3251be108d2d1034710276af57fa4dd96692cd3cf9f0b3e9045528a4f32cb775

Analysis

max time kernel
41s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/08/2024, 04:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

wave_bypass.exe
Size

25.6MB
MD5

bb86d90e6f8a455a3de78ab876f915d1
SHA1

6e216c2c17c066831c3a663d2c194cccc8799795
SHA256

3251be108d2d1034710276af57fa4dd96692cd3cf9f0b3e9045528a4f32cb775
SHA512

2be3bf5270a7a8516af9f3836eb82f5b74b82da52be581cf122f4d3f35bebee32c0782001f3e4475452f3f47c140cd8dd3f355be24d59cf50fb98049d6f8e757
SSDEEP

393216:HitBxmzN05GC7NSSjMKKBe7gpEgc/s0WVGwGAd4G+JH5GE5p3BmGHgsh+SwlcxV1:mBFjxjHgrZjzdKHcEtb7MJt8r

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	wave_bypass.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wave_bypass.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	wave_bypass.exe

Loads dropped DLL 6 IoCs

pid	Process
2812	wave_bypass.exe
2812	wave_bypass.exe
2812	wave_bypass.exe
2812	wave_bypass.exe
2812	wave_bypass.exe
2812	wave_bypass.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/2812-0-0x0000000140000000-0x0000000144B43000-memory.dmp	themida
behavioral2/memory/2812-11-0x0000000140000000-0x0000000144B43000-memory.dmp	themida
behavioral2/memory/2812-12-0x0000000140000000-0x0000000144B43000-memory.dmp	themida
behavioral2/memory/2812-13-0x0000000140000000-0x0000000144B43000-memory.dmp	themida
behavioral2/memory/2812-14-0x0000000140000000-0x0000000144B43000-memory.dmp	themida
behavioral2/memory/2812-29-0x0000000140000000-0x0000000144B43000-memory.dmp	themida
behavioral2/memory/2812-150-0x0000000140000000-0x0000000144B43000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wave_bypass.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2812	wave_bypass.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
4584	reg.exe
2192	reg.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3800	wmic.exe
Token: SeSecurityPrivilege	3800	wmic.exe
Token: SeTakeOwnershipPrivilege	3800	wmic.exe
Token: SeLoadDriverPrivilege	3800	wmic.exe
Token: SeSystemProfilePrivilege	3800	wmic.exe
Token: SeSystemtimePrivilege	3800	wmic.exe
Token: SeProfSingleProcessPrivilege	3800	wmic.exe
Token: SeIncBasePriorityPrivilege	3800	wmic.exe
Token: SeCreatePagefilePrivilege	3800	wmic.exe
Token: SeBackupPrivilege	3800	wmic.exe
Token: SeRestorePrivilege	3800	wmic.exe
Token: SeShutdownPrivilege	3800	wmic.exe
Token: SeDebugPrivilege	3800	wmic.exe
Token: SeSystemEnvironmentPrivilege	3800	wmic.exe
Token: SeRemoteShutdownPrivilege	3800	wmic.exe
Token: SeUndockPrivilege	3800	wmic.exe
Token: SeManageVolumePrivilege	3800	wmic.exe
Token: 33	3800	wmic.exe
Token: 34	3800	wmic.exe
Token: 35	3800	wmic.exe
Token: 36	3800	wmic.exe
Token: SeIncreaseQuotaPrivilege	3800	wmic.exe
Token: SeSecurityPrivilege	3800	wmic.exe
Token: SeTakeOwnershipPrivilege	3800	wmic.exe
Token: SeLoadDriverPrivilege	3800	wmic.exe
Token: SeSystemProfilePrivilege	3800	wmic.exe
Token: SeSystemtimePrivilege	3800	wmic.exe
Token: SeProfSingleProcessPrivilege	3800	wmic.exe
Token: SeIncBasePriorityPrivilege	3800	wmic.exe
Token: SeCreatePagefilePrivilege	3800	wmic.exe
Token: SeBackupPrivilege	3800	wmic.exe
Token: SeRestorePrivilege	3800	wmic.exe
Token: SeShutdownPrivilege	3800	wmic.exe
Token: SeDebugPrivilege	3800	wmic.exe
Token: SeSystemEnvironmentPrivilege	3800	wmic.exe
Token: SeRemoteShutdownPrivilege	3800	wmic.exe
Token: SeUndockPrivilege	3800	wmic.exe
Token: SeManageVolumePrivilege	3800	wmic.exe
Token: 33	3800	wmic.exe
Token: 34	3800	wmic.exe
Token: 35	3800	wmic.exe
Token: 36	3800	wmic.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 4256	2812	wave_bypass.exe	93
PID 2812 wrote to memory of 4256	2812	wave_bypass.exe	93
PID 4256 wrote to memory of 4584	4256	cmd.exe	94
PID 4256 wrote to memory of 4584	4256	cmd.exe	94
PID 2812 wrote to memory of 2640	2812	wave_bypass.exe	95
PID 2812 wrote to memory of 2640	2812	wave_bypass.exe	95
PID 2640 wrote to memory of 2192	2640	cmd.exe	96
PID 2640 wrote to memory of 2192	2640	cmd.exe	96
PID 2812 wrote to memory of 3800	2812	wave_bypass.exe	98
PID 2812 wrote to memory of 3800	2812	wave_bypass.exe	98
PID 2812 wrote to memory of 1944	2812	wave_bypass.exe	100
PID 2812 wrote to memory of 1944	2812	wave_bypass.exe	100
PID 2812 wrote to memory of 1724	2812	wave_bypass.exe	101
PID 2812 wrote to memory of 1724	2812	wave_bypass.exe	101
PID 1724 wrote to memory of 4084	1724	cmd.exe	102
PID 1724 wrote to memory of 4084	1724	cmd.exe	102
PID 2812 wrote to memory of 1652	2812	wave_bypass.exe	103
PID 2812 wrote to memory of 1652	2812	wave_bypass.exe	103
PID 2812 wrote to memory of 4880	2812	wave_bypass.exe	104
PID 2812 wrote to memory of 4880	2812	wave_bypass.exe	104

