Malware Analysis Report

2025-03-15 07:56

Sample ID 240814-zkyhastdpg
Target Wave.zip
SHA256 064955e9e82eb5a1ae440e67449baac17e992a283a15be1bad006d02a6d7959a
Tags
discovery macro macro_on_action
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

064955e9e82eb5a1ae440e67449baac17e992a283a15be1bad006d02a6d7959a

Threat Level: Likely malicious

The file Wave.zip was found to be: Likely malicious.

Malicious Activity Summary

discovery macro macro_on_action

Office macro that triggers on suspicious action

Drops desktop.ini file(s)

Enumerates connected drives

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Opens file in notepad (likely ransom note)

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-14 20:48

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:52

Platform

win7-20240705-en

Max time kernel

121s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.Core.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3060 wrote to memory of 2468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3060 wrote to memory of 2468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3060 wrote to memory of 2468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3060 wrote to memory of 2468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3060 wrote to memory of 2468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3060 wrote to memory of 2468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3060 wrote to memory of 2468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.Core.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.Core.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:52

Platform

win10v2004-20240802-en

Max time kernel

143s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.Core.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3784 wrote to memory of 3588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3784 wrote to memory of 3588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3784 wrote to memory of 3588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.Core.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.Core.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3588 -ip 3588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 1088

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp

Files

memory/3588-0-0x0000000005600000-0x00000000056EA000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:53

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Wave\bin\Background.mp4"

Signatures

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\V: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Y: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Z: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\K: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\G: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\N: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Q: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\S: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\E: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\L: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\R: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\O: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\T: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\U: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\X: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll C:\Windows\system32\svchost.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\unregmp2.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{21C20BB8-BBF9-41BE-9740-94F847713D36} C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}" C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Wave\bin\Background.mp4"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x51c 0x494

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 musicmatch-ssl.xboxlive.com udp
GB 95.100.244.7:443 musicmatch-ssl.xboxlive.com tcp
US 8.8.8.8:53 7.244.100.95.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

MD5 90be2701c8112bebc6bd58a7de19846e
SHA1 a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256 644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512 d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 987a07b978cfe12e4ce45e513ef86619
SHA1 22eec9a9b2e83ad33bedc59e3205f86590b7d40c
SHA256 f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8
SHA512 39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 eb17eefd5fa89279412e3b0b6d3633e8
SHA1 9045000ab898a83afa124654ea1f95f57839661e
SHA256 292df214df67f4c096515b91e61996f5d70f54571a592e4a8a3fd32725d739fc
SHA512 3068339a5cbfcd7f7a428b9f7a6c8e53fc66869cebfefa7ca2ac1b1ac5a7bc9324265bfb6e72f146cb6dd4642b9a692a9ebd8fa8570f49b0348108d92f250da0

memory/4872-36-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

memory/4872-35-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

memory/4872-34-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

memory/4872-33-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

memory/4872-37-0x00000000074C0000-0x00000000074D0000-memory.dmp

memory/4872-38-0x00000000074B0000-0x00000000074C0000-memory.dmp

memory/4872-39-0x00000000074B0000-0x00000000074C0000-memory.dmp

memory/4872-41-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

memory/4872-40-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

memory/4872-42-0x00000000074B0000-0x00000000074C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 c0405c55a93a0c034c7518fbd5b450c6
SHA1 341ff12022d40bc5185efec001efcbcb477593ff
SHA256 d41f2fc73cf70cc749abccd13bcf911aa19f9dc47fd7c233b38deff5df8743aa
SHA512 f2b05977f5d63e5ae8068d7c1806c847ebe1f01e7ab1e96080dc470919a462853b839d90dd81a5b8cbb9e674e6f45dbc2ddab24ea9b8d3c146fea14ccf23207c

memory/4872-45-0x0000000007410000-0x0000000007420000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

MD5 bb83990f7d80cb970a430c7809566003
SHA1 72fb30564ebd5da94a501be6540699b51a2dc73a
SHA256 61404e2cd47b888f75e2342e9aa8630e39a624e667bdd745d040052ea071edfe
SHA512 c654511614dad83f7c85557baa2c32a4f7fa9ebf52fccf5ddf3c343aa4c82d75c92d02a18a3e3d93512bef1af60ab3d292273a68aa04e0de90055bb805107f7d

memory/4872-49-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-50-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-51-0x00000000074B0000-0x00000000074C0000-memory.dmp

memory/4872-52-0x00000000074B0000-0x00000000074C0000-memory.dmp

memory/4872-53-0x00000000074B0000-0x00000000074C0000-memory.dmp

memory/4872-54-0x00000000074B0000-0x00000000074C0000-memory.dmp

memory/4872-56-0x00000000074B0000-0x00000000074C0000-memory.dmp

memory/4872-55-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-57-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-59-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-58-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-61-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-62-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-64-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-67-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-66-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-65-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-70-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-69-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-72-0x00000000074B0000-0x00000000074C0000-memory.dmp

memory/4872-73-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-74-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-76-0x00000000074B0000-0x00000000074C0000-memory.dmp

memory/4872-77-0x00000000074B0000-0x00000000074C0000-memory.dmp

memory/4872-78-0x0000000007410000-0x0000000007420000-memory.dmp

memory/4872-80-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-82-0x00000000074B0000-0x00000000074C0000-memory.dmp

memory/4872-81-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-85-0x00000000074B0000-0x00000000074C0000-memory.dmp

memory/4872-87-0x00000000074B0000-0x00000000074C0000-memory.dmp

memory/4872-86-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-90-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-89-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-88-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-84-0x00000000074B0000-0x00000000074C0000-memory.dmp

memory/4872-83-0x00000000074B0000-0x00000000074C0000-memory.dmp

memory/4872-91-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-93-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-92-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-94-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-96-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-95-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-97-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-98-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-100-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-99-0x00000000074B0000-0x00000000074C0000-memory.dmp

memory/4872-103-0x00000000074B0000-0x00000000074C0000-memory.dmp

memory/4872-102-0x00000000074B0000-0x00000000074C0000-memory.dmp

memory/4872-104-0x0000000007410000-0x0000000007420000-memory.dmp

memory/4872-101-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-105-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-106-0x00000000074A0000-0x00000000074B0000-memory.dmp

memory/4872-107-0x00000000074B0000-0x00000000074C0000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:52

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

152s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\chrome_100_percent.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\chrome_100_percent.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:52

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

153s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Wave\debug.log

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Wave\debug.log

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:52

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

160s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\icudtl.dat

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\icudtl.dat

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 21.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:52

Platform

win10v2004-20240802-en

Max time kernel

140s

Max time network

131s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\resources.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\resources.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:52

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Wpf.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Wpf.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:52

Platform

win7-20240708-en

Max time kernel

121s

Max time network

128s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\locales\en-US.pak

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\locales\en-US.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Wave\locales\en-US.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Wave\locales\en-US.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 7e56574fa785940e0f1e5e1c16db2e75
SHA1 942683b512d033db76be89aa6c0d7730dc873e63
SHA256 5b114f0b9e0ffd912787296bc368d8b17ebfc4390c8faf183ffa6757d689b181
SHA512 53ec34f8de1f219f8a7d78b922177104491563d577da6a3f32dfd4eca76e8071b472982bc429751b73bf48d95ff37e3d84c6070d30c100268e7f003e979b3113

Analysis: behavioral30

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:52

Platform

win10v2004-20240802-en

Max time kernel

136s

Max time network

127s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\v8_context_snapshot.bin

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\v8_context_snapshot.bin

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:52

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

155s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Wave\workspace\.tests\getcustomasset.txt

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Wave\workspace\.tests\getcustomasset.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 21.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:53

Platform

win7-20240704-en

Max time kernel

122s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:53

Platform

win7-20240704-en

Max time kernel

140s

Max time network

130s

Command Line

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Wave\bin\Background.mp4"

Signatures

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Processes

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Wave\bin\Background.mp4"

