Resubmissions
- 27/10/2024, 23:24: 241027-3d31zsvele (score 7)
- 27/10/2024, 22:52: 241027-2txcpsvfkk (score 8)
- 27/10/2024, 22:45: 241027-2pv9vavamh (score 8)
Analysis
- max time kernel: 150s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/10/2024, 22:45
Tasks
- static1 (static task)
- behavioral1: Wave-Setup.exe (resource win7-20240708-en)
- behavioral2: Wave-Setup.exe (resource win10v2004-20241007-en)
- behavioral3: $PLUGINSDIR/SpiderBanner.dll (resource win7-20240903-en)
- behavioral4: $PLUGINSDIR/SpiderBanner.dll (resource win10v2004-20241007-en)
- behavioral5: $PLUGINSDIR/StdUtils.dll (resource win7-20240903-en)
- behavioral6: $PLUGINSDIR/StdUtils.dll (resource win10v2004-20241007-en)
- behavioral7: $PLUGINSDIR/System.dll (resource win7-20241010-en)
- behavioral8: $PLUGINSDIR/System.dll (resource win10v2004-20241007-en)
- behavioral9: $PLUGINSDIR/WinShell.dll (resource win7-20240903-en)
- behavioral10: $PLUGINSDIR/WinShell.dll (resource win10v2004-20241007-en)
- behavioral11: LICENSES.chromium.html (resource win7-20240708-en)
- behavioral12: LICENSES.chromium.html (resource win10v2004-20241007-en)
- behavioral13: resources/app.asar.unpacked/node_modules/nodemon/bin/nodemon.js (resource ubuntu1804-amd64-20240611-en)
- behavioral14: resources/app.asar.unpacked/node_modules/nodemon/bin/nodemon.js (resource debian9-armhf-20240611-en)
- behavioral15: resources/app.asar.unpacked/node_modules/nodemon/bin/nodemon.js (resource debian9-mipsbe-20240611-en)
- behavioral16: resources/app.asar.unpacked/node_modules/nodemon/bin/nodemon.js (resource debian9-mipsel-20240226-en)
- behavioral17: resources/app.asar.unpacked/node_modules/nodemon/bin/windows-kill.exe (resource win7-20240903-en)
- behavioral18: resources/app.asar.unpacked/node_modules/nodemon/bin/windows-kill.exe (resource win10v2004-20241007-en)
- behavioral19: resources/app.asar.unpacked/node_modules/nodemon/lib/cli/index.js (resource win7-20241023-en)
- behavioral20: resources/app.asar.unpacked/node_modules/nodemon/lib/cli/index.js (resource win10v2004-20241007-en)
- behavioral21: resources/app.asar.unpacked/node_modules/nodemon/lib/cli/parse.js (resource win7-20240903-en)
- behavioral22: resources/app.asar.unpacked/node_modules/nodemon/lib/cli/parse.js (resource win10v2004-20241007-en)
- behavioral23: resources/app.asar.unpacked/node_modules/nodemon/lib/config/command.js (resource win7-20240903-en)
- behavioral24: resources/app.asar.unpacked/node_modules/nodemon/lib/config/command.js (resource win10v2004-20241007-en)
- behavioral25: resources/app.asar.unpacked/node_modules/nodemon/lib/config/defaults.js (resource win7-20240903-en)
- behavioral26: resources/app.asar.unpacked/node_modules/nodemon/lib/config/defaults.js (resource win10v2004-20241007-en)
- behavioral27: resources/app.asar.unpacked/node_modules/nodemon/lib/config/exec.js (resource win7-20240903-en)
- behavioral28: resources/app.asar.unpacked/node_modules/nodemon/lib/config/exec.js (resource win10v2004-20241007-en)
- behavioral29: resources/app.asar.unpacked/node_modules/nodemon/lib/config/index.js (resource win7-20240903-en)
- behavioral30: resources/app.asar.unpacked/node_modules/nodemon/lib/config/index.js (resource win10v2004-20241007-en)
- behavioral31: resources/app.asar.unpacked/node_modules/nodemon/lib/config/load.js (resource win7-20240903-en)
- behavioral32: resources/app.asar.unpacked/node_modules/nodemon/lib/config/load.js (resource win10v2004-20241007-en)
General
- Target: $PLUGINSDIR/WinShell.dll
- Size: 3KB
- MD5: 1cc7c37b7e0c8cd8bf04b6cc283e1e56
- SHA1: 0b9519763be6625bd5abce175dcc59c96d100d4c
- SHA256: 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
- SHA512: 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  PID 5776 Wave-Setup.exe
- Loads dropped DLL (5 IoCs)
  PID 5776 Wave-Setup.exe (x5)
- Enumerates processes with tasklist (1 TTP, 1 IoC)
  PID 6112 tasklist.exe
- Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTP, 1 IoC)
  When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
  File created: C:\Users\Admin\Downloads\Wave-Setup.exe:Zone.Identifier (firefox.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  PID 4064 WerFault.exe, target PID 4612 (procid_target 83)
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (find.exe, rundll32.exe, Wave-Setup.exe, cmd.exe, tasklist.exe)
- Checks processor information in registry (2 TTPs, 8 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe, x2)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe, x2)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (firefox.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings (firefox.exe)
- NTFS ADS (1 IoC)
  File created: C:\Users\Admin\Downloads\Wave-Setup.exe:Zone.Identifier (firefox.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 5776 Wave-Setup.exe (x2); PID 6112 tasklist.exe (x2)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token SeDebugPrivilege: PID 4800 firefox.exe (x2); PID 5776 Wave-Setup.exe (x2); PID 6112 tasklist.exe
