Analysis Overview
SHA256
064955e9e82eb5a1ae440e67449baac17e992a283a15be1bad006d02a6d7959a
Threat Level: Likely malicious
The file Wave.zip was found to be: Likely malicious.
Malicious Activity Summary
Office macro that triggers on suspicious action
Drops desktop.ini file(s)
Enumerates connected drives
Drops file in Windows directory
Program crash
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Opens file in notepad (likely ransom note)
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-14 20:48
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:52
Platform
win7-20240705-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3060 wrote to memory of 2468 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3060 wrote to memory of 2468 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3060 wrote to memory of 2468 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3060 wrote to memory of 2468 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3060 wrote to memory of 2468 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3060 wrote to memory of 2468 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3060 wrote to memory of 2468 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.Core.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.Core.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:52
Platform
win10v2004-20240802-en
Max time kernel
143s
Max time network
145s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3784 wrote to memory of 3588 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3784 wrote to memory of 3588 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3784 wrote to memory of 3588 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.Core.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.Core.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3588 -ip 3588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 1088
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
Files
memory/3588-0-0x0000000005600000-0x00000000056EA000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:53
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
157s
Command Line
Signatures
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Enumerates connected drives
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\unregmp2.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{21C20BB8-BBF9-41BE-9740-94F847713D36} | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}" | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4872 wrote to memory of 3932 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Windows\SysWOW64\unregmp2.exe |
| PID 4872 wrote to memory of 3932 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Windows\SysWOW64\unregmp2.exe |
| PID 4872 wrote to memory of 3932 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Windows\SysWOW64\unregmp2.exe |
| PID 3932 wrote to memory of 1652 | N/A | C:\Windows\SysWOW64\unregmp2.exe | C:\Windows\system32\unregmp2.exe |
| PID 3932 wrote to memory of 1652 | N/A | C:\Windows\SysWOW64\unregmp2.exe | C:\Windows\system32\unregmp2.exe |
Processes
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Wave\bin\Background.mp4"
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x51c 0x494
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | musicmatch-ssl.xboxlive.com | udp |
| GB | 95.100.244.7:443 | musicmatch-ssl.xboxlive.com | tcp |
| US | 8.8.8.8:53 | 7.244.100.95.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
| MD5 | 90be2701c8112bebc6bd58a7de19846e |
| SHA1 | a95be407036982392e2e684fb9ff6602ecad6f1e |
| SHA256 | 644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf |
| SHA512 | d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 987a07b978cfe12e4ce45e513ef86619 |
| SHA1 | 22eec9a9b2e83ad33bedc59e3205f86590b7d40c |
| SHA256 | f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8 |
| SHA512 | 39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa |
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| MD5 | eb17eefd5fa89279412e3b0b6d3633e8 |
| SHA1 | 9045000ab898a83afa124654ea1f95f57839661e |
| SHA256 | 292df214df67f4c096515b91e61996f5d70f54571a592e4a8a3fd32725d739fc |
| SHA512 | 3068339a5cbfcd7f7a428b9f7a6c8e53fc66869cebfefa7ca2ac1b1ac5a7bc9324265bfb6e72f146cb6dd4642b9a692a9ebd8fa8570f49b0348108d92f250da0 |
memory/4872-36-0x0000000004FB0000-0x0000000004FC0000-memory.dmp
memory/4872-35-0x0000000004FB0000-0x0000000004FC0000-memory.dmp
memory/4872-34-0x0000000004FB0000-0x0000000004FC0000-memory.dmp
memory/4872-33-0x0000000004FB0000-0x0000000004FC0000-memory.dmp
memory/4872-37-0x00000000074C0000-0x00000000074D0000-memory.dmp
memory/4872-38-0x00000000074B0000-0x00000000074C0000-memory.dmp
memory/4872-39-0x00000000074B0000-0x00000000074C0000-memory.dmp
memory/4872-41-0x0000000004FB0000-0x0000000004FC0000-memory.dmp
memory/4872-40-0x0000000004FB0000-0x0000000004FC0000-memory.dmp
memory/4872-42-0x00000000074B0000-0x00000000074C0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | c0405c55a93a0c034c7518fbd5b450c6 |
| SHA1 | 341ff12022d40bc5185efec001efcbcb477593ff |
| SHA256 | d41f2fc73cf70cc749abccd13bcf911aa19f9dc47fd7c233b38deff5df8743aa |
| SHA512 | f2b05977f5d63e5ae8068d7c1806c847ebe1f01e7ab1e96080dc470919a462853b839d90dd81a5b8cbb9e674e6f45dbc2ddab24ea9b8d3c146fea14ccf23207c |
memory/4872-45-0x0000000007410000-0x0000000007420000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
| MD5 | bb83990f7d80cb970a430c7809566003 |
| SHA1 | 72fb30564ebd5da94a501be6540699b51a2dc73a |
| SHA256 | 61404e2cd47b888f75e2342e9aa8630e39a624e667bdd745d040052ea071edfe |
| SHA512 | c654511614dad83f7c85557baa2c32a4f7fa9ebf52fccf5ddf3c343aa4c82d75c92d02a18a3e3d93512bef1af60ab3d292273a68aa04e0de90055bb805107f7d |
memory/4872-49-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-50-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-51-0x00000000074B0000-0x00000000074C0000-memory.dmp