Network

N/A

Files

memory/2400-6-0x000007FEF7290000-0x000007FEF72C4000-memory.dmp

memory/2400-5-0x000000013F590000-0x000000013F688000-memory.dmp

memory/2400-12-0x000007FEF7120000-0x000007FEF7131000-memory.dmp

memory/2400-14-0x000007FEF6C20000-0x000007FEF6C31000-memory.dmp

memory/2400-13-0x000007FEF6C80000-0x000007FEF6C9D000-memory.dmp

memory/2400-11-0x000007FEF7140000-0x000007FEF7157000-memory.dmp

memory/2400-10-0x000007FEFAE30000-0x000007FEFAE41000-memory.dmp

memory/2400-7-0x000007FEF6510000-0x000007FEF67C6000-memory.dmp

memory/2400-9-0x000007FEFB510000-0x000007FEFB527000-memory.dmp

memory/2400-8-0x000007FEFBF90000-0x000007FEFBFA8000-memory.dmp

memory/2400-32-0x000007FEF4F60000-0x000007FEF4F77000-memory.dmp

memory/2400-15-0x000007FEF5460000-0x000007FEF6510000-memory.dmp

memory/2400-16-0x000007FEF5250000-0x000007FEF545B000-memory.dmp

memory/2400-30-0x000007FEF5100000-0x000007FEF5157000-memory.dmp

memory/2400-31-0x000007FEF4F80000-0x000007FEF5100000-memory.dmp

memory/2400-29-0x000007FEF68E0000-0x000007FEF68F1000-memory.dmp

memory/2400-28-0x000007FEF5160000-0x000007FEF51DC000-memory.dmp

memory/2400-27-0x000007FEF51E0000-0x000007FEF5247000-memory.dmp

memory/2400-26-0x000007FEF6900000-0x000007FEF6930000-memory.dmp

memory/2400-25-0x000007FEF6930000-0x000007FEF6948000-memory.dmp

memory/2400-24-0x000007FEF6950000-0x000007FEF6961000-memory.dmp

memory/2400-23-0x000007FEF6970000-0x000007FEF698B000-memory.dmp

memory/2400-22-0x000007FEF6990000-0x000007FEF69A1000-memory.dmp

memory/2400-21-0x000007FEF69B0000-0x000007FEF69C1000-memory.dmp

memory/2400-20-0x000007FEF69D0000-0x000007FEF69E1000-memory.dmp

memory/2400-19-0x000007FEF6A60000-0x000007FEF6A78000-memory.dmp

memory/2400-18-0x000007FEF6BF0000-0x000007FEF6C11000-memory.dmp

memory/2400-17-0x000007FEF6A80000-0x000007FEF6AC1000-memory.dmp

memory/2400-34-0x000007FEF34E0000-0x000007FEF36E6000-memory.dmp

memory/2400-60-0x000007FEF03F0000-0x000007FEF043E000-memory.dmp

memory/2400-62-0x000007FEF02C0000-0x000007FEF02F4000-memory.dmp

memory/2400-58-0x000007FEF2340000-0x000007FEF23B4000-memory.dmp

memory/2400-61-0x000007FEF0300000-0x000007FEF0357000-memory.dmp

memory/2400-59-0x000007FEF21D0000-0x000007FEF21E1000-memory.dmp

memory/2400-33-0x000007FEF36F0000-0x000007FEF4F5F000-memory.dmp

memory/2400-56-0x000007FEF2410000-0x000007FEF2471000-memory.dmp

memory/2400-57-0x000007FEF23C0000-0x000007FEF2407000-memory.dmp

memory/2400-51-0x000007FEF2880000-0x000007FEF2986000-memory.dmp

memory/2400-55-0x000007FEF2480000-0x000007FEF2491000-memory.dmp

memory/2400-54-0x000007FEF27F0000-0x000007FEF2801000-memory.dmp

memory/2400-53-0x000007FEF2810000-0x000007FEF2823000-memory.dmp

memory/2400-52-0x000007FEF2830000-0x000007FEF285A000-memory.dmp

memory/2400-42-0x000007FEF2D60000-0x000007FEF2DCD000-memory.dmp

memory/2400-50-0x000007FEF2990000-0x000007FEF29A3000-memory.dmp

memory/2400-49-0x000007FEF29B0000-0x000007FEF29D3000-memory.dmp

memory/2400-48-0x000007FEF29E0000-0x000007FEF29F5000-memory.dmp

memory/2400-47-0x000007FEF2A00000-0x000007FEF2A15000-memory.dmp

memory/2400-46-0x000007FEF2A20000-0x000007FEF2CD0000-memory.dmp

memory/2400-45-0x000007FEF2CD0000-0x000007FEF2D20000-memory.dmp

memory/2400-44-0x000007FEF2D20000-0x000007FEF2D34000-memory.dmp

memory/2400-43-0x000007FEF2D40000-0x000007FEF2D53000-memory.dmp

memory/2400-41-0x000007FEF2DD0000-0x000007FEF2E32000-memory.dmp

memory/2400-40-0x000007FEF2E40000-0x000007FEF2E82000-memory.dmp

memory/2400-39-0x000007FEF2FA0000-0x000007FEF2FCF000-memory.dmp

memory/2400-38-0x000007FEF7110000-0x000007FEF7120000-memory.dmp

memory/2400-37-0x000007FEF3420000-0x000007FEF346D000-memory.dmp

memory/2400-36-0x000007FEF3470000-0x000007FEF34B2000-memory.dmp

memory/2400-35-0x000007FEF34C0000-0x000007FEF34D2000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:52

Platform

win7-20240705-en

Max time kernel

102s

Max time network

19s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\chrome_200_percent.pak

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\chrome_200_percent.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Wave\chrome_200_percent.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Wave\chrome_200_percent.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 ba4a3b104792c75f8ff2c75e634588c9
SHA1 22c1bbe7ff19986653114604dd8fefa849d85895
SHA256 6db8117438c0147790d32483678cc4d3826e5ef917c86edcd5eced6ef175f545
SHA512 56e3b3b386354a9c8af894bead75ee84742bd6af0e5ceedd5913cf5efda4f6beba60b05d1044644a980f897a996836b0dc8f794714893af3e64d89cbc2fe1d1f

Analysis: behavioral20

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:52

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

159s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\chrome_200_percent.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\chrome_200_percent.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:53

Platform

win7-20240708-en

Max time kernel

117s

Max time network

130s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\v8_context_snapshot.bin

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\bin_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.bin C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\bin_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\bin_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\bin_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.bin\ = "bin_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\bin_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\bin_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\v8_context_snapshot.bin

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Wave\v8_context_snapshot.bin

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Wave\v8_context_snapshot.bin"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 f38df21ff8920beb78d0cc5f2c6842c1
SHA1 55e86f61ccfe9e587b3982153259eb5ebd7f7a34
SHA256 232fd5f4f7b168dd4597d4812a196fbb88c9dfdf8775a9f769c9d8a6e3f2b344
SHA512 84eaaf0eb15bebaf9123fe4dfd8815eedf446289ae1a376e856684bea274bdb7a88d1c326abf413dcb20b5b78fb7103e29e87d8550f1c2c2aec3ed4d238fa71d

Analysis: behavioral31

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:52

Platform

win7-20240729-en

Max time kernel

120s

Max time network

127s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Wave\workspace\.tests\getcustomasset.txt

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Wave\workspace\.tests\getcustomasset.txt

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:53

Platform

win7-20240708-en

Max time kernel

121s

Max time network

134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Core.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Core.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:52

Platform

win10v2004-20240802-en

Max time kernel

138s

Max time network

133s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Core.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Core.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4180,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4612 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 6.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 20.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:52

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

154s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\locales\en-US.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\locales\en-US.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 38.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:53

Platform

win7-20240729-en

Max time kernel

117s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe

"C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 528

Network

N/A

Files

memory/2544-0-0x00000000746BE000-0x00000000746BF000-memory.dmp

memory/2544-1-0x0000000000B10000-0x0000000000B18000-memory.dmp

memory/2544-2-0x0000000001F20000-0x000000000200A000-memory.dmp

memory/2544-3-0x00000000746BE000-0x00000000746BF000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:52

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Core.Runtime.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 856 wrote to memory of 1756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 856 wrote to memory of 1756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 856 wrote to memory of 1756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Core.Runtime.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Core.Runtime.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1756 -ip 1756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 1096

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/1756-0-0x0000000004FE0000-0x000000000513B000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:53

Platform

win7-20240704-en

Max time kernel

117s

Max time network

129s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\chrome_100_percent.pak

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\chrome_100_percent.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Wave\chrome_100_percent.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Wave\chrome_100_percent.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 2357f76d21e37887f535257ae4744020
SHA1 46e21dbe5091ba8ca9a7779992a15cec5ccb9e9d
SHA256 7f7759ea0dd333f7555f9aa465b72c2b72e96f5f57dd878f949fd53c22714039
SHA512 f1109895a2452977296b7a2cd885e2140fa2b16aa9e56a73c3b2a693c2c223784b82ed4f33bb2c409018fb60e3fd3bd08a0f15a64ae3fe569e613ff35a4443a2

Analysis: behavioral23

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:52

Platform

win7-20240705-en

Max time kernel

117s

Max time network

126s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\icudtl.dat

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\dat_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\dat_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\.dat C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\dat_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\dat_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\.dat\ = "dat_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\dat_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\dat_auto_file\shell C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\icudtl.dat

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Wave\icudtl.dat

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Wave\icudtl.dat"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 01fafcdf54423adec51c51e28da2bc1e
SHA1 4467f08afa17b11189c737a6a3f99d39af8c6afb
SHA256 5410db395feb26c47d2113db7178e6abdf2260a4cbfcb5c5905370ff92a032b0
SHA512 950558fc3e5e41c0cd110e0c55563ab8aa0a2d5693544b61561bdeca7405c31992035fb4eb646e1a8809760d20c62f4231ff72f3a0d95398299bd4c268fb4cc4

Analysis: behavioral27

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:53

Platform

win7-20240704-en

Max time kernel

122s

Max time network

145s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\resources.pak

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\resources.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Wave\resources.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Wave\resources.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 8c320b7aa445eded69f914b3976e9d5e
SHA1 f95254a6c7602d16e5a396fe2713b086f703ff85
SHA256 d21a46a738420f894a138688ef27d13371694ef40399dab2939605c84d632643
SHA512 f713f01798ca196aa6588dfbd9ab580b1f3521289e1334994625ef7618223fd1f8088efc76c8ef823b48a8d20378a912f1bb765a9f9ba286fb412398e9cdf9c6

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:53

Platform

win7-20240704-en

Max time kernel

117s

Max time network

130s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Wave.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Wave.zip

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:52

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe

"C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
NL 52.111.243.31:443 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/3244-0-0x000000007483E000-0x000000007483F000-memory.dmp

memory/3244-1-0x0000000000780000-0x0000000000788000-memory.dmp

memory/3244-2-0x0000000005080000-0x000000000516A000-memory.dmp

memory/3244-3-0x00000000052A0000-0x00000000052EA000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:52

Platform

win7-20240708-en

Max time kernel

11s

Max time network

17s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Wpf.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Wpf.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:52

Platform

win10v2004-20240802-en

Max time kernel

137s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:53

Platform

win10v2004-20240802-en

Max time kernel

91s

Max time network

158s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Wave.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Wave.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:53

Platform

win7-20240708-en

Max time kernel

121s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Core.Runtime.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1188 wrote to memory of 2692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1188 wrote to memory of 2692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1188 wrote to memory of 2692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1188 wrote to memory of 2692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1188 wrote to memory of 2692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1188 wrote to memory of 2692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1188 wrote to memory of 2692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Core.Runtime.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Core.Runtime.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-08-14 20:47

Reported

2024-08-14 20:52

Platform

win7-20240705-en

Max time kernel

118s

Max time network

125s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Wave\debug.log

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Wave\debug.log

Network

N/A

Files

N/A