eacdda9c113625b56f28a7a468e2c3036aea1eeb7717974dd7d0408f7f47026e

Analysis

max time kernel
121s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xwave.exe
Size

3.1MB
MD5

0872989048c641df5173d180f6b7d5c5
SHA1

63209b6e40ba1c7bb97cb12381a52235619b1acd
SHA256

eacdda9c113625b56f28a7a468e2c3036aea1eeb7717974dd7d0408f7f47026e
SHA512

8e76c2f589aa09757dc3e10af77148f5fa646f3cd3573ba4c63ce2a4504b561b9d695642afa4f10a1a4aa18a86949651d5cf79e79d78c3150e93fea61898b303
SSDEEP

49152:IBJi9y+Be60mtA0//DMKizK7z2iUu9bQvjcajUBO:y89m69/szu27QbQvjzmO

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
536	FontReview.exe
1488	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
2336	cmd.exe
2336	cmd.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\lsass.exe	FontReview.exe
File opened for modification	C:\Program Files\Mozilla Firefox\lsass.exe	FontReview.exe
File created	C:\Program Files\Mozilla Firefox\6203df4a6bafc7	FontReview.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\ja-JP\Idle.exe	FontReview.exe
File created	C:\Windows\PolicyDefinitions\ja-JP\6ccacd8608530f	FontReview.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Xwave.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2700	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2700	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe
536	FontReview.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	536	FontReview.exe
Token: SeDebugPrivilege	1488	lsass.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2988	2424	Xwave.exe	30
PID 2424 wrote to memory of 2988	2424	Xwave.exe	30
PID 2424 wrote to memory of 2988	2424	Xwave.exe	30
PID 2424 wrote to memory of 2988	2424	Xwave.exe	30
PID 2988 wrote to memory of 2336	2988	WScript.exe	31
PID 2988 wrote to memory of 2336	2988	WScript.exe	31
PID 2988 wrote to memory of 2336	2988	WScript.exe	31
PID 2988 wrote to memory of 2336	2988	WScript.exe	31
PID 2336 wrote to memory of 536	2336	cmd.exe	33
PID 2336 wrote to memory of 536	2336	cmd.exe	33
PID 2336 wrote to memory of 536	2336	cmd.exe	33
PID 2336 wrote to memory of 536	2336	cmd.exe	33
PID 536 wrote to memory of 2744	536	FontReview.exe	34
PID 536 wrote to memory of 2744	536	FontReview.exe	34
PID 536 wrote to memory of 2744	536	FontReview.exe	34
PID 2744 wrote to memory of 2664	2744	cmd.exe	36
PID 2744 wrote to memory of 2664	2744	cmd.exe	36
PID 2744 wrote to memory of 2664	2744	cmd.exe	36
PID 2744 wrote to memory of 2700	2744	cmd.exe	37
PID 2744 wrote to memory of 2700	2744	cmd.exe	37
PID 2744 wrote to memory of 2700	2744	cmd.exe	37
PID 2744 wrote to memory of 1488	2744	cmd.exe	39
PID 2744 wrote to memory of 1488	2744	cmd.exe	39
PID 2744 wrote to memory of 1488	2744	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\Xwave.exe
"C:\Users\Admin\AppData\Local\Temp\Xwave.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BridgeportComIntoDhcp\sH3WImtJJQwldLhw3vLhHERHLyfgdvqH7muYOp7XEqijEp.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\BridgeportComIntoDhcp\GEyjfkDn0AtOyOdcJ8lbZuw.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\BridgeportComIntoDhcp\FontReview.exe
      "C:\BridgeportComIntoDhcp/FontReview.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:536
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MddIEWkrTL.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2664
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2700
      - C:\Program Files\Mozilla Firefox\lsass.exe
        
        "C:\Program Files\Mozilla Firefox\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BridgeportComIntoDhcp\FontReview.exe

Filesize
2.8MB

MD5
19c4c9a7719c34a8ec0bfdfc687e64ea

SHA1
b0838a5e06d3728d5663e5fc3bbb8c7d8fbcff5b

SHA256
afcc827d5872aeac992109eee70a63a141e94d660a573137a41800957bb35910

SHA512
0d89cdb7973597dd3f248338b5fa6c75df7424228585f84ff8b3bc4afca8d8ebc85c267fa621fb6be2f8c9e962c533d3e7e4acd0111abeeec6c9f2d30212aeb6

Download Submit
C:\BridgeportComIntoDhcp\GEyjfkDn0AtOyOdcJ8lbZuw.bat

Filesize
77B

MD5
48442e2beb7f941c96f25691330f949c

SHA1
5632b66cc784c67c298e919077ce57c81b5980e8

SHA256
0299981133b8595644a305e4a97d6193f675d5bb3c0f5cb8d0b773f4614534d9

SHA512
7730bf97470c552ea293d1d448b06b54078049d2d5d7cb3994418a0bb7bd536ff0d2db253a92878cea2f1b8ce95b2cc835f8f7b997bfb4db8df9eb952f3c1f43

Download Submit
C:\BridgeportComIntoDhcp\sH3WImtJJQwldLhw3vLhHERHLyfgdvqH7muYOp7XEqijEp.vbe

Filesize
222B

MD5
775550401648d05bd23caa483cc3788b

SHA1
d762078664d0d7655bd5423cc97a75eb278a27e6

SHA256
5cbf46455d69882edd9b97089b7b09740f675328553f7739d09c236cd5232d28

SHA512
61363b7856673d2677975acee050a8b8e0fd575283d3cb813a187687921715ece932183c4380d2a97c313f4b73ce6c243e4d39d465272d02166bd77e178db06e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MddIEWkrTL.bat

Filesize
170B

MD5
e85abdd8180d5fb8a37442307eac6e0a

SHA1
4961ece879ccb164a6095d72820c0dde54695c07

SHA256
28b186b45c887fbf64ebfd274382369b9d4b8380b6b2ea3a3742c1a7c27e5141

SHA512
50b7ae48a1ef294d3f1b8241d95669788bf2eabfb360e253c5ac21dc10e2a3b42dbba3a9918b31e118885e4d0938c4b377deb6936de599844e3ed920123257e1

Download Submit
memory/536-23-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/536-29-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/536-19-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/536-21-0x00000000005F0000-0x0000000000606000-memory.dmp

Filesize
88KB

Download
memory/536-15-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/536-25-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/536-27-0x0000000000C80000-0x0000000000CDA000-memory.dmp

Filesize
360KB

Download
memory/536-17-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/536-31-0x0000000000A40000-0x0000000000A4E000-memory.dmp

Filesize
56KB

Download
memory/536-33-0x0000000000A70000-0x0000000000A88000-memory.dmp

Filesize
96KB

Download
memory/536-35-0x0000000000A50000-0x0000000000A5C000-memory.dmp

Filesize
48KB

Download
memory/536-37-0x000000001AEB0000-0x000000001AEFE000-memory.dmp

Filesize
312KB

Download
memory/536-13-0x0000000000D10000-0x0000000000FEA000-memory.dmp

Filesize
2.9MB

Download
memory/1488-56-0x00000000008A0000-0x0000000000B7A000-memory.dmp

Filesize
2.9MB

Download