7c2cb5bdaa3ce8e709450cd0ccfe4e81310f6c85180c672377e0ff8ce25c6592

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wave.rar
Size

1.9MB
MD5

11b42ba85912f44fc9e2230018fc02cb
SHA1

14f003be24179187a43001abc58789cf032a426e
SHA256

7c2cb5bdaa3ce8e709450cd0ccfe4e81310f6c85180c672377e0ff8ce25c6592
SHA512

fa3c1f6576b88900f5291a3549e0cdac76ac15f22205e7995578e427e5593ee30a63071d1ce8da8c9be8365793ccfea6cf02dc3dbd072191f9d78c2bb19b14b9
SSDEEP

49152:1pUD0SB9jlbfGtgKJc9jJ9yGmpPRliQhPeg33I:ED0ohfGadX9y5PLhbnI

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
320	WaveInstaller.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveInstaller.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2620	7zFM.exe
2620	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2620	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	2620	7zFM.exe
Token: 35	2620	7zFM.exe
Token: SeSecurityPrivilege	2620	7zFM.exe
Token: SeDebugPrivilege	320	WaveInstaller.exe
Token: SeSecurityPrivilege	2620	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2620	7zFM.exe
2620	7zFM.exe
2620	7zFM.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 320	2620	7zFM.exe	31
PID 2620 wrote to memory of 320	2620	7zFM.exe	31
PID 2620 wrote to memory of 320	2620	7zFM.exe	31
PID 2620 wrote to memory of 320	2620	7zFM.exe	31
PID 2620 wrote to memory of 320	2620	7zFM.exe	31
PID 2620 wrote to memory of 320	2620	7zFM.exe	31
PID 2620 wrote to memory of 320	2620	7zFM.exe	31
PID 2620 wrote to memory of 2708	2620	7zFM.exe	32
PID 2620 wrote to memory of 2708	2620	7zFM.exe	32
PID 2620 wrote to memory of 2708	2620	7zFM.exe	32

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Wave.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Local\Temp\7zOC3A953C6\WaveInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC3A953C6\WaveInstaller.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:320
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOC3A30F07\READ ME.txt
  2⤵
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zOC3A30F07\READ ME.txt

Filesize
206B

MD5
cc23aadacfce9cfb8605ce6a109da30a

SHA1
7b8d5affa43505ab702e7aa77b86624a367cf5d3

SHA256
45a1ed9407270249b95bd1ef50e76233dae1fe690084a15ef21c28012b1ae884

SHA512
0e796ebba57fb33d4769f17a35ce3a54ab9a62c3cc6a6d5339aee8e2d90b4e3ff3201d1ed34f487ffdea52b7b2ad7290eab02dc04f0455803fdf8861da14df65

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC3A953C6\WaveInstaller.exe

Filesize
2.3MB

MD5
215d509bc217f7878270c161763b471e

SHA1
bfe0a2580d54cfa28d3ff5ef8dc754fdc73adcd9

SHA256
984dfc64c10f96c5350d6d9216a5d7abfece1658dfc93925f7a6b0c80817c886

SHA512
68e615dfcb1b7770ad64175438a913744c14bdd3af93b339c2b526271bdd0d23334e78d049fdae8ca9fe66672a8cf252ebf891be9ab6c46a3d8f1fb00fa8c83b

Download Submit
memory/320-12-0x00000000008D0000-0x0000000000B1A000-memory.dmp

Filesize
2.3MB

Download
memory/320-14-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/320-13-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/320-15-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/320-16-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download