Windows Analysis Report
WaveInstaller.exe

Overview

General Information

Sample name: WaveInstaller.exe
Analysis ID: 1465751
MD5: b075f4320e46d0d5e78a649e8ee011cc
SHA1: b0dd50171323f0f83dbea0340e9ed8cf44bea38e
SHA256: 8581823244a50bbed9709d09f3eba29dd9989681d96bff2b6c19245053069feb
Tags: exe
Infos:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

.NET source code contains potential unpacker
Uses Windows timers to delay execution
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Potential time zone aware malware
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Uses 32bit PE files
Source: WaveInstaller.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: WaveInstaller.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\User\Desktop\WaveInstaller\obj\Release\WaveInstaller.pdb source: WaveInstaller.exe
Source: Binary string: costura.costura.pdb.compressed source: WaveInstaller.exe
Source: Binary string: C:\Users\User\Desktop\WaveInstaller\obj\Release\WaveInstaller.pdbL source: WaveInstaller.exe
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: WaveInstaller.exe
Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed source: WaveInstaller.exe
Source: WaveInstaller.exe, 00000000.00000002.2902400992.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Common.124.3.8.rar
Source: WaveInstaller.exe String found in binary or memory: https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Common.124.3.8.rar1CefSharp.Wpf.124.3.8.rar
Source: WaveInstaller.exe String found in binary or memory: https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Wpf.124.3.8.rar
Source: WaveInstaller.exe String found in binary or memory: https://github.com/dxgi/wave-binaries/raw/main/Luau-x64.rar
Source: WaveInstaller.exe String found in binary or memory: https://github.com/dxgi/wave-binaries/raw/main/Wave-x64.rar
Source: WaveInstaller.exe, 00000000.00000002.2902400992.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/dxgi/wave-binaries/raw/main/Wave-x64.rarmeP?
Source: WaveInstaller.exe, 00000000.00000002.2902400992.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.nuget.org/api/v2/package/chromiumembeddedframework.runtime.win-x86/124.3.8
Source: WaveInstaller.exe String found in binary or memory: https://www.nuget.org/api/v2/package/chromiumembeddedframework.runtime.win-x86/124.3.87CefSharp.Comm
Sample file is different than original file name gathered from version info
Source: WaveInstaller.exe, 00000000.00000002.2901031823.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs WaveInstaller.exe
Uses 32bit PE files
Source: WaveInstaller.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: WaveInstaller.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WaveInstaller.exe, MainWindow.cs Suspicious URL: 'https://www.nuget.org/api/v2/package/chromiumembeddedframework.runtime.win-x86/124.3.8'
Source: classification engine Classification label: mal52.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\WaveInstaller.exe Mutant created: NULL
Source: WaveInstaller.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WaveInstaller.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\WaveInstaller.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: WaveInstaller.exe String found in binary or memory: :includes/images/installer.png0includes/images/logo.png
Source: WaveInstaller.exe String found in binary or memory: Includes/Images/Installer.png
Source: WaveInstaller.exe String found in binary or memory: The installation process will take some time. Sit back, relax and let this process finish. Please do not turn off your computer.-Installation Completed
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: msvcp140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: d3d9.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: msctfui.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: uiautomationcore.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: d3dcompiler_47.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\WaveInstaller.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: WaveInstaller.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: WaveInstaller.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: WaveInstaller.exe Static file information: File size 1622016 > 1048576
Source: WaveInstaller.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x158600
Source: WaveInstaller.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: WaveInstaller.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\User\Desktop\WaveInstaller\obj\Release\WaveInstaller.pdb source: WaveInstaller.exe
Source: Binary string: costura.costura.pdb.compressed source: WaveInstaller.exe
Source: Binary string: C:\Users\User\Desktop\WaveInstaller\obj\Release\WaveInstaller.pdbL source: WaveInstaller.exe
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: WaveInstaller.exe
Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed source: WaveInstaller.exe

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: WaveInstaller.exe, AssemblyLoader.cs .Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Yara detected Costura Assembly Loader
Source: Yara match File source: WaveInstaller.exe, type: SAMPLE
Source: Yara match File source: 0.0.WaveInstaller.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1639042963.00000000005C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2902400992.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: WaveInstaller.exe PID: 7348, type: MEMORYSTR
Binary contains a suspicious time stamp
Source: WaveInstaller.exe Static PE information: 0xBAAC8B75 [Sat Mar 30 11:54:29 2069 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\WaveInstaller.exe Code function: 0_2_01124265 push esp; retf 0_2_01124269
Source: C:\Users\user\Desktop\WaveInstaller.exe Code function: 0_2_01123D8A pushad ; iretd 0_2_01123D99
Source: C:\Users\user\Desktop\WaveInstaller.exe Code function: 0_2_01123DBB pushfd ; iretd 0_2_01123DC9
Source: C:\Users\user\Desktop\WaveInstaller.exe Code function: 0_2_011215CD pushfd ; iretd 0_2_011215D1
Source: C:\Users\user\Desktop\WaveInstaller.exe Code function: 0_2_011216C7 pushad ; retf 6B29h 0_2_01121781
Source: WaveInstaller.exe Static PE information: section name: .text entropy: 7.896784483784674
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Uses Windows timers to delay execution
Source: C:\Users\user\Desktop\WaveInstaller.exe User Timer Set: Timeout: 125ms Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe User Timer Set: Timeout: 10ms Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe User Timer Set: Timeout: 1ms Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe User Timer Set: Timeout: 984ms Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe User Timer Set: Timeout: 125ms Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe User Timer Set: Timeout: 1ms Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe User Timer Set: Timeout: 1ms Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\WaveInstaller.exe Memory allocated: 10C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Memory allocated: 2BA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Memory allocated: 28E0000 memory reserve | memory write watch Jump to behavior
Potential time zone aware malware
Source: C:\Users\user\Desktop\WaveInstaller.exe System information queried: CurrentTimeZoneInformation Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\WaveInstaller.exe Memory allocated: page read and write | page guard Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\WaveInstaller.exe Queries volume information: C:\Users\user\Desktop\WaveInstaller.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1465751 Sample: WaveInstaller.exe Startdate: 02/07/2024 Architecture: WINDOWS Score: 52 8 .NET source code contains potential unpacker 2->8 10 Yara detected Costura Assembly Loader 2->10 5 WaveInstaller.exe 2 2->5         started        process3 signatures4 12 Uses Windows timers to delay execution 5->12
No contacted IP infos