Analysis
-
max time kernel
81s -
max time network
82s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
30-06-2024 06:10
General
-
Target
Wave Goodbye.exe
-
Size
6.0MB
-
MD5
b67c09157b260b02037a716d28d7c34f
-
SHA1
a6da5549351e78fda395b5381dcf9e14240390fd
-
SHA256
ceb6a0b8e1c27c75155ab28b9283fe488ae5daca15b0cc58ebfc009200c8e824
-
SHA512
61cc65311af74f83ea950ef54661a5421df67026f7760e257ae3701b3b339f554ac1b42a63f2adafe142ad71a81c545b6749aac0a4f5c78eccd90d072fb7bbad
-
SSDEEP
98304:dHx3rQ9UT/cnDEuzHEAtpW1pAT0WaDMyaATQKC2witrFr9vQVN9x3gHWdFISYft4:73rpbcnDEuzkAtpWzATIaAEHVYJJmN/P
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Themida packer 14 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Windows directory 4 IoCs
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Wave Goodbye.exe"C:\Users\Admin\AppData\Local\Temp\Wave Goodbye.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1644.0.551979365\485903070" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1676 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8da49658-b902-43f0-be71-83bbda0832b3} 1644 "\\.\pipe\gecko-crash-server-pipe.1644" 1764 19e4a8da358 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1644.1.1959711004\307765663" -parentBuildID 20221007134813 -prefsHandle 2092 -prefMapHandle 2088 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6de6c8c2-37db-4a1d-aca8-65119e2c7fda} 1644 "\\.\pipe\gecko-crash-server-pipe.1644" 2116 19e4a23e558 socket3⤵
- Checks processor information in registry
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1644.2.2129936577\1542181422" -childID 1 -isForBrowser -prefsHandle 2952 -prefMapHandle 2888 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b9aeb07-9fb8-45fc-8f02-be8a32f7d7f9} 1644 "\\.\pipe\gecko-crash-server-pipe.1644" 2880 19e4e89da58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1644.3.1163556275\434887594" -childID 2 -isForBrowser -prefsHandle 3352 -prefMapHandle 3344 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {107b5048-8eff-475e-955b-029197c7021b} 1644 "\\.\pipe\gecko-crash-server-pipe.1644" 3372 19e38271658 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1644.4.1521721712\1911795126" -childID 3 -isForBrowser -prefsHandle 4424 -prefMapHandle 4420 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8aabc673-b50e-4324-ad60-090ad8881403} 1644 "\\.\pipe\gecko-crash-server-pipe.1644" 4436 19e50a5a858 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1644.5.220722509\620805002" -childID 4 -isForBrowser -prefsHandle 2472 -prefMapHandle 4976 -prefsLen 26247 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab8a3392-6f15-4ee5-983a-d1ba6ae76b84} 1644 "\\.\pipe\gecko-crash-server-pipe.1644" 4984 19e4e89c858 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1644.6.1122726447\981565075" -childID 5 -isForBrowser -prefsHandle 5128 -prefMapHandle 5132 -prefsLen 26247 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {00eeb4ab-615c-4108-ae22-35427c8819fb} 1644 "\\.\pipe\gecko-crash-server-pipe.1644" 5020 19e50a5b158 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1644.7.1744277544\1826765765" -childID 6 -isForBrowser -prefsHandle 5320 -prefMapHandle 5324 -prefsLen 26247 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1dec3976-a217-4591-bef4-413f1ae127ed} 1644 "\\.\pipe\gecko-crash-server-pipe.1644" 5312 19e5109d258 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1644.8.1375018183\33616461" -childID 7 -isForBrowser -prefsHandle 4484 -prefMapHandle 4668 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c805b5e-5dce-4be8-972a-d59990cc589c} 1644 "\\.\pipe\gecko-crash-server-pipe.1644" 2560 19e38230b58 tab3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\3UMD097U\favicon[1].icoFilesize
23KB
MD5ec2c34cadd4b5f4594415127380a85e6
SHA1e7e129270da0153510ef04a148d08702b980b679
SHA256128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7
SHA512c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF897CEC8FD68541A2.TMPFilesize
24KB
MD54308e270ae52407306281c5601ad068d
SHA15f8a2c9be5e57ab715935f341192f9833b27a2b8
SHA256901107b60da77fc52a1960b71e58321e28fede953f569e8f1b877783f7a57c1b
SHA51286c534e5963ff1b26c363a837dc6d5e29e54030cb6a1da230c40887d11150b3bf57326d2be326ffbb6e23ed4cf2c991d145323dcc6fe176c011e4435921364a5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\db\data.safe.binFilesize
2KB
MD552339c4abc3344fc48d1b22bf5b5e280
SHA19613d21246fc9733377ab10d9a46cec1978ed734
SHA2566e4e3ea7ad5c9b221d6b3e31da558072d346274fb8aefec2f81338c6d3db49df
SHA512c43ab336f564369d8b9023125c3d353ba758f25e1647da6aaf3f18d6bd504bb11fe9ecb39f03da3fd07d06d8104794c981d099d3185695b308de219f0865987e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\59cb9196-186e-4aaa-835c-cbb620ed3e1eFilesize
