hxxps://cdn[.]discordapp[.]com/attachments/1265453420102287371/1265695217315610716/wave-crack[.]zip?ex=66b43e47&is=66b2ecc7&hm=91b013bf59e72d4acfae07cbc9f57426981a09a6f4cd3c8cebf82aa0dfcd5583&

Analysis

max time kernel
1680s
max time network
1684s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
07-08-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1265453420102287371/1265695217315610716/wave-crack.zip?ex=66b43e47&is=66b2ecc7&hm=91b013bf59e72d4acfae07cbc9f57426981a09a6f4cd3c8cebf82aa0dfcd5583&

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\wave-crack.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2480	msedge.exe
2480	msedge.exe
744	msedge.exe
744	msedge.exe
2312	msedge.exe
2312	msedge.exe
3712	identity_helper.exe
3712	identity_helper.exe
4468	msedge.exe
4468	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 4924	744	msedge.exe	79
PID 744 wrote to memory of 4924	744	msedge.exe	79
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 4596	744	msedge.exe	80
PID 744 wrote to memory of 2480	744	msedge.exe	81
PID 744 wrote to memory of 2480	744	msedge.exe	81
PID 744 wrote to memory of 2292	744	msedge.exe	82
PID 744 wrote to memory of 2292	744	msedge.exe	82
PID 744 wrote to memory of 2292	744	msedge.exe	82
PID 744 wrote to memory of 2292	744	msedge.exe	82
PID 744 wrote to memory of 2292	744	msedge.exe	82
PID 744 wrote to memory of 2292	744	msedge.exe	82
PID 744 wrote to memory of 2292	744	msedge.exe	82
PID 744 wrote to memory of 2292	744	msedge.exe	82
PID 744 wrote to memory of 2292	744	msedge.exe	82
PID 744 wrote to memory of 2292	744	msedge.exe	82
PID 744 wrote to memory of 2292	744	msedge.exe	82
PID 744 wrote to memory of 2292	744	msedge.exe	82
PID 744 wrote to memory of 2292	744	msedge.exe	82
PID 744 wrote to memory of 2292	744	msedge.exe	82
PID 744 wrote to memory of 2292	744	msedge.exe	82
PID 744 wrote to memory of 2292	744	msedge.exe	82
PID 744 wrote to memory of 2292	744	msedge.exe	82
PID 744 wrote to memory of 2292	744	msedge.exe	82
PID 744 wrote to memory of 2292	744	msedge.exe	82
PID 744 wrote to memory of 2292	744	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1265453420102287371/1265695217315610716/wave-crack.zip?ex=66b43e47&is=66b2ecc7&hm=91b013bf59e72d4acfae07cbc9f57426981a09a6f4cd3c8cebf82aa0dfcd5583&
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe42c73cb8,0x7ffe42c73cc8,0x7ffe42c73cd8
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1752,1492559089789906038,5101382284493335362,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1752,1492559089789906038,5101382284493335362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1752,1492559089789906038,5101382284493335362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2432 /prefetch:8
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,1492559089789906038,5101382284493335362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,1492559089789906038,5101382284493335362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,1492559089789906038,5101382284493335362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,1492559089789906038,5101382284493335362,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,1492559089789906038,5101382284493335362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1928 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,1492559089789906038,5101382284493335362,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,1492559089789906038,5101382284493335362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1752,1492559089789906038,5101382284493335362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1752,1492559089789906038,5101382284493335362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6268 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1752,1492559089789906038,5101382284493335362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1752,1492559089789906038,5101382284493335362,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5848 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b4ae6009e2df12ce252d03722e8f4288

SHA1
44de96f65d69cbae416767040f887f68f8035928

SHA256
7778069a1493fdb62e6326ba673f03d9a8f46bc0eea949aabbbbc00dcdaddf9d

SHA512
bb810721e52c77793993470692bb2aab0466f13ed4576e4f4cfa6bc5fcfc59c13552299feb6dfd9642ea07b19a5513d90d0698d09ca1d15e0598133929c05fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4bf4b59c3deb1688a480f8e56aab059d

SHA1
612c83e7027b3bfb0e9d2c9efad43c5318e731bb

SHA256
867ab488aa793057395e9c10f237603cfb180689298871cdf0511132f9628c82

SHA512
2ec6c89f9653f810e9f80f532abaff2a3c0276f6d299dce1b1eadf6a59e8072ed601a4f9835db25d4d2610482a00dd5a0852d0ef828678f5c5ed33fe64dddca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f85fd49e16196896585fce3fb278e4d4

SHA1
cee793cf170f879fdc90d624178e146c40e56c97

SHA256
6ac48cb9738d5a7a4f846ddafc76b54ccebd78d7447eb0bd2de9fe08eadcf165

SHA512
775e45a871897f047a06ca0ace5a0dbce68992dd58163fdeca626c0b674def1862702c43252c23d2abe26a0cb34087293f6cbaa57013bf78cc479b4b021d65cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
502230e1fa6982d4784d36e1b733deea

SHA1
dfa1ada8c8c63003e51a3ed43a6901ae4530e187

SHA256
9ce6faed88c9bbce9c25bda7db40c743bcee1dfde8162ba3c8b170f277684423

SHA512
e300b4a12a27adc1693b7cb7304b7714e8fad2552ab381ee7b2467b3dca8b862f239e65f30bef85844e1acb00452a9a5ba5790ef7fa9150914cdaa293df4ebb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
72a52a70e7e434177ca2834e3ceeb36c

SHA1
79aa5b5d4d115b7fd03416b86c0a8298ab36044f

SHA256
e42dd21a7657540f67a02dfa09fb3fcf52b7e5133af8cb0678398eb06e3b9ef1

SHA512
cd78221f5c369643933be716594e1a357f7ce7436dde85a734b7b8f40574201d2410d2ee2ae37d80c0b3304384e2f5d1e73a0518a7b4460a502568ad392ffb71

Download Submit
C:\Users\Admin\Downloads\wave-crack.zip

Filesize
14.0MB

MD5
d019aeb1083489eb74966c22135a994c

SHA1
fc46905adc87de7514f3c7e2d362777407b80aaa

SHA256
f9d82cf6982aa8048ea57431bcd865fa1caa8e63cd630422845d4fbc85f58c31

SHA512
a26cbed9c2ba123859739e8b9d55ac11f5cfbd90302b3ad26c430571ab695276d14d3ad4c9885ae80360d7fae74a0d5e623bd945e68a683c28c4681d0c1ef5be

Download Submit
C:\Users\Admin\Downloads\wave-crack.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit