Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
8Static
static
8Wave.zip
windows7-x64
1Wave.zip
windows10-2004-x64
1Wave/CefSh...re.dll
windows7-x64
3Wave/CefSh...re.dll
windows10-2004-x64
3Wave/CefSh...ss.exe
windows7-x64
3Wave/CefSh...ss.exe
windows10-2004-x64
3Wave/CefSh...me.dll
windows7-x64
3Wave/CefSh...me.dll
windows10-2004-x64
3Wave/CefSh...re.dll
windows7-x64
1Wave/CefSh...re.dll
windows10-2004-x64
1Wave/CefSharp.Wpf.dll
windows7-x64
1Wave/CefSharp.Wpf.dll
windows10-2004-x64
1Wave/CefSharp.dll
windows7-x64
1Wave/CefSharp.dll
windows10-2004-x64
1Wave/bin/B...nd.mp4
windows7-x64
1Wave/bin/B...nd.mp4
windows10-2004-x64
6Wave/chrom...nt.pak
windows7-x64
3Wave/chrom...nt.pak
windows10-2004-x64
3Wave/chrom...nt.pak
windows7-x64
3Wave/chrom...nt.pak
windows10-2004-x64
3Wave/debug.log
windows7-x64
1Wave/debug.log
windows10-2004-x64
1Wave/icudtl.dat
windows7-x64
3Wave/icudtl.dat
windows10-2004-x64
3Wave/local...US.pak
windows7-x64
3Wave/local...US.pak
windows10-2004-x64
3Wave/resources.pak
windows7-x64
3Wave/resources.pak
windows10-2004-x64
3Wave/v8_co...ot.bin
windows7-x64
3Wave/v8_co...ot.bin
windows10-2004-x64
3Wave/works...et.txt
windows7-x64
1Wave/works...et.txt
windows10-2004-x64
1Analysis
-
max time kernel
150s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
14/08/2024, 20:47
Behavioral task
behavioral1
Sample
Wave.zip
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
Wave.zip
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
Wave/CefSharp.BrowserSubprocess.Core.dll
Resource
win7-20240705-en
Behavioral task
behavioral4
Sample
Wave/CefSharp.BrowserSubprocess.Core.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
Wave/CefSharp.BrowserSubprocess.exe
Resource
win7-20240729-en
Behavioral task
behavioral6
Sample
Wave/CefSharp.BrowserSubprocess.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
Wave/CefSharp.Core.Runtime.dll
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
Wave/CefSharp.Core.Runtime.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
Wave/CefSharp.Core.dll
Resource
win7-20240708-en
Behavioral task
behavioral10
Sample
Wave/CefSharp.Core.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
Wave/CefSharp.Wpf.dll
Resource
win7-20240708-en
Behavioral task
behavioral12
Sample
Wave/CefSharp.Wpf.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
Wave/CefSharp.dll
Resource
win7-20240704-en
Behavioral task
behavioral14
Sample
Wave/CefSharp.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
Wave/bin/Background.mp4
Resource
win7-20240704-en
Behavioral task
behavioral16
Sample
Wave/bin/Background.mp4
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
Wave/chrome_100_percent.pak
Resource
win7-20240704-en
Behavioral task
behavioral18
Sample
Wave/chrome_100_percent.pak
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
Wave/chrome_200_percent.pak
Resource
win7-20240705-en
Behavioral task
behavioral20
Sample
Wave/chrome_200_percent.pak
Resource
win10v2004-20240802-en
Behavioral task
behavioral21
Sample
Wave/debug.log
Resource
win7-20240705-en
Behavioral task
behavioral22
Sample
Wave/debug.log
Resource
win10v2004-20240802-en
Behavioral task
behavioral23
Sample
Wave/icudtl.dat
Resource
win7-20240705-en
Behavioral task
behavioral24
Sample
Wave/icudtl.dat
Resource
win10v2004-20240802-en
Behavioral task
behavioral25
Sample
Wave/locales/en-US.pak
Resource
win7-20240708-en
Behavioral task
behavioral26
Sample
Wave/locales/en-US.pak
Resource
win10v2004-20240802-en
Behavioral task
behavioral27
Sample
Wave/resources.pak
Resource
win7-20240704-en
Behavioral task
behavioral28
Sample
Wave/resources.pak
Resource
win10v2004-20240802-en
Behavioral task
behavioral29
Sample
Wave/v8_context_snapshot.bin
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
Wave/v8_context_snapshot.bin
Resource
win10v2004-20240802-en
Behavioral task
behavioral31
Sample
Wave/workspace/.tests/getcustomasset.txt
Resource
win7-20240729-en
Behavioral task
behavioral32
Sample
Wave/workspace/.tests/getcustomasset.txt
Resource
win10v2004-20240802-en
General
-
Target
Wave/bin/Background.mp4
-
Size
4.6MB
-
MD5
9782180eb68f73030fe24ef6a1735932
-
SHA1
589827fe098ba048c9f871a28db8eae3e3537ff4
-
SHA256
3a1cbb800f8f25c2ab703ba8bfdb01e938e4143c3bc0fea8ca734fb5ba779ba7
-
SHA512
dc768638bae2d6d47d8910252ae64a656d8a6fd88efdf24165ddce51b7afdb4acb3fddd41dfe788737a2cab4fab66174db2f0d2f48bc8669af76d1656bca8be1
-
SSDEEP
98304:xs/6Ldccul3Wn48btjNEkPSFTaIwJ0Mt6KNY:xs/Gul3EvEmFItMkb
Malware Config
Signatures
-
Drops desktop.ini file(s) 7 IoCs
description ioc Process File opened for modification C:\Users\Admin\Music\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\Music\desktop.ini wmplayer.exe File opened for modification C:\Users\Admin\Videos\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\Videos\desktop.ini wmplayer.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\Pictures\desktop.ini wmplayer.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\K: unregmp2.exe File opened (read-only) \??\L: unregmp2.exe File opened (read-only) \??\O: unregmp2.exe File opened (read-only) \??\V: unregmp2.exe File opened (read-only) \??\P: wmplayer.exe File opened (read-only) \??\V: wmplayer.exe File opened (read-only) \??\A: unregmp2.exe File opened (read-only) \??\P: unregmp2.exe File opened (read-only) \??\T: unregmp2.exe File opened (read-only) \??\X: unregmp2.exe File opened (read-only) \??\W: wmplayer.exe File opened (read-only) \??\Y: wmplayer.exe File opened (read-only) \??\Z: wmplayer.exe File opened (read-only) \??\G: unregmp2.exe File opened (read-only) \??\N: unregmp2.exe File opened (read-only) \??\A: wmplayer.exe File opened (read-only) \??\K: wmplayer.exe File opened (read-only) \??\H: unregmp2.exe File opened (read-only) \??\B: wmplayer.exe File opened (read-only) \??\G: wmplayer.exe File opened (read-only) \??\N: wmplayer.exe File opened (read-only) \??\S: unregmp2.exe File opened (read-only) \??\H: wmplayer.exe File opened (read-only) \??\Q: wmplayer.exe File opened (read-only) \??\S: wmplayer.exe File opened (read-only) \??\E: wmplayer.exe File opened (read-only) \??\B: unregmp2.exe File opened (read-only) \??\E: unregmp2.exe File opened (read-only) \??\I: unregmp2.exe File opened (read-only) \??\U: unregmp2.exe File opened (read-only) \??\W: unregmp2.exe File opened (read-only) \??\Y: unregmp2.exe File opened (read-only) \??\Z: unregmp2.exe File opened (read-only) \??\J: wmplayer.exe File opened (read-only) \??\L: wmplayer.exe File opened (read-only) \??\R: wmplayer.exe File opened (read-only) \??\J: unregmp2.exe File opened (read-only) \??\M: unregmp2.exe File opened (read-only) \??\Q: unregmp2.exe File opened (read-only) \??\M: wmplayer.exe File opened (read-only) \??\O: wmplayer.exe File opened (read-only) \??\T: wmplayer.exe File opened (read-only) \??\R: unregmp2.exe File opened (read-only) \??\I: wmplayer.exe File opened (read-only) \??\U: wmplayer.exe File opened (read-only) \??\X: wmplayer.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll svchost.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmplayer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language unregmp2.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{21C20BB8-BBF9-41BE-9740-94F847713D36} wmplayer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer wmplayer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}" wmplayer.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeShutdownPrivilege 4872 wmplayer.exe Token: SeCreatePagefilePrivilege 4872 wmplayer.exe Token: SeShutdownPrivilege 1652 unregmp2.exe Token: SeCreatePagefilePrivilege 1652 unregmp2.exe Token: 33 4536 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 4536 AUDIODG.EXE Token: SeShutdownPrivilege 4872 wmplayer.exe Token: SeCreatePagefilePrivilege 4872 wmplayer.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4872 wmplayer.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4872 wrote to memory of 3932 4872 wmplayer.exe 85 PID 4872 wrote to memory of 3932 4872 wmplayer.exe 85 PID 4872 wrote to memory of 3932 4872 wmplayer.exe 85 PID 3932 wrote to memory of 1652 3932 unregmp2.exe 86 PID 3932 wrote to memory of 1652 3932 unregmp2.exe 86
Processes
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Wave\bin\Background.mp4"1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:1652
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵
- Drops file in Windows directory
PID:2232
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x51c 0x4941⤵
- Suspicious use of AdjustPrivilegeToken
PID:4536
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5987a07b978cfe12e4ce45e513ef86619
SHA122eec9a9b2e83ad33bedc59e3205f86590b7d40c
SHA256f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8
SHA51239b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa
-
Filesize
1024KB
MD5c0405c55a93a0c034c7518fbd5b450c6
SHA1341ff12022d40bc5185efec001efcbcb477593ff
SHA256d41f2fc73cf70cc749abccd13bcf911aa19f9dc47fd7c233b38deff5df8743aa
SHA512f2b05977f5d63e5ae8068d7c1806c847ebe1f01e7ab1e96080dc470919a462853b839d90dd81a5b8cbb9e674e6f45dbc2ddab24ea9b8d3c146fea14ccf23207c
-
Filesize
68KB
MD5bb83990f7d80cb970a430c7809566003
SHA172fb30564ebd5da94a501be6540699b51a2dc73a
SHA25661404e2cd47b888f75e2342e9aa8630e39a624e667bdd745d040052ea071edfe
SHA512c654511614dad83f7c85557baa2c32a4f7fa9ebf52fccf5ddf3c343aa4c82d75c92d02a18a3e3d93512bef1af60ab3d292273a68aa04e0de90055bb805107f7d
-
Filesize
498B
MD590be2701c8112bebc6bd58a7de19846e
SHA1a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
1KB
MD5eb17eefd5fa89279412e3b0b6d3633e8
SHA19045000ab898a83afa124654ea1f95f57839661e
SHA256292df214df67f4c096515b91e61996f5d70f54571a592e4a8a3fd32725d739fc
SHA5123068339a5cbfcd7f7a428b9f7a6c8e53fc66869cebfefa7ca2ac1b1ac5a7bc9324265bfb6e72f146cb6dd4642b9a692a9ebd8fa8570f49b0348108d92f250da0