Overview

overview

9

Static

static

7

Wave Goodbye.exe

windows10-1703-x64

9

Analysis

  • max time kernel
    101s
  • max time network
    102s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    30-06-2024 02:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Wave Goodbye.exe

  • Size

    6.0MB

  • MD5

    b67c09157b260b02037a716d28d7c34f

  • SHA1

    a6da5549351e78fda395b5381dcf9e14240390fd

  • SHA256

    ceb6a0b8e1c27c75155ab28b9283fe488ae5daca15b0cc58ebfc009200c8e824

  • SHA512

    61cc65311af74f83ea950ef54661a5421df67026f7760e257ae3701b3b339f554ac1b42a63f2adafe142ad71a81c545b6749aac0a4f5c78eccd90d072fb7bbad

  • SSDEEP

    98304:dHx3rQ9UT/cnDEuzHEAtpW1pAT0WaDMyaATQKC2witrFr9vQVN9x3gHWdFISYft4:73rpbcnDEuzkAtpWzATIaAEHVYJJmN/P

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Themida packer 12 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 9 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 53 IoCs
  • Suspicious use of SendNotifyMessage 52 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Wave Goodbye.exe
    "C:\Users\Admin\AppData\Local\Temp\Wave Goodbye.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Drops file in Drivers directory
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies system certificate store
    • Suspicious use of FindShellTrayWindow
    PID:1716
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4544
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:916
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2732
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2860
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:4940
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:1676
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:4504
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:4248
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /6 /Startup
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3068
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:996
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:4208
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:4120

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
    Filesize

    4KB

    MD5

    1bfe591a4fe3d91b03cdf26eaacd8f89

    SHA1

    719c37c320f518ac168c86723724891950911cea

    SHA256

    9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

    SHA512

    02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E49JWOHD\edgecompatviewlist[1].xml
    Filesize

    74KB

    MD5

    d4fc49dc14f63895d997fa4940f24378

    SHA1

    3efb1437a7c5e46034147cbbc8db017c69d02c31

    SHA256

    853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

    SHA512

    cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\6KTCIBYQ\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\ZBRLKSH4\favicon[1].ico
    Filesize

    23KB

    MD5

    ec2c34cadd4b5f4594415127380a85e6

    SHA1

    e7e129270da0153510ef04a148d08702b980b679

    SHA256

    128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7

    SHA512

    c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\ZBRLKSH4\favicon[2].ico
    Filesize

    758B

    MD5

    84cc977d0eb148166481b01d8418e375

    SHA1

    00e2461bcd67d7ba511db230415000aefbd30d2d

    SHA256

    bbf8da37d92138cc08ffeec8e3379c334988d5ae99f4415579999bfbbb57a66c

    SHA512

    f47a507077f9173fb07ec200c2677ba5f783d645be100f12efe71f701a74272a98e853c4fab63740d685853935d545730992d0004c9d2fe8e1965445cab509c3

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\lzqne9h\imagestore.dat
    Filesize

    34KB

    MD5

    73a7e9cd2e18b5fe5b1dba255022e619

    SHA1

    7af3d33faac4b565348cbe81b34cafe96805e993

    SHA256

    8ca9883d472ddcb86e9bc6c05927767ff7d8ab6dc447818e670bd71b290a5697

    SHA512

    ce2f70d6394230baeeb896ac7c085e530cbab59c2445625ff4ad0f41701422cc8714218cb198574c87182b8b59e659055d865afb349ce1d64012a98a08ac9dab

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFF75F2CA8D0512A5F.TMP
    Filesize

    16KB

    MD5

    9c6a76ef13286f179d9da84da2a19e10

    SHA1

    3388d38352786fa06db90dce4edceff1eec06de6

    SHA256

    ea0d6ed2ef7472c7fe840181d68b655b330967d6c29810e33d1138267cdfe5cb

    SHA512

    95257a89f47cd5009b8c95365de811e217fde062a1d2045a0237258e10e08e007e65fb585e42d2599138ebbe081aa0567d826af5f7209b417eace00edc9b36f5

    Download Submit
  • memory/996-258-0x000001D3E8360000-0x000001D3E8380000-memory.dmp
    Filesize

    128KB

    Download
  • memory/996-280-0x000001D3E8030000-0x000001D3E8050000-memory.dmp
    Filesize

    128KB

    Download
  • memory/996-260-0x000001D3E83C0000-0x000001D3E84C0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/996-265-0x000001D3E8D20000-0x000001D3E8D40000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1716-127-0x0000000140000000-0x0000000140F65000-memory.dmp
    Filesize

    15.4MB

    Download
  • memory/1716-176-0x0000000140000000-0x0000000140F65000-memory.dmp
    Filesize

    15.4MB

    Download
  • memory/1716-4-0x0000000140000000-0x0000000140F65000-memory.dmp
    Filesize

    15.4MB

    Download
  • memory/1716-199-0x0000000140000000-0x0000000140F65000-memory.dmp
    Filesize

    15.4MB

    Download
  • memory/1716-196-0x0000000140000000-0x0000000140F65000-memory.dmp
    Filesize

    15.4MB

    Download
  • memory/1716-192-0x0000000140000000-0x0000000140F65000-memory.dmp
    Filesize

    15.4MB

    Download
  • memory/1716-0-0x0000000140000000-0x0000000140F65000-memory.dmp
    Filesize

    15.4MB

    Download
  • memory/1716-5-0x0000000140000000-0x0000000140F65000-memory.dmp
    Filesize

    15.4MB

    Download
  • memory/1716-2-0x0000000140000000-0x0000000140F65000-memory.dmp
    Filesize

    15.4MB

    Download
  • memory/1716-173-0x0000000140000000-0x0000000140F65000-memory.dmp
    Filesize

    15.4MB

    Download
  • memory/1716-6-0x0000000140000000-0x0000000140F65000-memory.dmp
    Filesize

    15.4MB

    Download
  • memory/1716-3-0x0000000140000000-0x0000000140F65000-memory.dmp
    Filesize

    15.4MB

    Download
  • memory/1716-1-0x00007FFE397C8000-0x00007FFE397CA000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2860-51-0x000001BA2FB40000-0x000001BA2FC40000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/2860-50-0x000001BA2FB40000-0x000001BA2FC40000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/4120-342-0x0000025576200000-0x0000025576300000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/4544-42-0x000001BF22770000-0x000001BF22772000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4544-135-0x000001BF2B9C0000-0x000001BF2B9C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4544-136-0x000001BF2B9D0000-0x000001BF2B9D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4544-7-0x000001BF25320000-0x000001BF25330000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4544-23-0x000001BF25420000-0x000001BF25430000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4940-78-0x00000201657C0000-0x00000201657C2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4940-80-0x00000201657E0000-0x00000201657E2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4940-82-0x0000020166430000-0x0000020166432000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4940-65-0x0000020154D00000-0x0000020154E00000-memory.dmp
    Filesize

    1024KB

    Download