hxxps://getwave[.]gg[.]com

Analysis

max time kernel
240s
max time network
285s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
03-07-2024 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://getwave.gg.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3796	msedge.exe
3796	msedge.exe
2284	msedge.exe
2284	msedge.exe
1920	msedge.exe
1920	msedge.exe
2096	identity_helper.exe
2096	identity_helper.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 4012	2284	msedge.exe	79
PID 2284 wrote to memory of 4012	2284	msedge.exe	79
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 1620	2284	msedge.exe	80
PID 2284 wrote to memory of 3796	2284	msedge.exe	81
PID 2284 wrote to memory of 3796	2284	msedge.exe	81
PID 2284 wrote to memory of 1468	2284	msedge.exe	82
PID 2284 wrote to memory of 1468	2284	msedge.exe	82
PID 2284 wrote to memory of 1468	2284	msedge.exe	82
PID 2284 wrote to memory of 1468	2284	msedge.exe	82
PID 2284 wrote to memory of 1468	2284	msedge.exe	82
PID 2284 wrote to memory of 1468	2284	msedge.exe	82
PID 2284 wrote to memory of 1468	2284	msedge.exe	82
PID 2284 wrote to memory of 1468	2284	msedge.exe	82
PID 2284 wrote to memory of 1468	2284	msedge.exe	82
PID 2284 wrote to memory of 1468	2284	msedge.exe	82
PID 2284 wrote to memory of 1468	2284	msedge.exe	82
PID 2284 wrote to memory of 1468	2284	msedge.exe	82
PID 2284 wrote to memory of 1468	2284	msedge.exe	82
PID 2284 wrote to memory of 1468	2284	msedge.exe	82
PID 2284 wrote to memory of 1468	2284	msedge.exe	82
PID 2284 wrote to memory of 1468	2284	msedge.exe	82
PID 2284 wrote to memory of 1468	2284	msedge.exe	82
PID 2284 wrote to memory of 1468	2284	msedge.exe	82
PID 2284 wrote to memory of 1468	2284	msedge.exe	82
PID 2284 wrote to memory of 1468	2284	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://getwave.gg.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ff8c10c3cb8,0x7ff8c10c3cc8,0x7ff8c10c3cd8
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,6339812250285992435,11087709102671280311,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,6339812250285992435,11087709102671280311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,6339812250285992435,11087709102671280311,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6339812250285992435,11087709102671280311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6339812250285992435,11087709102671280311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6339812250285992435,11087709102671280311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6339812250285992435,11087709102671280311,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,6339812250285992435,11087709102671280311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6339812250285992435,11087709102671280311,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,6339812250285992435,11087709102671280311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6339812250285992435,11087709102671280311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
  2⤵
  PID:992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6339812250285992435,11087709102671280311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6339812250285992435,11087709102671280311,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,6339812250285992435,11087709102671280311,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,6339812250285992435,11087709102671280311,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4836 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e4bf11ed97b6b312e938ca216cf30e

SHA1
ff6b0b475e552dc08a2c81c9eb9230821d3c8290

SHA256
296db8c9361efb62e23be1935fd172cfe9fbcd89a424f34f347ec3cc5ca5afad

SHA512
ce1a05df2619af419ed3058dcbd7254c7159d333356d9f1d5e2591c19e17ab0ac9b6d3e625e36246ad187256bee75b7011370220ef127c4f1171879014d0dd76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
23da8c216a7633c78c347cc80603cd99

SHA1
a378873c9d3484e0c57c1cb6c6895f34fee0ea61

SHA256
03dbdb03799f9e37c38f6d9d498ad09f7f0f9901430ff69d95aa26cae87504d3

SHA512
d34ae684e8462e3f2aba2260f2649dee01b4e2138b50283513c8c19c47faf039701854e1a9cbf21d7a20c28a6306f953b58ffb9144ead067f5f73650a759ff17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
2eae8f371a663acacf22fc5ac5a82b50

SHA1
8f4b770bdde953efe4daae7a65a8a6f2d06e8e60

SHA256
9c0a6be5b1429d78e0cf7555cec5166cb2e61a8f19214e091c74de8d7d9f713f

SHA512
d815ed1ee208bcabc54a5489ffa90ee6fe00fb247bea8179a9714721daf2ddd23c743e7cbefa00e76ba1f2fd0cd5580903843f120b5cec7be3ead8fbaee627af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
89a9d68fed26df43abdbeeb3aaba904f

SHA1
36f0487c57b4f28788696fb1c5c3a5826fe4911c

SHA256
ecafb417805c7b0a09eb04a466df91e9b976711fc296169663d2a3ab8de1571e

SHA512
b7e642616b6c3f30b1aeea83cbeef4d0ff28d01b03e6027d6fbf9a81c6792597431f6ba4e72a6ce7e71c9874d44a473d46073f17e93268612be4f22b54b896f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3201f96727793b7e6c12725742b99228

SHA1
7c412a84021efa12591943612acc727dabeb5626

SHA256
d4c18b034d3c8c4067421d13531d3bd9cd38d6627b2257bba647006c2ee1eb11

SHA512
91c053878f0db07aa53c424b12c35d605b8f404feb1a15368c3b1abc4ace718be7e13c48720f788bd4a8d9125b8bae8a55a9c3e12c7ea46ac3e4c68876bc9dd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
014852c6dc711933daf47d6bad0fcb61

SHA1
0a274170a4acfb2838801aa0f9dfebb712fd96e9

SHA256
cd00bdfb5949f0406ebbe0edbce9bac86bd7452aad54fe650d6b520d26cc67b7

SHA512
e9fca8d3401f8f843002cc6d6fa6e8f4c5adb75b046c10c2cc82db6902159fbf3e6d52057742e95a91b081f5ec7c603b2b50748c7918513a4b32af3757af5fd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
50b9a5acb59b6b3e087945b292efc56c

SHA1
24721a11066bb1bae738ebf00793c1dbb4a9968d

SHA256
da0647d636e9407a9cab450001490484cf866a8b77b7268d8d5d7d67f5bf24d4

SHA512
e55d4eebb121399ce93543551b45813bad004deb4bfda01b21da2e8152f5f0f0f99eecbea1013ee126497b07fb6390caed6e7f68cf9afeeecda02ebe31e32ffa

Download Submit