memory/4872-52-0x00000000074B0000-0x00000000074C0000-memory.dmp
memory/4872-53-0x00000000074B0000-0x00000000074C0000-memory.dmp
memory/4872-54-0x00000000074B0000-0x00000000074C0000-memory.dmp
memory/4872-56-0x00000000074B0000-0x00000000074C0000-memory.dmp
memory/4872-55-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-57-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-59-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-58-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-61-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-62-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-64-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-67-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-66-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-65-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-70-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-69-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-72-0x00000000074B0000-0x00000000074C0000-memory.dmp
memory/4872-73-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-74-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-76-0x00000000074B0000-0x00000000074C0000-memory.dmp
memory/4872-77-0x00000000074B0000-0x00000000074C0000-memory.dmp
memory/4872-78-0x0000000007410000-0x0000000007420000-memory.dmp
memory/4872-80-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-82-0x00000000074B0000-0x00000000074C0000-memory.dmp
memory/4872-81-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-85-0x00000000074B0000-0x00000000074C0000-memory.dmp
memory/4872-87-0x00000000074B0000-0x00000000074C0000-memory.dmp
memory/4872-86-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-90-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-89-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-88-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-84-0x00000000074B0000-0x00000000074C0000-memory.dmp
memory/4872-83-0x00000000074B0000-0x00000000074C0000-memory.dmp
memory/4872-91-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-93-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-92-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-94-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-96-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-95-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-97-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-98-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-100-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-99-0x00000000074B0000-0x00000000074C0000-memory.dmp
memory/4872-103-0x00000000074B0000-0x00000000074C0000-memory.dmp
memory/4872-102-0x00000000074B0000-0x00000000074C0000-memory.dmp
memory/4872-104-0x0000000007410000-0x0000000007420000-memory.dmp
memory/4872-101-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-105-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-106-0x00000000074A0000-0x00000000074B0000-memory.dmp
memory/4872-107-0x00000000074B0000-0x00000000074C0000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:52
Platform
win10v2004-20240802-en
Max time kernel
144s
Max time network
152s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\chrome_100_percent.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:52
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
153s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Wave\debug.log
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:52
Platform
win10v2004-20240802-en
Max time kernel
144s
Max time network
160s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\icudtl.dat
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:52
Platform
win10v2004-20240802-en
Max time kernel
140s
Max time network
131s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\resources.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:52
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
158s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Wpf.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:52
Platform
win7-20240708-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pak_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.pak\ = "pak_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pak_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pak_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pak_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pak_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.pak | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2112 wrote to memory of 2332 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2112 wrote to memory of 2332 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2112 wrote to memory of 2332 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2332 wrote to memory of 2740 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2332 wrote to memory of 2740 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2332 wrote to memory of 2740 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2332 wrote to memory of 2740 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\locales\en-US.pak
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Wave\locales\en-US.pak
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Wave\locales\en-US.pak"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 7e56574fa785940e0f1e5e1c16db2e75 |
| SHA1 | 942683b512d033db76be89aa6c0d7730dc873e63 |
| SHA256 | 5b114f0b9e0ffd912787296bc368d8b17ebfc4390c8faf183ffa6757d689b181 |
| SHA512 | 53ec34f8de1f219f8a7d78b922177104491563d577da6a3f32dfd4eca76e8071b472982bc429751b73bf48d95ff37e3d84c6070d30c100268e7f003e979b3113 |
Analysis: behavioral30
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:52
Platform
win10v2004-20240802-en
Max time kernel
136s
Max time network
127s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\v8_context_snapshot.bin
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:52