10KB
MD56a06646f890eb51dcf55b6faa61eeab2
SHA1bcdca1a7762b6080275a240c1829635b751747d2
SHA25611f466350255e1e0814954155f528a591206836dda6ced86c6eb90cae4385916
SHA5129a77d00a3137d7e2b73fcfc03b560c560d184c947da3bb5d07216405637e2b7522ed017452d328b7e50eb6fc583cacc45880781eaca13b18a188ac667376f82a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\94fcd856-74ed-4a55-ba13-3a2fe564194cFilesize
746B
MD58645fe96e8c686ee928da2e3702b348e
SHA16877adcd3cc9b9539c3065a593ed1dde9800e1f0
SHA2563a1c60a69b37da511e62645f6ae21955dc7d9bfba595ebafa4c169747ee1993b
SHA5123a258b0f383f37a3010448f096de3f8e3d08289a8b15f8de0791ef34234c58b33eb9cdc757be81861d21ff131a75afd8eae9beedc604422499b2a19e3587d397
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.jsFilesize
6KB
MD5d8693d51f7a5293fc204405537a62e5b
SHA123a3673129eb4c650ad5665042e869ebec3185e9
SHA256e766a2c565f28a8407c8e78aa948670218ea82a4f45dc0fbe3d0feb76a805001
SHA512203bd9d6ec3b947cb3c39baa74abd30d3bb8fffbddd1524dcc505d11f80c825286a13fd7c6c75e22cd457c12d38364d98e7d68f4f8ff75ad1e253d38bd4192fe
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4Filesize
111KB
MD52895a143b3f23d2a03775781939aa2d9
SHA1b4a04bcb61d950b90fcc4218065779a31ed1c307
SHA256cf2d825303a528ac22850b17f9d31aa9bf42bc8cf77040b2161062774a70cdda
SHA51285e728016ba0b3947e0a1b5f977c7a34ba4f3e620ddddb1403a0a497fff231c023ace1a02bc627da55657e787c672a4f9418c8ac99e6761f11c3ec4672680ed7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4Filesize
112KB
MD5f59441365f2f30793b0bde703df319c1
SHA1de83839091c4239e379edca470add543f0368445
SHA25685800accd60f639cd1c057f20b36d7305615706644341215f1d4fad5130dbaa9
SHA5127a1c5747aa69ec582a2f72d02a8b5c02fe53d47da1c3169beacc214f70693d7bf90eea34822fa546c1109b8effbc1eef71819fc6d361f066bb9cd0f5c7d4d4d0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore.jsonlz4Filesize
111KB
MD55f6cdabf0abaa29645b7d7683abc0b35
SHA1fbeb370ff8bfca322ec3fc20047ce0faaed2b32e
SHA2569dacc9e2713d039383aa7823b0580470d609378a20e00cf1f2cf00df4b6d8502
SHA51278eb8728741083a88739f767644ac547b172a944ecb19718289489a9cb3ef75b98b6c6f6895624ef4921fe3f406008ea91b3ace2e2c987605cd1fc0c92ad12af
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqliteFilesize
184KB
MD53018d1aad8385b734068dbad441e344e
SHA12a3925bc92ec843db64b6db2cd6fe18ccf084a86
SHA256f33415b0b1fc8c7e52356318d44aef1ae6bd9c64a89afa012d43a01a79954f88
SHA5127ab1a1115a4f7ac61ba41bfe5875792cfa84d81f14f71239e43848de5940bfa07e2e34ea4be85a61c091d0b4b7742f3f55961fd26734b528cdb2c0b4d169c5e0
-
memory/3300-52-0x0000022BC9000000-0x0000022BC9100000-memory.dmpFilesize
1024KB
-
memory/3300-53-0x0000022BC9000000-0x0000022BC9100000-memory.dmpFilesize
1024KB
-
memory/4428-79-0x00000210B2C00000-0x00000210B2C02000-memory.dmpFilesize
8KB
-
memory/4428-64-0x00000210A1100000-0x00000210A1200000-memory.dmpFilesize
1024KB
-
memory/4428-77-0x00000210B29E0000-0x00000210B29E2000-memory.dmpFilesize
8KB
-
memory/4428-81-0x00000210B2C20000-0x00000210B2C22000-memory.dmpFilesize
8KB
-
memory/4912-8-0x00000287BD920000-0x00000287BD930000-memory.dmpFilesize
64KB
-
memory/4912-24-0x00000287BDA20000-0x00000287BDA30000-memory.dmpFilesize
64KB
-
memory/4912-134-0x00000287C4050000-0x00000287C4051000-memory.dmpFilesize
4KB
-
memory/4912-43-0x00000287BAE10000-0x00000287BAE12000-memory.dmpFilesize
8KB
-
memory/4912-178-0x00000287C1C30000-0x00000287C1C32000-memory.dmpFilesize
8KB
-
memory/4912-181-0x00000287BAEF0000-0x00000287BAEF1000-memory.dmpFilesize
4KB
-
memory/4912-185-0x00000287BAE00000-0x00000287BAE01000-memory.dmpFilesize
4KB
-
memory/4912-133-0x00000287C4040000-0x00000287C4041000-memory.dmpFilesize
4KB
-
memory/5116-6-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5116-5-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5116-194-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5116-0-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5116-7-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5116-2-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5116-193-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5116-286-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5116-191-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5116-3-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5116-327-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5116-4-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5116-1-0x00007FFEB04C8000-0x00007FFEB04CA000-memory.dmpFilesize
8KB
-
memory/5116-420-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB
-
memory/5116-421-0x0000000140000000-0x0000000140F65000-memory.dmpFilesize
15.4MB