  Token SeSecurityPrivilege: PID 5776 Wave-Setup.exe
- Suspicious use of FindShellTrayWindow (21 IoCs)
  PID 4800 firefox.exe (x21)
- Suspicious use of SendNotifyMessage (20 IoCs)
  PID 4800 firefox.exe (x20)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 4800 firefox.exe (x4)
- Suspicious use of WriteProcessMemory (64 IoCs; repeated entries collapsed by parent/child pair)
  PID 4068 rundll32.exe wrote to memory of PID 4612 (procid_target 83)
  PID 4984 firefox.exe wrote to memory of PID 4800 (procid_target 121)
  PID 4800 firefox.exe wrote to memory of PID 2344 (procid_target 122)
  PID 4800 firefox.exe wrote to memory of PID 1112 (procid_target 123)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe (PID 4068)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4612)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1
    Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\WerFault.exe (PID 4064)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 612
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 2596)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4612 -ip 4612
- C:\Windows\System32\rundll32.exe (PID 3604)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files\Mozilla Firefox\firefox.exe (PID 4984)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4800)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    Signatures: Subvert Trust Controls: Mark-of-the-Web Bypass; Checks processor information in registry; Modifies registry class; NTFS ADS; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2344, gpu)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e6dfcf3-c0cc-45d9-855c-183e29fa8d83} 4800 "\\.\pipe\gecko-crash-server-pipe.4800" gpu
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1112, socket)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a397f5b-4380-446c-a047-c79febc92e00} 4800 "\\.\pipe\gecko-crash-server-pipe.4800" socket
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3596, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2848 -childID 1 -isForBrowser -prefsHandle 3164 -prefMapHandle 2756 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f694f25f-a1fb-4302-848d-bd43076dbf32} 4800 "\\.\pipe\gecko-crash-server-pipe.4800" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4288, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3960 -childID 2 -isForBrowser -prefsHandle 3956 -prefMapHandle 3952 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {810e154d-15bb-489b-917d-3bcdf3a3fc30} 4800 "\\.\pipe\gecko-crash-server-pipe.4800" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5188, utility)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4880 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4832 -prefMapHandle 4824 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f5bf739-3613-43dc-8bb0-21426e810eda} 4800 "\\.\pipe\gecko-crash-server-pipe.4800" utility
      Signatures: Checks processor information in registry
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 6116, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4484 -childID 3 -isForBrowser -prefsHandle 5388 -prefMapHandle 3224 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7d1c09d-4a61-4773-8cf4-97bc022db62f} 4800 "\\.\pipe\gecko-crash-server-pipe.4800" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 6128, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 4 -isForBrowser -prefsHandle 5604 -prefMapHandle 5600 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3b5e4ae-d615-4b7a-af2f-c5ca560100ae} 4800 "\\.\pipe\gecko-crash-server-pipe.4800" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 6140, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5744 -childID 5 -isForBrowser -prefsHandle 5508 -prefMapHandle 5512 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef7e6654-8ea4-4752-aa0e-508cfcd0d6fa} 4800 "\\.\pipe\gecko-crash-server-pipe.4800" tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5336, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6036 -childID 6 -isForBrowser -prefsHandle 5920 -prefMapHandle 6032 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1088 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28c9512a-8071-4e7d-87f2-928a1c0d6b2a} 4800 "\\.\pipe\gecko-crash-server-pipe.4800" tab
    - C:\Users\Admin\Downloads\Wave-Setup.exe (PID 5776)
      Command line: "C:\Users\Admin\Downloads\Wave-Setup.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\cmd.exe (PID 6052)
        Command line: "C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Wave.exe" /FO csv | "C:\Windows\system32\find.exe" "Wave.exe"
        Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\tasklist.exe (PID 6112)
          Command line: tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq Wave.exe" /FO csv
          Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\find.exe (PID 6136)
          Command line: "C:\Windows\system32\find.exe" "Wave.exe"
          Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads