Windows Analysis Report
WaveInstaller.exe

Overview

General Information

Sample name: WaveInstaller.exe
Analysis ID: 1502445
MD5: 215d509bc217f7878270c161763b471e
SHA1: bfe0a2580d54cfa28d3ff5ef8dc754fdc73adcd9
SHA256: 984dfc64c10f96c5350d6d9216a5d7abfece1658dfc93925f7a6b0c80817c886
Tags: exe
Infos:

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
Uses Windows timers to delay execution
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Potential time zone aware malware
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://cdn.getwave.gg/bootstrapper/WaveWindows.exe-Wave Avira URL Cloud: Label: malware
Source: https://cdn.getwave.gg/bootstrapper/WaveWindows.exeio Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: https://cdn.getwave.gg/bootstrapper/WaveWindows.exe-Wave Virustotal: Detection: 11% Perma Link
Multi AV Scanner detection for submitted file
Source: WaveInstaller.exe ReversingLabs: Detection: 31%
Source: WaveInstaller.exe Virustotal: Detection: 44% Perma Link
Uses 32bit PE files
Source: WaveInstaller.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: WaveInstaller.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\imaxi\Desktop\WaveInstaller\obj\Release\WaveInstaller.pdb source: WaveInstaller.exe
Source: Binary string: costura.costura.pdb.compressed source: WaveInstaller.exe
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: WaveInstaller.exe
Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed source: WaveInstaller.exe
Source: WaveInstaller.exe String found in binary or memory: https://cdn.getwave.gg/bootstrapper/WaveWindows.exe-Wave
Source: WaveInstaller.exe, 00000000.00000002.2895806482.00000000031A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.getwave.gg/bootstrapper/WaveWindows.exeio
Source: WaveInstaller.exe, 00000000.00000002.2895806482.00000000031A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Common.124.3.8.rar
Source: WaveInstaller.exe String found in binary or memory: https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Common.124.3.8.rar1CefSharp.Wpf.124.3.8.rar
Source: WaveInstaller.exe String found in binary or memory: https://github.com/dxgi/wave-binaries/raw/main/CefSharp.Wpf.124.3.8.rar
Source: WaveInstaller.exe String found in binary or memory: https://github.com/dxgi/wave-binaries/raw/main/Luau-x64.rar
Source: WaveInstaller.exe String found in binary or memory: https://github.com/dxgi/wave-binaries/raw/main/Wave-x64.rar
Source: WaveInstaller.exe, 00000000.00000002.2895806482.00000000031A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.nuget.org/api/v2/package/chromiumembeddedframework.runtime.win-x86/124.3.8
Source: WaveInstaller.exe String found in binary or memory: https://www.nuget.org/api/v2/package/chromiumembeddedframework.runtime.win-x86/124.3.87CefSharp.Comm
Sample file is different than original file name gathered from version info
Source: WaveInstaller.exe, 00000000.00000002.2894838722.000000000133E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs WaveInstaller.exe
Uses 32bit PE files
Source: WaveInstaller.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: WaveInstaller.exe, MainWindow.cs Suspicious URL: 'https://www.nuget.org/api/v2/package/chromiumembeddedframework.runtime.win-x86/124.3.8'
Source: classification engine Classification label: mal76.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\WaveInstaller.exe Mutant created: NULL
Source: WaveInstaller.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WaveInstaller.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\WaveInstaller.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: WaveInstaller.exe ReversingLabs: Detection: 31%
Source: WaveInstaller.exe Virustotal: Detection: 44%
Source: WaveInstaller.exe String found in binary or memory: :includes/images/installer.png0includes/images/logo.png
Source: WaveInstaller.exe String found in binary or memory: Includes/Images/Installer.png
Source: WaveInstaller.exe String found in binary or memory: The installation process will take some time. Sit back, relax and let this process finish. Please do not turn off your computer.-Installation Completed
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: msvcp140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: d3d9.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: msctfui.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: uiautomationcore.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Section loaded: d3dcompiler_47.dll Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\WaveInstaller.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: WaveInstaller.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: WaveInstaller.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: WaveInstaller.exe Static file information: File size 2377216 > 1048576
Source: WaveInstaller.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x210c00
Source: WaveInstaller.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: WaveInstaller.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\imaxi\Desktop\WaveInstaller\obj\Release\WaveInstaller.pdb source: WaveInstaller.exe
Source: Binary string: costura.costura.pdb.compressed source: WaveInstaller.exe
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: WaveInstaller.exe
Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed source: WaveInstaller.exe

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: WaveInstaller.exe, AssemblyLoader.cs .Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Yara detected Costura Assembly Loader
Source: Yara match File source: WaveInstaller.exe, type: SAMPLE
Source: Yara match File source: 0.0.WaveInstaller.exe.b80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1637430102.0000000000B82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2895806482.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: WaveInstaller.exe PID: 7464, type: MEMORYSTR
Binary contains a suspicious time stamp
Source: WaveInstaller.exe Static PE information: 0x8C34F576 [Sat Jul 16 11:22:30 2044 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\WaveInstaller.exe Code function: 0_2_018A4442 push esp; retf 0_2_018A4451
Source: C:\Users\user\Desktop\WaveInstaller.exe Code function: 0_2_018A1762 pushfd ; iretd 0_2_018A1779
Source: C:\Users\user\Desktop\WaveInstaller.exe Code function: 0_2_018A3F7A pushad ; iretd 0_2_018A3F89
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Uses Windows timers to delay execution
Source: C:\Users\user\Desktop\WaveInstaller.exe User Timer Set: Timeout: 125ms Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe User Timer Set: Timeout: 10ms Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe User Timer Set: Timeout: 1ms Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe User Timer Set: Timeout: 985ms Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe User Timer Set: Timeout: 1ms Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe User Timer Set: Timeout: 125ms Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe User Timer Set: Timeout: 1ms Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe User Timer Set: Timeout: 1ms Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe User Timer Set: Timeout: 1ms Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\WaveInstaller.exe Memory allocated: 15E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Memory allocated: 31A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Memory allocated: 2FA0000 memory reserve | memory write watch Jump to behavior
Potential time zone aware malware
Source: C:\Users\user\Desktop\WaveInstaller.exe System information queried: CurrentTimeZoneInformation Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\WaveInstaller.exe Memory allocated: page read and write | page guard Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\WaveInstaller.exe Queries volume information: C:\Users\user\Desktop\WaveInstaller.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WaveInstaller.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1502445 Sample: WaveInstaller.exe Startdate: 01/09/2024 Architecture: WINDOWS Score: 76 8 Multi AV Scanner detection for domain / URL 2->8 10 Antivirus detection for URL or domain 2->10 12 Multi AV Scanner detection for submitted file 2->12 14 2 other signatures 2->14 5 WaveInstaller.exe 2 2->5         started        process3 signatures4 16 Uses Windows timers to delay execution 5->16
No contacted IP infos