Edit tour

Windows Analysis Report
WaveInstaller.exe

Overview

General Information

Sample name:	WaveInstaller.exe
Analysis ID:	1465751
MD5:	b075f4320e46d0d5e78a649e8ee011cc
SHA1:	b0dd50171323f0f83dbea0340e9ed8cf44bea38e
SHA256:	8581823244a50bbed9709d09f3eba29dd9989681d96bff2b6c19245053069feb
Tags:	exe
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

.NET source code contains potential unpacker

Uses Windows timers to delay execution

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Potential time zone aware malware

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

WaveInstaller.exe (PID: 7348 cmdline: "C:\Users\user\Desktop\WaveInstaller.exe" MD5: B075F4320E46D0D5E78A649E8EE011CC)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
WaveInstaller.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1639042963.00000000005C2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2902400992.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: WaveInstaller.exe PID: 7348	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.WaveInstaller.exe.5c0000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: WaveInstaller.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: WaveInstaller.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\User\Desktop\WaveInstaller\obj\Release\WaveInstaller.pdb source: WaveInstaller.exe
Source:	Binary string: costura.costura.pdb.compressed source: WaveInstaller.exe
Source:	Binary string: C:\Users\User\Desktop\WaveInstaller\obj\Release\WaveInstaller.pdbL source: WaveInstaller.exe
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: WaveInstaller.exe
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed source: WaveInstaller.exe

Source: WaveInstaller.exe, 00000000.00000002.2902400992.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Common.124.3.8.rar
Source: WaveInstaller.exe	String found in binary or memory: https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Common.124.3.8.rar1CefSharp.Wpf.124.3.8.rar
Source: WaveInstaller.exe	String found in binary or memory: https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Wpf.124.3.8.rar
Source: WaveInstaller.exe	String found in binary or memory: https://github.com/dxgi/wave-binaries/raw/main/Luau-x64.rar
Source: WaveInstaller.exe	String found in binary or memory: https://github.com/dxgi/wave-binaries/raw/main/Wave-x64.rar
Source: WaveInstaller.exe, 00000000.00000002.2902400992.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dxgi/wave-binaries/raw/main/Wave-x64.rarmeP?
Source: WaveInstaller.exe, 00000000.00000002.2902400992.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/api/v2/package/chromiumembeddedframework.runtime.win-x86/124.3.8
Source: WaveInstaller.exe	String found in binary or memory: https://www.nuget.org/api/v2/package/chromiumembeddedframework.runtime.win-x86/124.3.87CefSharp.Comm

Source: WaveInstaller.exe, 00000000.00000002.2901031823.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameclr.dllT vs WaveInstaller.exe

Source: WaveInstaller.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: WaveInstaller.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: WaveInstaller.exe, MainWindow.cs

Suspicious URL: 'https://www.nuget.org/api/v2/package/chromiumembeddedframework.runtime.win-x86/124.3.8'

Source: classification engine

Classification label: mal52.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\WaveInstaller.exe

Mutant created: NULL

Source: WaveInstaller.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: WaveInstaller.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\WaveInstaller.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: WaveInstaller.exe	String found in binary or memory: :includes/images/installer.png0includes/images/logo.png
Source: WaveInstaller.exe	String found in binary or memory: Includes/Images/Installer.png
Source: WaveInstaller.exe	String found in binary or memory: The installation process will take some time. Sit back, relax and let this process finish. Please do not turn off your computer.-Installation Completed

Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: msctfui.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior

Source: C:\Users\user\Desktop\WaveInstaller.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\WaveInstaller.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: WaveInstaller.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: WaveInstaller.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: WaveInstaller.exe

Static file information: File size 1622016 > 1048576

Source: WaveInstaller.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x158600

Source: WaveInstaller.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: WaveInstaller.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\User\Desktop\WaveInstaller\obj\Release\WaveInstaller.pdb source: WaveInstaller.exe
Source:	Binary string: costura.costura.pdb.compressed source: WaveInstaller.exe
Source:	Binary string: C:\Users\User\Desktop\WaveInstaller\obj\Release\WaveInstaller.pdbL source: WaveInstaller.exe
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: WaveInstaller.exe
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed source: WaveInstaller.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: WaveInstaller.exe, AssemblyLoader.cs

.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])

Yara detected Costura Assembly Loader

Source: Yara match	File source: WaveInstaller.exe, type: SAMPLE
Source: Yara match	File source: 0.0.WaveInstaller.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1639042963.00000000005C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2902400992.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WaveInstaller.exe PID: 7348, type: MEMORYSTR

Source: WaveInstaller.exe

Static PE information: 0xBAAC8B75 [Sat Mar 30 11:54:29 2069 UTC]

Source: C:\Users\user\Desktop\WaveInstaller.exe	Code function: 0_2_01124265 push esp; retf	0_2_01124269
Source: C:\Users\user\Desktop\WaveInstaller.exe	Code function: 0_2_01123D8A pushad ; iretd	0_2_01123D99
Source: C:\Users\user\Desktop\WaveInstaller.exe	Code function: 0_2_01123DBB pushfd ; iretd	0_2_01123DC9
Source: C:\Users\user\Desktop\WaveInstaller.exe	Code function: 0_2_011215CD pushfd ; iretd	0_2_011215D1
Source: C:\Users\user\Desktop\WaveInstaller.exe	Code function: 0_2_011216C7 pushad ; retf 6B29h	0_2_01121781

Source: WaveInstaller.exe

Static PE information: section name: .text entropy: 7.896784483784674

Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Uses Windows timers to delay execution

Source: C:\Users\user\Desktop\WaveInstaller.exe	User Timer Set: Timeout: 125ms	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	User Timer Set: Timeout: 10ms	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	User Timer Set: Timeout: 1ms	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	User Timer Set: Timeout: 984ms	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	User Timer Set: Timeout: 125ms	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	User Timer Set: Timeout: 1ms	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	User Timer Set: Timeout: 1ms	Jump to behavior

Source: C:\Users\user\Desktop\WaveInstaller.exe	Memory allocated: 10C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Memory allocated: 2BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Memory allocated: 28E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\WaveInstaller.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\WaveInstaller.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\WaveInstaller.exe	Queries volume information: C:\Users\user\Desktop\WaveInstaller.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\WaveInstaller.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	12 Software Packing	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
WaveInstaller.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://www.nuget.org/api/v2/package/chromiumembeddedframework.runtime.win-x86/124.3.8	0%	Avira URL Cloud	safe
https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Common.124.3.8.rar1CefSharp.Wpf.124.3.8.rar	0%	Avira URL Cloud	safe
https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Common.124.3.8.rar	0%	Avira URL Cloud	safe
https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Wpf.124.3.8.rar	0%	Avira URL Cloud	safe
https://github.com/dxgi/wave-binaries/raw/main/Wave-x64.rarmeP?	0%	Avira URL Cloud	safe
https://github.com/dxgi/wave-binaries/raw/main/Wave-x64.rar	0%	Avira URL Cloud	safe
https://github.com/dxgi/wave-binaries/raw/main/Luau-x64.rar	0%	Avira URL Cloud	safe
https://www.nuget.org/api/v2/package/chromiumembeddedframework.runtime.win-x86/124.3.87CefSharp.Comm	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Wpf.124.3.8.rar	WaveInstaller.exe	false	Avira URL Cloud: safe	unknown
https://www.nuget.org/api/v2/package/chromiumembeddedframework.runtime.win-x86/124.3.8	WaveInstaller.exe, 00000000.00000002.2902400992.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/dxgi/wave-binaries/raw/main/Wave-x64.rarmeP?	WaveInstaller.exe, 00000000.00000002.2902400992.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.nuget.org/api/v2/package/chromiumembeddedframework.runtime.win-x86/124.3.87CefSharp.Comm	WaveInstaller.exe	false	Avira URL Cloud: safe	unknown
https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Common.124.3.8.rar	WaveInstaller.exe, 00000000.00000002.2902400992.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/dxgi/wave-binaries/raw/main/Luau-x64.rar	WaveInstaller.exe	false	Avira URL Cloud: safe	unknown
https://github.com/dxgi/wave-binaries/raw/main/Wave-x64.rar	WaveInstaller.exe	false	Avira URL Cloud: safe	unknown
https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Common.124.3.8.rar1CefSharp.Wpf.124.3.8.rar	WaveInstaller.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465751
Start date and time:	2024-07-02 01:01:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WaveInstaller.exe
Detection:	MAL
Classification:	mal52.evad.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 41 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target WaveInstaller.exe, PID 7348 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: WaveInstaller.exe

