Analysis
  max time kernel:   1680s
  max time network:  1789s
  platform:          windows11-21h2_x64
  resource:          win11-20240709-en
  resource tags:     arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
  submitted:         10-07-2024 21:07

  Static task:       static1
  URLScan task:      urlscan1
  Behavioral task:   behavioral1
    Sample:          https://key.getwave.gg/
    Resource:        win11-20240709-en

General
  Target: https://key.getwave.gg/
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   process              occurrences
  2216  msedge.exe           2
  5044  msedge.exe           2
  1376  identity_helper.exe  2
  3168  msedge.exe           2
  1952  msedge.exe           4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid   process     occurrences
  5044  msedge.exe  6

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid   process     occurrences
  5044  msedge.exe  25

Suspicious use of SendNotifyMessage (12 IoCs)
  pid   process     occurrences
  5044  msedge.exe  12

Suspicious use of WriteProcessMemory (64 IoCs)
  description                       pid   process     target process  occurrences
  PID 5044 wrote to memory of 3468  5044  msedge.exe  msedge.exe      2
  PID 5044 wrote to memory of 4460  5044  msedge.exe  msedge.exe      40
  PID 5044 wrote to memory of 2216  5044  msedge.exe  msedge.exe      2
  PID 5044 wrote to memory of 2172  5044  msedge.exe  msedge.exe      20
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://key.getwave.gg/
  PID: 5044
  Signatures:
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff58633cb8,0x7fff58633cc8,0x7fff58633cd8
    PID: 3468

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,163142599126475409,1404053899051272710,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1832 /prefetch:2
    PID: 4460

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,163142599126475409,1404053899051272710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:3
    PID: 2216
    Signatures:
      - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,163142599126475409,1404053899051272710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
    PID: 2172

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,163142599126475409,1404053899051272710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
    PID: 780

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,163142599126475409,1404053899051272710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    PID: 344

  C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,163142599126475409,1404053899051272710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
    PID: 1376
    Signatures:
      - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1856,163142599126475409,1404053899051272710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 /prefetch:8
    PID: 3168
    Signatures:
      - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,163142599126475409,1404053899051272710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
    PID: 564

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,163142599126475409,1404053899051272710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
    PID: 568

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,163142599126475409,1404053899051272710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
    PID: 4388

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,163142599126475409,1404053899051272710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1864 /prefetch:1
    PID: 4428

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,163142599126475409,1404053899051272710,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2520 /prefetch:2
    PID: 1952
    Signatures:
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1376

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 5112

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
  PID: 1900
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 152B
  MD5:      c0f062e1807aca2379b4e5a1e7ffbda8
  SHA1:     076c2f58dfb70eefb6800df6398b7bf34771c82d
  SHA256:   f80debea5c7924a92b923901cd2f2355086fe0ce4be21e575d3d130cd05957ca
  SHA512:   24ae4ec0c734ef1e1227a25b8d8c4262b583de1101f2c9b336ac67d0ce9b3de08f2b5d44b0b2da5396860034ff02d401ad739261200ae032daa4f5085c6d669e

File 2
  Filesize: 152B
  MD5:      6f3725d32588dca62fb31e116345b5eb
  SHA1:     0229732ae5923f45de70e234bae88023521a9611
  SHA256:   b81d7e414b2b2d039d3901709a7b8d2f2f27133833ecf80488ba16991ce81140
  SHA512:   31bacf4f376c5bad364889a16f8ac61e5881c8e45b610cc0c21aa88453644524525fd4ccf85a87f73c0565c072af857e33acffbbca952df92fedddd21f169325

File 3
  Path:     C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 72B
  MD5:      b37a000418a289b62e1686b34900a104
  SHA1:     9b69876452dce0d230c49e2fdd559c2c85ee9068
  SHA256:   d38d23f99f549d1a2067b47966eadf694d2449765f53ebbac314368499735725
  SHA512:   4ea129f48449eaabbcb89552b70c76480ce8fd1cab261b0b3729d9a77fbc95798c6a939f503dfdd8e94f4698ed53484c3c49e5581533b975ffbe5cdf6d34fb05

