b9fed63092fd3154e4326de6063a6f9e51fde3e330d29379926090b515587681

Analysis

max time kernel
139s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DarkWave boostrap.exe
Size

2.5MB
MD5

213a74d525e22d4529e75d30d3c1d45b
SHA1

fd978ec2732d96c9b10b15305d796b8492706a44
SHA256

b9fed63092fd3154e4326de6063a6f9e51fde3e330d29379926090b515587681
SHA512

00b0f94719dad2d19803f54e02253a7df0a1d93bd7504528fe751285475c2baedf975543c8174d95abe77e394746fb853880544fee071706e6005887e5458f5e
SSDEEP

49152:3BC9Nl4EO7xPfu+vUHAvrQB612eJany5NNcilnVfWRCD:xYNlaxuHArQMJJB7VVuRY

Score

9^/10

credential_access discovery evasion spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	DarkWave boostrap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	ChainRefBrokermonitorNet.exe

Executes dropped EXE 2 IoCs

pid	Process
4868	ChainRefBrokermonitorNet.exe
764	services.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkWave boostrap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	DarkWave boostrap.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	ChainRefBrokermonitorNet.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1408	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe
4868	ChainRefBrokermonitorNet.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4868	ChainRefBrokermonitorNet.exe
Token: SeDebugPrivilege	764	services.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 2776	828	DarkWave boostrap.exe	87
PID 828 wrote to memory of 2776	828	DarkWave boostrap.exe	87
PID 828 wrote to memory of 2776	828	DarkWave boostrap.exe	87
PID 2776 wrote to memory of 1252	2776	WScript.exe	95
PID 2776 wrote to memory of 1252	2776	WScript.exe	95
PID 2776 wrote to memory of 1252	2776	WScript.exe	95
PID 1252 wrote to memory of 1408	1252	cmd.exe	97
PID 1252 wrote to memory of 1408	1252	cmd.exe	97
PID 1252 wrote to memory of 1408	1252	cmd.exe	97
PID 1252 wrote to memory of 4868	1252	cmd.exe	98
PID 1252 wrote to memory of 4868	1252	cmd.exe	98
PID 4868 wrote to memory of 5064	4868	ChainRefBrokermonitorNet.exe	99
PID 4868 wrote to memory of 5064	4868	ChainRefBrokermonitorNet.exe	99
PID 5064 wrote to memory of 4712	5064	cmd.exe	101
PID 5064 wrote to memory of 4712	5064	cmd.exe	101
PID 5064 wrote to memory of 2512	5064	cmd.exe	102
PID 5064 wrote to memory of 2512	5064	cmd.exe	102
PID 5064 wrote to memory of 764	5064	cmd.exe	106
PID 5064 wrote to memory of 764	5064	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\DarkWave boostrap.exe
"C:\Users\Admin\AppData\Local\Temp\DarkWave boostrap.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:828
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\msnet\FamJL3jtoTyFrda82Yb0JY9iJmI8NT2x1zWl.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\msnet\hAgbALGNeQRptwxVZmIkdLB2.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1408
  - - C:\msnet\ChainRefBrokermonitorNet.exe
      "C:\msnet/ChainRefBrokermonitorNet.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4868
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AzI5bRasoA.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5064
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4712
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2512
      - C:\Users\Admin\Application Data\services.exe
        
        "C:\Users\Admin\Application Data\services.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AzI5bRasoA.bat

Filesize
220B

MD5
6d8991742cc812cf7b4c8433f873a1fd

SHA1
ab86dc8772c1d97a712fb5ce11812199d5188ddc

SHA256
89d969617c8f0e0741d364b5ded991deec3be91d1b35edcc8e66e943d8b59d9f

SHA512
e3b3dd0a65c9196052b97d1e98d5c73bd221f78a14fa458fb909b98c0003249522e556a27528eb091b272e41c37c2980ed41913956f2b60644605267c0fcad6a

Download Submit
C:\msnet\ChainRefBrokermonitorNet.exe

Filesize
2.2MB

MD5
7d5fce6d7240cf2da41113707dfca138

SHA1
184af9016ed6bb147116224bb09597d207387f5f

SHA256
a93150d90eff860ca9660bd13a663dac1027a0c7dc22c3ee839bafcce4984bfa

SHA512
3ed02ab90f78d2cc8e40923595c8148802122bd89bc076fd66e8efde7ad00a5a07d08cb3618a04c1d98003dcdb4dc5c24d51a035eaaae7ee9fdbe5b9700ea0a2

Download Submit
C:\msnet\FamJL3jtoTyFrda82Yb0JY9iJmI8NT2x1zWl.vbe

Filesize
208B

MD5
bb402dd37ccddf3aeb62319d6d8441e7

SHA1
8440a6578d443dccb0a0ad858c3751a7b094818e

SHA256
52a94c6eefa163f00c62cab0fc4b90b8bc766aa9a0c40ca3d191b441fdd4ab21

SHA512
440f56ae851e2446b5ff78475da3b2f5627fd9a38d7e988ed1cf76452029a844ba862abc76e7a1bef9eb40de0e3cb8ffca5ff046ca68193c8621ada843126107

Download Submit
C:\msnet\hAgbALGNeQRptwxVZmIkdLB2.bat

Filesize
203B

MD5
cd40d9fbf7b77f6d592f67d8f4d655ce

SHA1
e166c7455e1554e014e461d05f60c318b5c370ee

SHA256
6834e359b444d07121bc7822bcbe95c3b08069f515d4ccc71b233b36d45b67d7

SHA512
18aa58f6f04ffe7f2d4a00e160b92920282f84eb0f674c749d23184f3aa677fd79bc4a9ecb679d03df3663ca6b4cfc4d1a2d77727460179492398976a6d1eb33

Download Submit
memory/4868-18-0x00000000027F0000-0x000000000280C000-memory.dmp

Filesize
112KB

Download
memory/4868-16-0x0000000000BD0000-0x0000000000BDE000-memory.dmp

Filesize
56KB

Download
memory/4868-14-0x000000001B2D0000-0x000000001B2F6000-memory.dmp

Filesize
152KB

Download
memory/4868-19-0x000000001C700000-0x000000001C750000-memory.dmp

Filesize
320KB

Download
memory/4868-21-0x0000000000F80000-0x0000000000F90000-memory.dmp

Filesize
64KB

Download
memory/4868-23-0x000000001B120000-0x000000001B138000-memory.dmp

Filesize
96KB

Download
memory/4868-25-0x00000000026B0000-0x00000000026C0000-memory.dmp

Filesize
64KB

Download
memory/4868-27-0x00000000026C0000-0x00000000026CE000-memory.dmp

Filesize
56KB

Download
memory/4868-29-0x000000001C6B0000-0x000000001C6C8000-memory.dmp

Filesize
96KB

Download
memory/4868-31-0x000000001B140000-0x000000001B14C000-memory.dmp

Filesize
48KB

Download
memory/4868-12-0x00000000002D0000-0x000000000050C000-memory.dmp

Filesize
2.2MB

Download