Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
8Static
static
8Wave.zip
windows7-x64
1Wave.zip
windows10-2004-x64
1Wave/CefSh...re.dll
windows7-x64
3Wave/CefSh...re.dll
windows10-2004-x64
3Wave/CefSh...ss.exe
windows7-x64
3Wave/CefSh...ss.exe
windows10-2004-x64
3Wave/CefSh...me.dll
windows7-x64
3Wave/CefSh...me.dll
windows10-2004-x64
3Wave/CefSh...re.dll
windows7-x64
1Wave/CefSh...re.dll
windows10-2004-x64
1Wave/CefSharp.Wpf.dll
windows7-x64
1Wave/CefSharp.Wpf.dll
windows10-2004-x64
1Wave/CefSharp.dll
windows7-x64
1Wave/CefSharp.dll
windows10-2004-x64
1Wave/bin/B...nd.mp4
windows7-x64
1Wave/bin/B...nd.mp4
windows10-2004-x64
6Wave/chrom...nt.pak
windows7-x64
3Wave/chrom...nt.pak
windows10-2004-x64
3Wave/chrom...nt.pak
windows7-x64
3Wave/chrom...nt.pak
windows10-2004-x64
3Wave/debug.log
windows7-x64
1Wave/debug.log
windows10-2004-x64
1Wave/icudtl.dat
windows7-x64
3Wave/icudtl.dat
windows10-2004-x64
3Wave/local...US.pak
windows7-x64
3Wave/local...US.pak
windows10-2004-x64
3Wave/resources.pak
windows7-x64
3Wave/resources.pak
windows10-2004-x64
3Wave/v8_co...ot.bin
windows7-x64
3Wave/v8_co...ot.bin
windows10-2004-x64
3Wave/works...et.txt
windows7-x64
1Wave/works...et.txt
windows10-2004-x64
1Analysis
-
max time kernel
117s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
14/08/2024, 20:47
Behavioral task
behavioral1
Sample
Wave.zip
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
Wave.zip
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
Wave/CefSharp.BrowserSubprocess.Core.dll
Resource
win7-20240705-en
Behavioral task
behavioral4
Sample
Wave/CefSharp.BrowserSubprocess.Core.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
Wave/CefSharp.BrowserSubprocess.exe
Resource
win7-20240729-en
Behavioral task
behavioral6
Sample
Wave/CefSharp.BrowserSubprocess.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
Wave/CefSharp.Core.Runtime.dll
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
Wave/CefSharp.Core.Runtime.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
Wave/CefSharp.Core.dll
Resource
win7-20240708-en
Behavioral task
behavioral10
Sample
Wave/CefSharp.Core.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
Wave/CefSharp.Wpf.dll
Resource
win7-20240708-en
Behavioral task
behavioral12
Sample
Wave/CefSharp.Wpf.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
Wave/CefSharp.dll
Resource
win7-20240704-en
Behavioral task
behavioral14
Sample
Wave/CefSharp.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
Wave/bin/Background.mp4
Resource
win7-20240704-en
Behavioral task
behavioral16
Sample
Wave/bin/Background.mp4
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
Wave/chrome_100_percent.pak
Resource
win7-20240704-en
Behavioral task
behavioral18
Sample
Wave/chrome_100_percent.pak
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
Wave/chrome_200_percent.pak
Resource
win7-20240705-en
Behavioral task
behavioral20
Sample
Wave/chrome_200_percent.pak
Resource
win10v2004-20240802-en
Behavioral task
behavioral21
Sample
Wave/debug.log
Resource
win7-20240705-en
Behavioral task
behavioral22
Sample
Wave/debug.log
Resource
win10v2004-20240802-en
Behavioral task
behavioral23
Sample
Wave/icudtl.dat
Resource
win7-20240705-en
Behavioral task
behavioral24
Sample
Wave/icudtl.dat
Resource
win10v2004-20240802-en
Behavioral task
behavioral25
Sample
Wave/locales/en-US.pak
Resource
win7-20240708-en
Behavioral task
behavioral26
Sample
Wave/locales/en-US.pak
Resource
win10v2004-20240802-en
Behavioral task
behavioral27
Sample
Wave/resources.pak
Resource
win7-20240704-en
Behavioral task
behavioral28
Sample
Wave/resources.pak
Resource
win10v2004-20240802-en
Behavioral task
behavioral29
Sample
Wave/v8_context_snapshot.bin
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
Wave/v8_context_snapshot.bin
Resource
win10v2004-20240802-en
Behavioral task
behavioral31
Sample
Wave/workspace/.tests/getcustomasset.txt
Resource
win7-20240729-en
Behavioral task
behavioral32
Sample
Wave/workspace/.tests/getcustomasset.txt
Resource
win10v2004-20240802-en
General
-
Target
Wave/v8_context_snapshot.bin
-
Size
643KB
-
MD5
28477a60b4fbd51dfef5237245817690
-
SHA1
b0afd5ea9f9d550124f23c65bc7851ddeffc662f
-
SHA256
169ea86f544e5cdf2a460675f876a9abb7f56bbe122782e94bb03d624931fc12
-
SHA512
3520658583bb498d5032a7f7ae77195fd2e5f8ed03c6531e56dee8320d8701102a723766e59f7766ab223f837e65a6d85cf862bb2bef6d2755ce45e672a47b22
-
SSDEEP
6144:rJ8NbhO1/n8WRPyfR5mj4Wl2NNm6EKdxUJCnNlEux0fi9vjA5YbVKFLGxI6HYD:ruNbhnR5m+NUJ00f8lKOIzD
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe -
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\bin_auto_file rundll32.exe Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.bin rundll32.exe Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\bin_auto_file\shell\Read rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\bin_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\bin_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.bin\ = "bin_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\bin_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\bin_auto_file\shell\Read\command rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2740 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2740 AcroRd32.exe 2740 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2532 wrote to memory of 2744 2532 cmd.exe 31 PID 2532 wrote to memory of 2744 2532 cmd.exe 31 PID 2532 wrote to memory of 2744 2532 cmd.exe 31 PID 2744 wrote to memory of 2740 2744 rundll32.exe 32 PID 2744 wrote to memory of 2740 2744 rundll32.exe 32 PID 2744 wrote to memory of 2740 2744 rundll32.exe 32 PID 2744 wrote to memory of 2740 2744 rundll32.exe 32
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Wave\v8_context_snapshot.bin1⤵
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Wave\v8_context_snapshot.bin2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Wave\v8_context_snapshot.bin"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2740
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5f38df21ff8920beb78d0cc5f2c6842c1
SHA155e86f61ccfe9e587b3982153259eb5ebd7f7a34
SHA256232fd5f4f7b168dd4597d4812a196fbb88c9dfdf8775a9f769c9d8a6e3f2b344
SHA51284eaaf0eb15bebaf9123fe4dfd8815eedf446289ae1a376e856684bea274bdb7a88d1c326abf413dcb20b5b78fb7103e29e87d8550f1c2c2aec3ed4d238fa71d