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Wave\workspace\.tests\getcustomasset.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:53
Platform
win7-20240704-en
Max time kernel
122s
Max time network
145s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.dll,#1
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:53
Platform
win7-20240704-en
Max time kernel
140s
Max time network
130s
Command Line
Signatures
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Processes
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Wave\bin\Background.mp4"
Network
Files
memory/2400-6-0x000007FEF7290000-0x000007FEF72C4000-memory.dmp
memory/2400-5-0x000000013F590000-0x000000013F688000-memory.dmp
memory/2400-12-0x000007FEF7120000-0x000007FEF7131000-memory.dmp
memory/2400-14-0x000007FEF6C20000-0x000007FEF6C31000-memory.dmp
memory/2400-13-0x000007FEF6C80000-0x000007FEF6C9D000-memory.dmp
memory/2400-11-0x000007FEF7140000-0x000007FEF7157000-memory.dmp
memory/2400-10-0x000007FEFAE30000-0x000007FEFAE41000-memory.dmp
memory/2400-7-0x000007FEF6510000-0x000007FEF67C6000-memory.dmp
memory/2400-9-0x000007FEFB510000-0x000007FEFB527000-memory.dmp
memory/2400-8-0x000007FEFBF90000-0x000007FEFBFA8000-memory.dmp
memory/2400-32-0x000007FEF4F60000-0x000007FEF4F77000-memory.dmp
memory/2400-15-0x000007FEF5460000-0x000007FEF6510000-memory.dmp
memory/2400-16-0x000007FEF5250000-0x000007FEF545B000-memory.dmp
memory/2400-30-0x000007FEF5100000-0x000007FEF5157000-memory.dmp
memory/2400-31-0x000007FEF4F80000-0x000007FEF5100000-memory.dmp
memory/2400-29-0x000007FEF68E0000-0x000007FEF68F1000-memory.dmp
memory/2400-28-0x000007FEF5160000-0x000007FEF51DC000-memory.dmp
memory/2400-27-0x000007FEF51E0000-0x000007FEF5247000-memory.dmp
memory/2400-26-0x000007FEF6900000-0x000007FEF6930000-memory.dmp
memory/2400-25-0x000007FEF6930000-0x000007FEF6948000-memory.dmp
memory/2400-24-0x000007FEF6950000-0x000007FEF6961000-memory.dmp
memory/2400-23-0x000007FEF6970000-0x000007FEF698B000-memory.dmp
memory/2400-22-0x000007FEF6990000-0x000007FEF69A1000-memory.dmp
memory/2400-21-0x000007FEF69B0000-0x000007FEF69C1000-memory.dmp
memory/2400-20-0x000007FEF69D0000-0x000007FEF69E1000-memory.dmp
memory/2400-19-0x000007FEF6A60000-0x000007FEF6A78000-memory.dmp
memory/2400-18-0x000007FEF6BF0000-0x000007FEF6C11000-memory.dmp
memory/2400-17-0x000007FEF6A80000-0x000007FEF6AC1000-memory.dmp
memory/2400-34-0x000007FEF34E0000-0x000007FEF36E6000-memory.dmp
memory/2400-60-0x000007FEF03F0000-0x000007FEF043E000-memory.dmp
memory/2400-62-0x000007FEF02C0000-0x000007FEF02F4000-memory.dmp
memory/2400-58-0x000007FEF2340000-0x000007FEF23B4000-memory.dmp
memory/2400-61-0x000007FEF0300000-0x000007FEF0357000-memory.dmp
memory/2400-59-0x000007FEF21D0000-0x000007FEF21E1000-memory.dmp
memory/2400-33-0x000007FEF36F0000-0x000007FEF4F5F000-memory.dmp
memory/2400-56-0x000007FEF2410000-0x000007FEF2471000-memory.dmp
memory/2400-57-0x000007FEF23C0000-0x000007FEF2407000-memory.dmp
memory/2400-51-0x000007FEF2880000-0x000007FEF2986000-memory.dmp
memory/2400-55-0x000007FEF2480000-0x000007FEF2491000-memory.dmp
memory/2400-54-0x000007FEF27F0000-0x000007FEF2801000-memory.dmp
memory/2400-53-0x000007FEF2810000-0x000007FEF2823000-memory.dmp
memory/2400-52-0x000007FEF2830000-0x000007FEF285A000-memory.dmp
memory/2400-42-0x000007FEF2D60000-0x000007FEF2DCD000-memory.dmp
memory/2400-50-0x000007FEF2990000-0x000007FEF29A3000-memory.dmp
memory/2400-49-0x000007FEF29B0000-0x000007FEF29D3000-memory.dmp
memory/2400-48-0x000007FEF29E0000-0x000007FEF29F5000-memory.dmp
memory/2400-47-0x000007FEF2A00000-0x000007FEF2A15000-memory.dmp
memory/2400-46-0x000007FEF2A20000-0x000007FEF2CD0000-memory.dmp
memory/2400-45-0x000007FEF2CD0000-0x000007FEF2D20000-memory.dmp
memory/2400-44-0x000007FEF2D20000-0x000007FEF2D34000-memory.dmp
memory/2400-43-0x000007FEF2D40000-0x000007FEF2D53000-memory.dmp
memory/2400-41-0x000007FEF2DD0000-0x000007FEF2E32000-memory.dmp
memory/2400-40-0x000007FEF2E40000-0x000007FEF2E82000-memory.dmp
memory/2400-39-0x000007FEF2FA0000-0x000007FEF2FCF000-memory.dmp
memory/2400-38-0x000007FEF7110000-0x000007FEF7120000-memory.dmp
memory/2400-37-0x000007FEF3420000-0x000007FEF346D000-memory.dmp
memory/2400-36-0x000007FEF3470000-0x000007FEF34B2000-memory.dmp
memory/2400-35-0x000007FEF34C0000-0x000007FEF34D2000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:52
Platform
win7-20240705-en
Max time kernel
102s
Max time network
19s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pak_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.pak | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.pak\ = "pak_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pak_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pak_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pak_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pak_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1732 wrote to memory of 2200 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1732 wrote to memory of 2200 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1732 wrote to memory of 2200 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2200 wrote to memory of 2748 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2200 wrote to memory of 2748 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2200 wrote to memory of 2748 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2200 wrote to memory of 2748 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\chrome_200_percent.pak
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Wave\chrome_200_percent.pak
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Wave\chrome_200_percent.pak"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | ba4a3b104792c75f8ff2c75e634588c9 |
| SHA1 | 22c1bbe7ff19986653114604dd8fefa849d85895 |
| SHA256 | 6db8117438c0147790d32483678cc4d3826e5ef917c86edcd5eced6ef175f545 |
| SHA512 | 56e3b3b386354a9c8af894bead75ee84742bd6af0e5ceedd5913cf5efda4f6beba60b05d1044644a980f897a996836b0dc8f794714893af3e64d89cbc2fe1d1f |