C:\Users\Admin\AppData\Local\Temp\wave_bypass.exe
"C:\Users\Admin\AppData\Local\Temp\wave_bypass.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKCU\Console\%%Startup /v DelegationConsole /t REG_SZ /d {B23D10C0-E52E-411E-9D5B-C09FDF709C7D} /f > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Windows\system32\reg.exe
    reg add HKCU\Console\%%Startup /v DelegationConsole /t REG_SZ /d {B23D10C0-E52E-411E-9D5B-C09FDF709C7D} /f
    3⤵
    - Modifies registry key
    PID:4584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKCU\Console\%%Startup /v DelegationTerminal /t REG_SZ /d {B23D10C0-E52E-411E-9D5B-C09FDF709C7D} /f > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\system32\reg.exe
    reg add HKCU\Console\%%Startup /v DelegationTerminal /t REG_SZ /d {B23D10C0-E52E-411E-9D5B-C09FDF709C7D} /f
    3⤵
    - Modifies registry key
    PID:2192
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mode con: cols=99 lines=33
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\system32\mode.com
    mode con: cols=99 lines=33
    3⤵
    PID:4084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 09
  2⤵
  PID:1652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c title WAVE BYPASS
  2⤵
  PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\31840d97.dll

Filesize
10KB

MD5
68c9742fd2d25e0eee1be7da6362adc0

SHA1
fd494a53bbca9b3b3016370608fa8e9fa3d73715

SHA256
0df39782cc8d7b3629c7cd33887d059268d806edede579a8d5da0252c142ebb6

SHA512
6aa7115444e4a6e5c0e52d5892fa2ce63d72864c56798e5abaf030270d9ef810f2da886b3a0e7a96549c1fb3dd754facb63025032179eef605d36a40d961a84e

Download Submit
C:\Users\Admin\AppData\Local\Temp\31840d98.dll

Filesize
10KB

MD5
d0b0669374e69be483c04e0bc7c18caf

SHA1
33dd016fe5ba76ae45c1444a6defa1f5afbd0556

SHA256
c9e3daa7fe44f7599826c93286956b10c452ae5344264b2c751efbd5698f32f5

SHA512
13695a52101da7858acbf2bc26e8d711105e0bcc83f9f8787622a134427ace971f93cae4801b2c7e875b5272795b987cdc9bde06e4b59822dda9e8febab6c529

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libssl-3.dll

Filesize
768KB

MD5
19a2aba25456181d5fb572d88ac0e73e

SHA1
656ca8cdfc9c3a6379536e2027e93408851483db

SHA256
2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

SHA512
df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcruntime140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
memory/2812-47-0x00000000030E0000-0x00000000030F6000-memory.dmp

Filesize
88KB

Download
memory/2812-54-0x0000000003070000-0x0000000003079000-memory.dmp

Filesize
36KB

Download
memory/2812-13-0x0000000140000000-0x0000000144B43000-memory.dmp

Filesize
75.3MB

Download
memory/2812-14-0x0000000140000000-0x0000000144B43000-memory.dmp

Filesize
75.3MB

Download
memory/2812-29-0x0000000140000000-0x0000000144B43000-memory.dmp

Filesize
75.3MB

Download
memory/2812-11-0x0000000140000000-0x0000000144B43000-memory.dmp

Filesize
75.3MB

Download
memory/2812-33-0x0000000003080000-0x0000000003091000-memory.dmp

Filesize
68KB

Download
memory/2812-39-0x0000000003060000-0x0000000003068000-memory.dmp

Filesize
32KB

Download
memory/2812-40-0x0000000003060000-0x0000000003068000-memory.dmp

Filesize
32KB

Download
memory/2812-2-0x00007FFDA8340000-0x00007FFDA83FE000-memory.dmp

Filesize
760KB

Download
memory/2812-12-0x0000000140000000-0x0000000144B43000-memory.dmp

Filesize
75.3MB

Download
memory/2812-15-0x0000000180000000-0x00000001806A7000-memory.dmp

Filesize
6.7MB

Download
memory/2812-46-0x00000000030E0000-0x00000000030F6000-memory.dmp

Filesize
88KB

Download
memory/2812-63-0x00000000043A0000-0x00000000043CD000-memory.dmp

Filesize
180KB

Download
memory/2812-72-0x0000000003100000-0x000000000310B000-memory.dmp

Filesize
44KB

Download
memory/2812-0-0x0000000140000000-0x0000000144B43000-memory.dmp

Filesize
75.3MB

Download
memory/2812-79-0x0000000004DD0000-0x0000000004E53000-memory.dmp

Filesize
524KB

Download
memory/2812-85-0x0000000003110000-0x0000000003119000-memory.dmp

Filesize
36KB

Download
memory/2812-88-0x0000000003110000-0x0000000003119000-memory.dmp

Filesize
36KB

Download
memory/2812-1-0x00007FFDA835B000-0x00007FFDA835C000-memory.dmp

Filesize
4KB

Download
memory/2812-150-0x0000000140000000-0x0000000144B43000-memory.dmp

Filesize
75.3MB

Download
memory/2812-151-0x00007FFDA8340000-0x00007FFDA83FE000-memory.dmp

Filesize
760KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads