344700d3141170111a9b77db100f6961cc54a2988d964d34f7e1ca57aa42aa2a | Triage

Submit
Reports

Overview

overview

8

Static

static

3

WaveInstaller (1).exe

windows7-x64

3

WaveInstaller (1).exe

windows10-2004-x64

8

Sharing

General

Target

WaveInstaller (1).exe
Size

1.5MB
Sample

240822-ddjjxaydrq
MD5

c822ab5332b11c9185765b157d0b6e17
SHA1

7fe909d73a24ddd87171896079cceb8b03663ad4
SHA256

344700d3141170111a9b77db100f6961cc54a2988d964d34f7e1ca57aa42aa2a
SHA512

a8612836fb4714b939d03f7fe08391bbc635ca83ab853fc677159e5db6b00f76b9b586bdae9c19d2406d9a2713d1caf614132cb6c14e1dddc6ac45e47f7e5a5d
SSDEEP

24576:9viinbT3ipyqwPx4x3RyFoBkkAd04wJAAh/jV1gJcPNZI6fntX3HOt2pbs81ind2:EinbT3ipTD0anywJAaD/3U2pb7indT

Score

8^/10

discovery persistence privilege_escalation

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

WaveInstaller (1).exe

Resource

win7-20240729-en

windows7-x64

1 signatures

150 seconds

Behavioral task

behavioral2

Sample

WaveInstaller (1).exe

Resource

win10v2004-20240802-en

discovery persistence privilege_escalation

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Targets

- Target
  
  WaveInstaller (1).exe
- Size
  
  1.5MB
- MD5
  
  c822ab5332b11c9185765b157d0b6e17
- SHA1
  
  7fe909d73a24ddd87171896079cceb8b03663ad4
- SHA256
  
  344700d3141170111a9b77db100f6961cc54a2988d964d34f7e1ca57aa42aa2a
- SHA512
  
  a8612836fb4714b939d03f7fe08391bbc635ca83ab853fc677159e5db6b00f76b9b586bdae9c19d2406d9a2713d1caf614132cb6c14e1dddc6ac45e47f7e5a5d
- SSDEEP
  
  24576:9viinbT3ipyqwPx4x3RyFoBkkAd04wJAAh/jV1gJcPNZI6fntX3HOt2pbs81ind2:EinbT3ipTD0anywJAaD/3U2pb7indT
Score

8^/10

discovery persistence privilege_escalation
- Downloads MZ/PE file
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Legitimate hosting services abused for malware hosting/C2
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

Image File Execution Options Injection

Component Object Model Hijacking

Privilege Escalation

Event Triggered Execution

Image File Execution Options Injection

Component Object Model Hijacking

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Software Discovery

Security Software Discovery

Browser Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

discoverypersistenceprivilege_escalation

© 2018-2024

Terms | Privacy