Analysis: behavioral20
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:52
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
159s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\chrome_200_percent.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:53
Platform
win7-20240708-en
Max time kernel
117s
Max time network
130s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\bin_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.bin | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\bin_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\bin_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\bin_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.bin\ = "bin_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\bin_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\bin_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2532 wrote to memory of 2744 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2532 wrote to memory of 2744 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2532 wrote to memory of 2744 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2744 wrote to memory of 2740 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2744 wrote to memory of 2740 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2744 wrote to memory of 2740 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2744 wrote to memory of 2740 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\v8_context_snapshot.bin
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Wave\v8_context_snapshot.bin
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Wave\v8_context_snapshot.bin"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | f38df21ff8920beb78d0cc5f2c6842c1 |
| SHA1 | 55e86f61ccfe9e587b3982153259eb5ebd7f7a34 |
| SHA256 | 232fd5f4f7b168dd4597d4812a196fbb88c9dfdf8775a9f769c9d8a6e3f2b344 |
| SHA512 | 84eaaf0eb15bebaf9123fe4dfd8815eedf446289ae1a376e856684bea274bdb7a88d1c326abf413dcb20b5b78fb7103e29e87d8550f1c2c2aec3ed4d238fa71d |
Analysis: behavioral31
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:52
Platform
win7-20240729-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Wave\workspace\.tests\getcustomasset.txt
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:53
Platform
win7-20240708-en
Max time kernel
121s
Max time network
134s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Core.dll,#1
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:52
Platform
win10v2004-20240802-en
Max time kernel
138s
Max time network
133s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Core.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4180,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4612 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:52
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
154s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\locales\en-US.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:53
Platform
win7-20240729-en
Max time kernel
117s
Max time network
128s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2544 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2544 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2544 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2544 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe
"C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 528
Network
Files
memory/2544-0-0x00000000746BE000-0x00000000746BF000-memory.dmp
memory/2544-1-0x0000000000B10000-0x0000000000B18000-memory.dmp
memory/2544-2-0x0000000001F20000-0x000000000200A000-memory.dmp
memory/2544-3-0x00000000746BE000-0x00000000746BF000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:52
Platform
win10v2004-20240802-en
Max time kernel
144s
Max time network
153s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 856 wrote to memory of 1756 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 856 wrote to memory of 1756 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 856 wrote to memory of 1756 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Core.Runtime.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Core.Runtime.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1756 -ip 1756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 1096
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/1756-0-0x0000000004FE0000-0x000000000513B000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:53
Platform
win7-20240704-en
Max time kernel
117s
Max time network
129s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\pak_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\pak_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\.pak | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\.pak\ = "pak_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\pak_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\pak_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\pak_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2236 wrote to memory of 2740 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2236 wrote to memory of 2740 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2236 wrote to memory of 2740 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2740 wrote to memory of 2960 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2740 wrote to memory of 2960 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2740 wrote to memory of 2960 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2740 wrote to memory of 2960 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\chrome_100_percent.pak
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Wave\chrome_100_percent.pak
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Wave\chrome_100_percent.pak"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 2357f76d21e37887f535257ae4744020 |
| SHA1 | 46e21dbe5091ba8ca9a7779992a15cec5ccb9e9d |
