Analysis
max time kernel: 21s
max time network: 23s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-08-2024 11:23
Behavioral task: behavioral1
Sample: WaveWindowsCracked.exe
Resource: win10v2004-20240802-en
General
Target: WaveWindowsCracked.exe
Size: 1.6MB
MD5: 1558c711774126500c3e278933d0a2bb
SHA1: 168421e0fb742b2ae1e70130deeb65d18f88d02b
SHA256: 965fd8dd7b3be89609936161d673541efcad2eb709ad37016ce37efbd72b054d
SHA512: 6648801c431900e7deecc18ae997abdac293588248b9e64c5d8d50bfcfded0f5e4568e2592371d7b4ce7da7cf8399d761514e921a3bf7a35a812c429957976f7
SSDEEP: 49152:bkTq24GjdGSiqkqXfd+/9AqYanieKds+:b1EjdGSiqkqXf0FLYW
Malware Config
Extracted
Family: stealerium
Webhook: https://discord.com/api/webhooks/1271851698473930752/0-NTtGyFGq1KkS0Bx3EmIVoBssXyqkg8GNp3zAN60XhQPY1LrLFrHs-zkIKSmQ0DtmDS
Signatures

Stealerium
An open source info stealer written in C#, first seen in May 2022.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | WaveWindowsCracked.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow | ioc
21 | discord.com
25 | discord.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaveWindowsCracked.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe

Delays execution with timeout.exe (1 IoC)
pid | Process
3752 | timeout.exe

Kills process with taskkill (1 IoC)
pid | Process
3328 | taskkill.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
4724 | WaveWindowsCracked.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4724 | WaveWindowsCracked.exe
Token: SeDebugPrivilege | 3328 | taskkill.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 4724 wrote to memory of 1148 | 4724 | WaveWindowsCracked.exe | 90
PID 4724 wrote to memory of 1148 | 4724 | WaveWindowsCracked.exe | 90
PID 4724 wrote to memory of 1148 | 4724 | WaveWindowsCracked.exe | 90
PID 1148 wrote to memory of 2376 | 1148 | cmd.exe | 92
PID 1148 wrote to memory of 2376 | 1148 | cmd.exe | 92
PID 1148 wrote to memory of 2376 | 1148 | cmd.exe | 92
PID 1148 wrote to memory of 3328 | 1148 | cmd.exe | 93
PID 1148 wrote to memory of 3328 | 1148 | cmd.exe | 93
PID 1148 wrote to memory of 3328 | 1148 | cmd.exe | 93
PID 1148 wrote to memory of 3752 | 1148 | cmd.exe | 94
PID 1148 wrote to memory of 3752 | 1148 | cmd.exe | 94
PID 1148 wrote to memory of 3752 | 1148 | cmd.exe | 94
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\WaveWindowsCracked.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\WaveWindowsCracked.exe"
PID: 4724
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpAA98.tmp.bat
  PID: 1148
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\chcp.com
    Command line: chcp 65001
    PID: 2376
    - System Location Discovery: System Language Discovery

    (depth 3) C:\Windows\SysWOW64\taskkill.exe
    Command line: TaskKill /F /IM 4724
    PID: 3328
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken

    (depth 3) C:\Windows\SysWOW64\timeout.exe
    Command line: Timeout /T 2 /Nobreak
    PID: 3752
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 57B
MD5: 3475dbd87bd167228e02661aee5883b8
SHA1: b9f67344f433333e6b73d8286867b6e7a29e7d54
SHA256: f58ef1f9635a4439f33eb536060112d2e77df637f9951059a3e661201ffcf4f7
SHA512: f93c9e3ebff2d2bbe8a76e86a780a27808c59b7742b1ea5fbc61321b62c3f76a48f6b861f1053d52ac222c21a3fd5aaa3dd155a264f1bda7e8c325cb3ed50551