Analysis
-
max time kernel: 68s
max time network: 78s
platform: windows10-2004_x64
resource: win10v2004-20231025-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231025-en locale:en-us os:windows10-2004-x64 system
submitted: 02-11-2023 12:49
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://1drv.ms/p/s!BOUMMcI-YzvKdb9P4lMFZ7iKSBk?e=-JphxUzSPU-AHnkDW916oA&at=9
Resource: win10v2004-20231025-en
General
-
Target: https://1drv.ms/p/s!BOUMMcI-YzvKdb9P4lMFZ7iKSBk?e=-JphxUzSPU-AHnkDW916oA&at=9
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | POWERPNT.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | POWERPNT.EXE
-
Enumerates system info in registry 2 TTPs 9 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | POWERPNT.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | POWERPNT.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | POWERPNT.EXE
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
228 | POWERPNT.EXE
1460 | POWERPNT.EXE
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
4368 | msedge.exe (2 entries)
1564 | msedge.exe (2 entries)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid | Process
1564 | msedge.exe (3 entries)
-
Suspicious use of FindShellTrayWindow 26 IoCs
pid | Process
1564 | msedge.exe (26 repeated entries)
-
Suspicious use of SendNotifyMessage 24 IoCs
pid | Process
1564 | msedge.exe (24 repeated entries)
-
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
228 | POWERPNT.EXE (4 entries)
1460 | POWERPNT.EXE (8 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1564 wrote to memory of 4748 | 1564 | msedge.exe | 45
PID 1564 wrote to memory of 3712 | 1564 | msedge.exe | 87
PID 1564 wrote to memory of 4368 | 1564 | msedge.exe | 88
PID 1564 wrote to memory of 4072 | 1564 | msedge.exe | 89
(64 write events in total; identical repeated rows collapsed to one row per target process)
Processes
-
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://1drv.ms/p/s!BOUMMcI-YzvKdb9P4lMFZ7iKSBk?e=-JphxUzSPU-AHnkDW916oA&at=9
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1564
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe935f46f8,0x7ffe935f4708,0x7ffe935f4718
    PID:4748
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,569580680144104456,6035260241987653755,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
    PID:3712
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,569580680144104456,6035260241987653755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID:4368
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,569580680144104456,6035260241987653755,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
    PID:4072
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,569580680144104456,6035260241987653755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    PID:4040
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,569580680144104456,6035260241987653755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
    PID:3492
-
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,569580680144104456,6035260241987653755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
    PID:2168
-
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:1508
-
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:4864
-
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\ConvertFromBlock.ppsx" /ou ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:228
-
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\PopGet.ppsx" /ou ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1460
Network
MITRE ATT&CK Enterprise v15
Downloads