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.778883023585141
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	WaveInstaller.exe
File size:	1'622'016 bytes
MD5:	b075f4320e46d0d5e78a649e8ee011cc
SHA1:	b0dd50171323f0f83dbea0340e9ed8cf44bea38e
SHA256:	8581823244a50bbed9709d09f3eba29dd9989681d96bff2b6c19245053069feb
SHA512:	e08024b5fa50dc344ca18413a6c21e0f20490c22c90c565d6f663014f1673643da1d5d748e0cefca8a7cbae91a62470289803ad588d3aa5cf3dc6292d7393d47
SSDEEP:	24576:VviinbT3ipyqwPx4x3RyFoBkkAd04wJAAh/jV1gJcPNZI6fntX3HOt2pq081ind2:MinbT3ipTD0anywJAaD/3U2pqjindT
TLSH:	14750219263CC9CFFC2A07715DE6E15A7B3D317692090788ECCCC14C32FAE56B5AA529
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u............."...0......8......~.... ........@.. ....................... ............`................................

File Icon


Icon Hash:	2340020b0bbf733f

Static PE Info

General

Entrypoint:	0x55a57e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xBAAC8B75 [Sat Mar 30 11:54:29 2069 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x15a524	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x15c000	0x33568	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x190000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x15a490	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x158584	0x158600	87a0c02863b3dcaa0ae6c673aaae1007	False	0.9096068228221416	data	7.896784483784674	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x15c000	0x33568	0x33600	ebca0a1dbf0d38205e85addf43d2fa5f	False	0.5065674422141119	data	6.519252337857065	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x190000	0xc	0x200	f37c38bf08214507238c1de4f9dd7c49	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x15c200	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 5669 x 5669 px/m	0.875
RT_ICON	0x15c678	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 5669 x 5669 px/m	0.7729508196721312
RT_ICON	0x15d010	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 5669 x 5669 px/m	0.6744840525328331
RT_ICON	0x15e0c8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 5669 x 5669 px/m	0.5504149377593361
RT_ICON	0x160680	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 5669 x 5669 px/m	0.4750236183278224
RT_ICON	0x1648b8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 5669 x 5669 px/m	0.4406192236598891
RT_ICON	0x169d50	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 5669 x 5669 px/m	0.36519865461425266
RT_ICON	0x173208	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 5669 x 5669 px/m	0.2990949958594582
RT_ICON	0x183a40	0xa9e7	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9990343717668697
RT_GROUP_ICON	0x18e438	0x84	data	0.7272727272727273
RT_VERSION	0x18e4cc	0x33c	data	0.41304347826086957
RT_MANIFEST	0x18e818	0xd4c	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.38689776733254994

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	19:01:53
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\WaveInstaller.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\WaveInstaller.exe"
Imagebase:	0x5c0000
File size:	1'622'016 bytes
MD5 hash:	B075F4320E46D0D5E78A649E8EE011CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.1639042963.00000000005C2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2902400992.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 01122319 Relevance: 5.5, Strings: 4, Instructions: 544COMMON

Download Yara Rule

Strings

)k, xrefs: 01122550
f_l, xrefs: 01122909
f_l, xrefs: 011226BD
f_l, xrefs: 01122775

Memory Dump Source

Source File: 00000000.00000002.2902103662.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_WaveInstaller.jbxd

Similarity

API ID:
String ID: )k$f_l$f_l$f_l
API String ID: 0-1995727330
Opcode ID: 7356b2f9dcac1928da233f1d7c056dd55c6e2bb44f659a413e30df971182b9a3
Instruction ID: 807dcef3407fa0f81ca84224095db99938a724ee92065d9297d845b7b8b0bc03
Opcode Fuzzy Hash: 7356b2f9dcac1928da233f1d7c056dd55c6e2bb44f659a413e30df971182b9a3
Instruction Fuzzy Hash: 9B02037290E3F28FDB1B9B3898611ED7FB4AF53215B0A4587C4858F063D734496AC7A2

Function 01126A28 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

$^q, xrefs: 01126A93

Memory Dump Source

Source File: 00000000.00000002.2902103662.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_WaveInstaller.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 9d438c870d209139f03c897c89da8281483c561bd2ddea748cf27be56dbcd6b2
Instruction ID: 3d98e777b7336da3fca2a56145af7d488de4cb527402f70291c7ee054d5274b9
Opcode Fuzzy Hash: 9d438c870d209139f03c897c89da8281483c561bd2ddea748cf27be56dbcd6b2
Instruction Fuzzy Hash: AFF028757002251FE7195A6968606BF37EAA7C8614F14843BDC09CB3C0EE705C0283B7

Function 01126A38 Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

$^q, xrefs: 01126A93

Memory Dump Source

Source File: 00000000.00000002.2902103662.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_WaveInstaller.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 02d1d7395a04039505808a563569a2064ef13740e4fc9a6493e194a2fc02e452
Instruction ID: e3b269686c45b2b1da082baa557af34fb687e069c45d696250bd8c56955b414f
Opcode Fuzzy Hash: 02d1d7395a04039505808a563569a2064ef13740e4fc9a6493e194a2fc02e452
Instruction Fuzzy Hash: FCF0F0757002291BEB18AA6A686066F22DAA7C8614F14843AD909C73C0DE70AC0283BA

Function 01126588 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2902103662.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f2052450bffa2b9605703516a533adcef91ea7215882649da438d35e6e04a5
Instruction ID: 0e648cf93d6a3cda2a240ce0e80ddf8e751b6f8007db268dfb6cc3b13386d4e5
Opcode Fuzzy Hash: 06f2052450bffa2b9605703516a533adcef91ea7215882649da438d35e6e04a5
Instruction Fuzzy Hash: 00219B30E592A18BCF487B74EC6C06D3EA2AF5930A3454879E446CB5A1EF348C72DB54

Function 011265ED Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2902103662.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72fe376b3011b9be5171d9772e16dd86f69d738046b386fa19042a274458edee
Instruction ID: 9e9830aea02f4087b6c1ff0c7b9117967eb1731177bcf6c8ad57b17da9c9768b
Opcode Fuzzy Hash: 72fe376b3011b9be5171d9772e16dd86f69d738046b386fa19042a274458edee
Instruction Fuzzy Hash: 53218930E592A18BCF497B74EC6C06C3EA2AF5930A7454869F447CB5A1EF348C72DB14

Function 011216C7 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2902103662.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e006e0d1a97f672fb3b1c12b4fd1d7d5803b2bc0d0c963059b457cd3e3cf65
Instruction ID: 23074c364a4205058daaf9721405e48da9a4b69a124c9f068795d940c58fccce
Opcode Fuzzy Hash: 54e006e0d1a97f672fb3b1c12b4fd1d7d5803b2bc0d0c963059b457cd3e3cf65
Instruction Fuzzy Hash: 44812571504B629FC703EB38E9A05D97FB2FFD2305B054A9AD0588F256DB30AC4AC7A5

Function 011279B0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2902103662.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db65bf9ab2d19c63eade178a243e3164ee152c99191682854ddbe9b1c5397aa8
Instruction ID: aaac6780270b23f5cc8456d3b780b0703da2df61fae7363961d4eb531bf132dc
Opcode Fuzzy Hash: db65bf9ab2d19c63eade178a243e3164ee152c99191682854ddbe9b1c5397aa8
Instruction Fuzzy Hash: 9F817634600A158FDB05FF64FAA9D4537A2F79830BB118F10E402076ADEFB0E8868BD1

Function 011279C0 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2902103662.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b2147327bb1b8a5672c1f5d4ed37ee407df2e2e83c717be0f6f4fc163cf71b1
Instruction ID: 6e1c3f497e90d4d8cdd8fb5491ec4bff7daca12bced498d5e83bc488aa4876e0
Opcode Fuzzy Hash: 8b2147327bb1b8a5672c1f5d4ed37ee407df2e2e83c717be0f6f4fc163cf71b1
Instruction Fuzzy Hash: D3817934600A158FDB05FF64FAA9D4577A2F79830BB118F10E402076ADEFB0E9868BD1

Function 01125EA8 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2902103662.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 916771ff673d0f9613d4bf2f807664c4dbeab9324e427d85a6c8914e55a24534
Instruction ID: 559a0823b16a5cc40ebeb9476043ab573356773e1db48eaa06472d4fdc6a45e0
Opcode Fuzzy Hash: 916771ff673d0f9613d4bf2f807664c4dbeab9324e427d85a6c8914e55a24534
Instruction Fuzzy Hash: 0541F730B041259FDB0D9F69C4646AEBEB7EF89310F14846AE9069B390CF39DC15CBA5

Function 01121788 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2902103662.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 690f514750f17654405b6a9c2c960bc56a27d0ce3b1d4701383dd44782e876b5
Instruction ID: 8d00c0d131ec9264ae3640200940664028160847300b881244755d8e03144ce3
Opcode Fuzzy Hash: 690f514750f17654405b6a9c2c960bc56a27d0ce3b1d4701383dd44782e876b5
Instruction Fuzzy Hash: D2516D30200B169FC705EB28E990A9EB7A2FFD4306F008E29D05D8F658DF31AC46CB91

Function 01121798 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2902103662.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c33dd6aeeaff99b14618188b8964e918153032e9ef5468772d0dd431f9cd6706
Instruction ID: 0c2b0f65a9831812a1d1faf674285eff4cdebeea35e0ceb47822be5e09cfb8ab
Opcode Fuzzy Hash: c33dd6aeeaff99b14618188b8964e918153032e9ef5468772d0dd431f9cd6706
Instruction Fuzzy Hash: 52515C30200A169FC705EB28E990A9EB7A6FFD4306F008E29D15D8F618DF31BC46CB91

Function 011207EB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2902103662.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e234c89fff883bc332bf5ddc3b23672cb2c19f1c596081eb376e64dc08d709a
Instruction ID: c4877d9a311514c7c006a67fcebe8bb22fa275f4080d1f5744f0394a8ae4e0e7
Opcode Fuzzy Hash: 2e234c89fff883bc332bf5ddc3b23672cb2c19f1c596081eb376e64dc08d709a
Instruction Fuzzy Hash: 19319CB294E7D05FC3074778AC156823FB4EB5B614F0A01D7E085CF2A3EA645909C7A2

Function 0103EAF8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901836095.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_103d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5716ebf25ff5565aa108bfdd70fb393399663b7163473d5275e7c1b8552fdac6
Instruction ID: 45ff0a1a20969b47b338ff8f6cfefaa5f40386232e88ea9c54d27497227971fb
Opcode Fuzzy Hash: 5716ebf25ff5565aa108bfdd70fb393399663b7163473d5275e7c1b8552fdac6
Instruction Fuzzy Hash: CD31E672504240EFDF4B9F54D9C0F17BFAAFB88320F24C6A8E94A0A256C336D456DB61

Function 0103E9FC Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901836095.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_103d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b430f32f79b21a98269aff805e5588883063e8d9157f4110fc4218effc235c9
Instruction ID: 931bc80a9b9ec04cb7a401db23c85401eea756a3b68898d2200f70ad39dda8f4
Opcode Fuzzy Hash: 0b430f32f79b21a98269aff805e5588883063e8d9157f4110fc4218effc235c9
Instruction Fuzzy Hash: BA21D3B2504604EFDF06DF54D9C0B26BFAAFBC8314F24C6A9E9494A256C336E417CB61

Function 0103D5E8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901836095.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_103d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbbdc5bd9ce6835adc485178e8433856eff2d985a38ef46ca83426c58df3418b
Instruction ID: 670c4f4edb3c9f19a5bb9cfa205079cc52c1cb2c0277b003bb40080f0b47155d
Opcode Fuzzy Hash: dbbdc5bd9ce6835adc485178e8433856eff2d985a38ef46ca83426c58df3418b
Instruction Fuzzy Hash: AE2105B5504200EFCB06DF94D9C0B16BFA9FBCC314F648699E94D0B256C336D816DB61

Function 0102D06C Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901790012.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_102d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0096aceda0d851b2f7be9b3fa9635a8c8c68829b5e6e22a6cf455891af3f2572
Instruction ID: 711ca5ceaaa75f6682edcff43514fdb83e1bf8246e0974afe2ff5d1f427a06ac
Opcode Fuzzy Hash: 0096aceda0d851b2f7be9b3fa9635a8c8c68829b5e6e22a6cf455891af3f2572
Instruction Fuzzy Hash: 8A214871504240EFCB05DF94D8C4B1ABFA5FB88314F34C6A9ED490B656C33AD816CBA1

Function 0102D5C8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901790012.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_102d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 083ef9ab7687687dafab856ebfc03bd161f3ed3a5e795e13a8f43238ca82f0b4
Instruction ID: 8a33ce64e54a8e130b81b167c6dc613cc335c28bcf45dbead0dfa94fbc025d7f
Opcode Fuzzy Hash: 083ef9ab7687687dafab856ebfc03bd161f3ed3a5e795e13a8f43238ca82f0b4
Instruction Fuzzy Hash: 722128B1504200DFDB15DF58D9C8B1ABFA5FB98314F24C5ADE94E0B246C336D856C7A1

Function 0103D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901836095.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_103d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb5346d04b14f321a027bebbeb0de61f67ba599f34cf5a9e0b4f50d83d337864
Instruction ID: ca91a8ce9e08c13ec66ad8bd991a16148e9668b20fb539b5597c0507a1f11de7
Opcode Fuzzy Hash: eb5346d04b14f321a027bebbeb0de61f67ba599f34cf5a9e0b4f50d83d337864
Instruction Fuzzy Hash: FB2103B5604200DFCB15DF58D8C4B16FBA9FB84714F60C9ADE98A0B242C336D407CB61