File 4
  Filesize: 655B
  MD5:      de354a77e0e3a5d459559aab8e24fd9f
  SHA1:     21ad974283fa7599f7063fd39414e1c8a089c8e5
  SHA256:   5cfa8f2c8714669d5a36858c52d06f8a08d5e08eac3640b21a2798cb03cddfdd
  SHA512:   0a4230df565ab347425a4f1ae5bf45f3e3e6d4729fbd07c992a69de50da526a4306a7415cc84238c9f956283e95922aa7f638bc951c050ff3105619d8088fc71

File 5
  Filesize: 182B
  MD5:      80cab8c4fc68ab237dcd54c0596bca34
  SHA1:     9f4b81dfca2bc093f7c805ebda26593166475308
  SHA256:   70d52665ea3389a62a9cacd16d360eea62a8757c6c35140fe4d1778811c68ae9
  SHA512:   e7e4f463545d3acfd1a397760722326d86974e0f404fe0cda674a9cfa998856ca1b7d3e67591502fd42c5a70050e45f525aa7cdc794f0c95541b7f19d6c49a71

File 6
  Filesize: 5KB
  MD5:      4245c6cf6937c99d46913e3081b7333b
  SHA1:     f227712a10f4817e553c98350cb74fa1e7cfd757
  SHA256:   8c3a6d2ffb29ea54d8c428e94083da9333a96909d329331bc690937d0cdf0a2b
  SHA512:   30476eb1b918fe18be54793da9a3ba60cf56684ec20cbe8375dee04b83db8653be18219c9a39e6d32d8ee7581c8f6d721227f82d5ef018b76932af8281923a26

File 7
  Filesize: 6KB
  MD5:      2216b8eef46362803646f43eba5193f4
  SHA1:     0d829ff38f089df73cec42f3c457207ef5ae46e7
  SHA256:   54c1be4d5510e32cb0cd9598e219bd0fe273395c4606eca52d2250bd9cdc7563
  SHA512:   bed2153e0a8c1a10bea0f4ad1f9fa2ffa6ec6605e0be9fc97c60de4a92b90bdf91507ff0bceaff5efaf32c8300200083bb4480a607df7c97f8c8b14af1d7e154

File 8
  Path:     C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b0889f85-0fbb-4c37-9551-06ef74c9822a.tmp
  Filesize: 5KB
  MD5:      34c2c4dfa2343517ffd5b4f336851f2c
  SHA1:     6e060de9b4367161fec86150691fa7b67dd1074b
  SHA256:   97407f1e7d3502b4379317b9252d1bf584e101ae6ec43ba44d8c65fe6a0fb43d
  SHA512:   26b4af326dfbcb2402e004e45ca9a551ea65d986ae111b9790acdbdda2fc6a04f8397d38840b05f576620a2844e895c8c4bc70ce00b0ba958f1c54f9f1e8ef7d

File 9
  Filesize: 16B
  MD5:      6752a1d65b201c13b62ea44016eb221f
  SHA1:     58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256:   0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512:   9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

File 10
  Filesize: 11KB
  MD5:      38c79ad5e55abfb01460fa10674eb8cc
  SHA1:     9168997632024b6891043dced0f062bb49201ec3
  SHA256:   cb2925c7219919b38f50a8b9a10f13d4b1576bd1a4879b664d9084e940a40b03
  SHA512:   10ebac444d083dd05fd628da210cb2449b1b74ecf1dfd282f4e2b7710ac68dcbb0b703e48b6f1677cf66e80c9ba0c066ba65de9a3d3b01b9d0016b6813575460

File 11
  Filesize: 11KB
  MD5:      77184cfdcd71993947e475478caed6fc
  SHA1:     1d6958a673cbb2c072f3a6abfb36836fe08c8085
  SHA256:   c0dd8efbf333a02f76a9a78e4864dcb686169d0776f9c84282961db4550f5d70
  SHA512:   ec8c9b2abacda5a94b1827369b8913c53de10405b993ed342f0ea450689bacfeb264e2cbd2cfb77df727403578a915b3ca60ac21d8c6ea1eb92045847c5dcb80

File 12 (no filesize recorded; these are the well-known digests of a zero-length file)
  MD5:      d41d8cd98f00b204e9800998ecf8427e
  SHA1:     da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256:   e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512:   cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e