| SHA256 | 7f7759ea0dd333f7555f9aa465b72c2b72e96f5f57dd878f949fd53c22714039 |
| SHA512 | f1109895a2452977296b7a2cd885e2140fa2b16aa9e56a73c3b2a693c2c223784b82ed4f33bb2c409018fb60e3fd3bd08a0f15a64ae3fe569e613ff35a4443a2 |
Analysis: behavioral23
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:52
Platform
win7-20240705-en
Max time kernel
117s
Max time network
126s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\dat_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\dat_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\.dat | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\dat_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\dat_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\.dat\ = "dat_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\dat_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\dat_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2376 wrote to memory of 1980 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2376 wrote to memory of 1980 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2376 wrote to memory of 1980 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1980 wrote to memory of 2872 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1980 wrote to memory of 2872 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1980 wrote to memory of 2872 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1980 wrote to memory of 2872 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\icudtl.dat
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Wave\icudtl.dat
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Wave\icudtl.dat"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 01fafcdf54423adec51c51e28da2bc1e |
| SHA1 | 4467f08afa17b11189c737a6a3f99d39af8c6afb |
| SHA256 | 5410db395feb26c47d2113db7178e6abdf2260a4cbfcb5c5905370ff92a032b0 |
| SHA512 | 950558fc3e5e41c0cd110e0c55563ab8aa0a2d5693544b61561bdeca7405c31992035fb4eb646e1a8809760d20c62f4231ff72f3a0d95398299bd4c268fb4cc4 |
Analysis: behavioral27
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:53
Platform
win7-20240704-en
Max time kernel
122s
Max time network
145s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.pak\ = "pak_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\pak_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\pak_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\pak_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\pak_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\pak_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.pak | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2860 wrote to memory of 2624 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2860 wrote to memory of 2624 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2860 wrote to memory of 2624 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2624 wrote to memory of 2648 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2624 wrote to memory of 2648 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2624 wrote to memory of 2648 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2624 wrote to memory of 2648 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Wave\resources.pak
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Wave\resources.pak
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Wave\resources.pak"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 8c320b7aa445eded69f914b3976e9d5e |
| SHA1 | f95254a6c7602d16e5a396fe2713b086f703ff85 |
| SHA256 | d21a46a738420f894a138688ef27d13371694ef40399dab2939605c84d632643 |
| SHA512 | f713f01798ca196aa6588dfbd9ab580b1f3521289e1334994625ef7618223fd1f8088efc76c8ef823b48a8d20378a912f1bb765a9f9ba286fb412398e9cdf9c6 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:53
Platform
win7-20240704-en
Max time kernel
117s
Max time network
130s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Wave.zip
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:52
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
158s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe
"C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.BrowserSubprocess.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| NL | 52.111.243.31:443 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/3244-0-0x000000007483E000-0x000000007483F000-memory.dmp
memory/3244-1-0x0000000000780000-0x0000000000788000-memory.dmp
memory/3244-2-0x0000000005080000-0x000000000516A000-memory.dmp
memory/3244-3-0x00000000052A0000-0x00000000052EA000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:52
Platform
win7-20240708-en
Max time kernel
11s
Max time network
17s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Wpf.dll,#1
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:52
Platform
win10v2004-20240802-en
Max time kernel
137s
Max time network
148s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:53
Platform
win10v2004-20240802-en
Max time kernel
91s
Max time network
158s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Wave.zip
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:53
Platform
win7-20240708-en
Max time kernel
121s
Max time network
135s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1188 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1188 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1188 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1188 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1188 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1188 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1188 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Core.Runtime.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wave\CefSharp.Core.Runtime.dll,#1
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-08-14 20:47
Reported
2024-08-14 20:52
Platform
win7-20240705-en
Max time kernel
118s
Max time network
125s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Wave\debug.log