Function 01127DC7 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2902103662.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 859d42a48b05e2f23e9a3de4458050ec9ca38280756548a24c08c7a64180e424
Instruction ID: 0303535daa0c9c14ebd18537d2c72939eb6f5cf10944d8acd16d071a5e5ec6e4
Opcode Fuzzy Hash: 859d42a48b05e2f23e9a3de4458050ec9ca38280756548a24c08c7a64180e424
Instruction Fuzzy Hash: 7031E4B0D01268DFDB28DFA9C985BDEBFF5AF58314F148019E504BB290D7745845CB64

Function 01127DD0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2902103662.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca04208ae476bb2bae7891860c9480409bd9dc73ca3d9219620f54fc607729a8
Instruction ID: fe032d502efffadab097b5be5cbb497f5830da44b3cacf3915610f9c7386d75e
Opcode Fuzzy Hash: ca04208ae476bb2bae7891860c9480409bd9dc73ca3d9219620f54fc607729a8
Instruction Fuzzy Hash: B131F2B0D01228DFDB28DF9AC984BDEBFF5AF48314F148029E504BB290D7B46885CB65

Function 0103EAF3 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901836095.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_103d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6238b9b0f021b19c456f668d1d9b97fb5dc473314950a21f6fd835f5d488ef7
Instruction ID: 53e442a7e714dcd81f64f61124ebc27037a27f14bcdd4b9de1bf5159ab333a9b
Opcode Fuzzy Hash: e6238b9b0f021b19c456f668d1d9b97fb5dc473314950a21f6fd835f5d488ef7
Instruction Fuzzy Hash: 9421A176504240DFCF478F44D9C4B56BF76FB88320F2482D9ED4A0A66AC336D466DB61

Function 0103D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901836095.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_103d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2bceaa1c9a2ba4655ceef15c3b01fce8464c0599f402d9918db0ac258bf21d2
Instruction ID: cdf0d7300c4133ba25e1f2db93cad18143d8aff842d31e360d3bb21c270d01e4
Opcode Fuzzy Hash: e2bceaa1c9a2ba4655ceef15c3b01fce8464c0599f402d9918db0ac258bf21d2
Instruction Fuzzy Hash: C02183755083809FCB02CF64D994711BFB5EB86214F28C5DAD8898F2A7C33A9816CB62

Function 011267E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2902103662.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56b9131b2e0caedcf37ca71e082d06e59b8be7127fd502585b3d94c2cea78a7
Instruction ID: 2e6755028b8549bdb90c70e54d89fd5a8dd6e1fd8c810aa16e797ba29ae4e2ab
Opcode Fuzzy Hash: d56b9131b2e0caedcf37ca71e082d06e59b8be7127fd502585b3d94c2cea78a7
Instruction Fuzzy Hash: F4110430E552628BCF4877B4EC6C06D7A92AFA830A3415838F457C75A5DF348C72DB54

Function 0103E9F7 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901836095.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_103d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e969b801ef377ab038facd922e72ebd973ab157ff32c545a218f7ba5d2a2bc
Instruction ID: 1299deff80004277bf8c6a34dced97566e4de0f1bbc4d1da8cf7911da004c993
Opcode Fuzzy Hash: e0e969b801ef377ab038facd922e72ebd973ab157ff32c545a218f7ba5d2a2bc
Instruction Fuzzy Hash: 4B218B76504240DFCF06CF54D9C4B56BFB2FB88324F24C2A9ED494A65AC336E426DB91

Function 0103D5E3 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901836095.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_103d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc0f46af7ee6ea708de2a39cceb2e6997bdb58e006c41f55ac8307ed99aad48
Instruction ID: 3dfe187c9b9d096cc0af6130656228bc5ac89ca1116f94385e9fbef47870c28f
Opcode Fuzzy Hash: 0dc0f46af7ee6ea708de2a39cceb2e6997bdb58e006c41f55ac8307ed99aad48
Instruction Fuzzy Hash: AA21AE76504280DFCF06DF54D9C4B16BFB2FB88314F2486A9D9890B256C336D426DB91

Function 0102D067 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901790012.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_102d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e589ff89d53fefa928555ed391731ad88d74b974b24a20ba51987b010bfd2c
Instruction ID: f07cabc5ded4e69532e414176ef735e2a6e333109efbbf12ee5d7447c60222bc
Opcode Fuzzy Hash: 85e589ff89d53fefa928555ed391731ad88d74b974b24a20ba51987b010bfd2c
Instruction Fuzzy Hash: 8021AF76504284EFDB06CF54D9C4B16BFB2FB88314F24C6A9DD490B656C33AD826CB91

Function 01126968 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2902103662.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e650c3283479d6a1e1fb96de398110c2ee324fbad33875e4a480727836e76e
Instruction ID: 5a61dfd8babe3c90e6258a34f096cac49e336f2493ad860359039e1959ac093c
Opcode Fuzzy Hash: f1e650c3283479d6a1e1fb96de398110c2ee324fbad33875e4a480727836e76e
Instruction Fuzzy Hash: 4011C6317002215FC716EB38AA6056E3BD6AB895987098576CD49D7388FF74CC13C782

Function 0102D5C3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901790012.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_102d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: e132714e87fe562096a29135eff1a37f4e0c032f8af50220d3d185963f1fb6fd
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: 78110676504240CFDB12CF54D5C8B16BFB2FB88324F24C6A9D8490B257C336D85ACB91

Function 0102DA05 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901790012.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_102d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b63217342cf880538fe6cd501b6f5b4ccd5ba804fd527e2364ff6a2d2d4a67a8
Instruction ID: 21b9c0950bd13c4f0deefd577012e6d2cb5031e79830921e89f26a45f84e1234
Opcode Fuzzy Hash: b63217342cf880538fe6cd501b6f5b4ccd5ba804fd527e2364ff6a2d2d4a67a8
Instruction Fuzzy Hash: 7201F27100D3509AEB608AA9CC84F6AFFD8DF51321F08C49AED990B282C6789C40C7B1

Function 0102D8A3 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901790012.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_102d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5a3e6915c2443c119e2f7b06fdfb3edc8c7c7ab2aebf83861ea60815ea7c0a0
Instruction ID: 0cccf804b8baa237dfe57447c61ae9c8c77a24dde20d672c97662fc5a5f42c84
Opcode Fuzzy Hash: d5a3e6915c2443c119e2f7b06fdfb3edc8c7c7ab2aebf83861ea60815ea7c0a0
Instruction Fuzzy Hash: 59010876100A00AF97619F46D980C23FBFAFF88720345855EE98A4BA22C772F851DF60

Function 0102D894 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901790012.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_102d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 360359eac1a3d7e20b6da4cfc55da3fa913ae026bf11310a64d8cdb81ecee9c7
Instruction ID: 4b2cd4b211f17347f32780df5b59634f75b98396deb248a2365455a3cbe4743f
Opcode Fuzzy Hash: 360359eac1a3d7e20b6da4cfc55da3fa913ae026bf11310a64d8cdb81ecee9c7
Instruction Fuzzy Hash: 6801E975104740AFD7268F55C940C62BFBAFF896207198589E9864BA22C672F812DB60

Function 0102DA04 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2901790012.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_102d000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac969039ec78e2a9dcf70924ef1c7b4a86737a70ab40e144d98359abd16a37d0
Instruction ID: fe1aaba880a6ef8f56b711423e7bcc97c8aeb603b3eaeda811d7708a3ba83db1
Opcode Fuzzy Hash: ac969039ec78e2a9dcf70924ef1c7b4a86737a70ab40e144d98359abd16a37d0
Instruction Fuzzy Hash: 0BF0C272008340AEEB208E19CC84B62FFD8EB40634F18C09AED480B286C378A844CBB0

Function 01120AB8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2902103662.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c17b467471af9c506e8db0aa6e3275756b69223e90d484894b071e5eb2e926
Instruction ID: a0d06fa28ec7efd55f0a3b2b054b85306c6ed270ab644a34875d2632f9f2b686
Opcode Fuzzy Hash: 66c17b467471af9c506e8db0aa6e3275756b69223e90d484894b071e5eb2e926
Instruction Fuzzy Hash: 00E092753093209FCB0657B8946519D3BA9EBCB624701845AE546CB381DF7E8C02C7E5

Function 01125E58 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2902103662.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771437c86df1a2037c573d66649674d348dceb9731e5e4485beff7e7c0aa3e39
Instruction ID: e2c1aae263138d14445c3fbd418890ebd2388b085b6a03a200e83851121fe894
Opcode Fuzzy Hash: 771437c86df1a2037c573d66649674d348dceb9731e5e4485beff7e7c0aa3e39
Instruction Fuzzy Hash: 9EE0DF70C1A3E58FCF978F3054462E6BFB6BF02206F82C0D7C5858A442DB3488A5CA52

Function 011207DB Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2902103662.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f28bd47cd07e7e3933ec9d105c8e9d4eb79ecc26a1021060da42397c835b842
Instruction ID: d3797daa585b4777457d683e190463061aab88f83f617af3911f2399af954a43
Opcode Fuzzy Hash: 6f28bd47cd07e7e3933ec9d105c8e9d4eb79ecc26a1021060da42397c835b842
Instruction Fuzzy Hash: B5E0823146D3C88FC3039B70AC985403FB8EA1B21070A02EBC0C4CB063D2A9681ADBA2

Function 01120AC8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2902103662.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e597b7773e553648ff968926a664c4d1ac50e910a952cdba7af5f525d4d52dd
Instruction ID: 70043dd957020b52e086a749fe36d61e2ab6265128a4c5581f16d04a1a1d3e59
Opcode Fuzzy Hash: 0e597b7773e553648ff968926a664c4d1ac50e910a952cdba7af5f525d4d52dd
Instruction Fuzzy Hash: 0BD05E3570162497CA0927BDA0682AD364EEBCA625B004429EA47C7380CF7E9C02C7E9

Function 01127D9B Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2902103662.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 679bde044c40afe438e48265fbcb072bc07ea001b35ccfcca81e97ee9db1751d
Instruction ID: 3a6592b86d34c6861e6a557a12ec7fbcf75d839dadca741308cf395b220df621
Opcode Fuzzy Hash: 679bde044c40afe438e48265fbcb072bc07ea001b35ccfcca81e97ee9db1751d
Instruction Fuzzy Hash: 79D05230A00148EFCB09DFB0EA054AD7BF1EB0820170045AAE88AD3200EA304E15CA00

Function 01125E68 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2902103662.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0de7738c01815e35b129fb56dc6cca89d68f4df4c115bb06aaca488911bb76f
Instruction ID: c6401450603b425ea05d07ec67c0c74fc087bbe110b533e9ff2664bfc3568122
Opcode Fuzzy Hash: a0de7738c01815e35b129fb56dc6cca89d68f4df4c115bb06aaca488911bb76f
Instruction Fuzzy Hash: D3C01270B081704FEF9D462C44443F7E9E3AB84701BC0C4A8E10AC6250DF26C8D185A2

Function 01126940 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2902103662.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e07583e2b1c09a664282009319749e2c13e17f787007affeae29f1d4f8d3cc11
Instruction ID: 310c9de307b84f4012d23cd340b2929a0f536b65de62df9c70a0a5a5a6cd692a
Opcode Fuzzy Hash: e07583e2b1c09a664282009319749e2c13e17f787007affeae29f1d4f8d3cc11
Instruction Fuzzy Hash: 16C012B19447968FC603ABA4E69A2403F75AB4831AB048DA3F109CB61AEA7448468B00

Function 01126950 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2902103662.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57192f96194a955bbe4b836c6c6ecdd6d28d2eb3c5f7c1b19b799c55b0f86338
Instruction ID: 167601135c4ea5660b4087dcdb9f8389b2042bf35cc5a84d1d7daeb1e41aaeec
Opcode Fuzzy Hash: 57192f96194a955bbe4b836c6c6ecdd6d28d2eb3c5f7c1b19b799c55b0f86338
Instruction Fuzzy Hash: 58B01230044B1E4FC5007798F846504375DE680B0AB404E21B00C465096E65AC514784

Function 01120850 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2902103662.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1120000_WaveInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 258a9e0e268d7e8d30852b39b9dc11e753865b50d734fab9e073a02520622d36
Instruction ID: 810072bd7b238e9e2d9efa590daee8753aab82e5c2228425b36cdb9b307bd1be
Opcode Fuzzy Hash: 258a9e0e268d7e8d30852b39b9dc11e753865b50d734fab9e073a02520622d36
Instruction Fuzzy Hash: 7F900231444A0DCB46502F957409555775CA5485157840051A58D855055A5A641456DA

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WaveInstaller.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: WaveInstaller.exePID: 7348, Parent PID: 2580

General

Chronological Activities

Disassembly

Analysis Process: WaveInstaller.exePID: 7348, Parent PID: 2580COMMON

Executed Functions

Function 01122319 Relevance: 5.5, Strings: 4, Instructions: 544COMMON

Function 01126A28 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Windows Analysis Report
WaveInstaller.exe