

                  6.7MB

                  Download

                • memory/3620-59-0x0000000004270000-0x000000000429D000-memory.dmp

                  Filesize

                  180KB

                  Download

                • memory/3620-53-0x0000000004200000-0x0000000004209000-memory.dmp

                  Filesize

                  36KB

                  Download

                • memory/3620-0-0x0000000140000000-0x0000000144B43000-memory.dmp

                  Filesize

                  75.3MB

                  Download

                • memory/3620-46-0x0000000004220000-0x0000000004236000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/3620-62-0x0000000004270000-0x000000000429D000-memory.dmp

                  Filesize

                  180KB

                  Download

                • memory/3620-2-0x00007FFD7D150000-0x00007FFD7D20D000-memory.dmp

                  Filesize

                  756KB

                  Download

                • memory/3620-71-0x0000000004210000-0x000000000421B000-memory.dmp

                  Filesize

                  44KB

                  Download

                • memory/3620-77-0x00000000068D0000-0x0000000006953000-memory.dmp

                  Filesize

                  524KB

                  Download

                • memory/3620-78-0x00000000068D0000-0x0000000006953000-memory.dmp

                  Filesize

                  524KB

                  Download

                • memory/3620-84-0x00000000042A0000-0x00000000042A9000-memory.dmp

                  Filesize

                  36KB

                  Download

                • memory/3620-85-0x00000000042A0000-0x00000000042A9000-memory.dmp

                  Filesize

                  36KB

                  Download

                • memory/3620-1-0x00007FFD7D16A000-0x00007FFD7D16B000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3620-150-0x0000000140000000-0x0000000144B43000-memory.dmp

                  Filesize

                  75.3MB

                  Download

                • memory/3620-151-0x00007FFD7D150000-0x00007FFD7D20D000-memory.dmp

                  Filesize

                  756KB

                  Download