Overview

overview

6

Static

static

3

Drives.exe

windows7-x64

6

Drives.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/05/2024, 13:49

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Drives.exe

  • Size

    98KB

  • MD5

    f2511c5d9f605b9b65df1f61fd721dc5

  • SHA1

    7febb0e6d1f389f9b1f96e5cf73c404eb904100e

  • SHA256

    2513c9d51c454122b7038c444d44b88840b405fb4b0ec2be41eb48232e0878af

  • SHA512

    0cd12d236750cc7d04940a5f83537742eb3a2becd6e5f2875c06137ebcf90a83c1f218e8f59db5e6c1bd12e647d1d757a79e861b2b4c2161f13864ea788f8297

  • SSDEEP

    1536:S8hrA+e8LqjsgExLhIGZcgFq5LZ7qKw1hA4a:S4A+e8Lqo/xLdVFq517qKchA4

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Drives.exe
    "C:\Users\Admin\AppData\Local\Temp\Drives.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4860
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c getmac>GuiKeyChoQuyen.txt
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Windows\system32\getmac.exe
        getmac
        3⤵
          PID:1856
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.com/invite/jjQ2KApzp3
        2⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3376
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa0ed646f8,0x7ffa0ed64708,0x7ffa0ed64718
          3⤵
            PID:3244
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,15227386087849529948,13073865867969432263,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
            3⤵
              PID:4852
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,15227386087849529948,13073865867969432263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:3468
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,15227386087849529948,13073865867969432263,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
              3⤵
                PID:336
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15227386087849529948,13073865867969432263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
                3⤵
                  PID:2816
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15227386087849529948,13073865867969432263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
                  3⤵
                    PID:4472
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15227386087849529948,13073865867969432263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
                    3⤵
                      PID:3160
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,15227386087849529948,13073865867969432263,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4796 /prefetch:8
                      3⤵
                        PID:2392
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2136,15227386087849529948,13073865867969432263,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4820 /prefetch:8
                        3⤵
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        PID:5092
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,15227386087849529948,13073865867969432263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
                        3⤵
                          PID:4340
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,15227386087849529948,13073865867969432263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
                          3⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:748
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15227386087849529948,13073865867969432263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
                          3⤵
                            PID:3356
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15227386087849529948,13073865867969432263,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
                            3⤵
                              PID:3880
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15227386087849529948,13073865867969432263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
                              3⤵
                                PID:4188
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15227386087849529948,13073865867969432263,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
                                3⤵
                                  PID:4560
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:896
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:2904

                                Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                        Filesize

                                        152B

                                        MD5

                                        612a6c4247ef652299b376221c984213

                                        SHA1

                                        d306f3b16bde39708aa862aee372345feb559750

                                        SHA256

                                        9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

                                        SHA512

                                        34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                        Filesize

                                        152B

                                        MD5

                                        56641592f6e69f5f5fb06f2319384490

                                        SHA1

                                        6a86be42e2c6d26b7830ad9f4e2627995fd91069

                                        SHA256

                                        02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

                                        SHA512

                                        c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                        Filesize

                                        840B

                                        MD5

                                        79e4e9d618ae8d42e3514f09ad4f64dc

                                        SHA1

                                        09a06ca019c730cba187c46f375df9a69abe090e

                                        SHA256

                                        fd51a07e74e92b17f4751b57c6aeee925907a1ae248a85ecaa13f9e12071379e

                                        SHA512

                                        0fe7580d3d6433fca94432d061c4ba459d42425f8287d486a986f3cb4d81066a815de5e86d44c1ec1ca9b7969afcfbae9ffa9d41075430f106607e4725e3a96b

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                        Filesize

                                        255B

                                        MD5

                                        ff9f825925f89085b6c4809612c14b39

                                        SHA1

                                        3cd291d4b9d7bfff93177f074aa75d7034ce0d4e

                                        SHA256

                                        118d159f05b7fb0b7424c2374470d9e77857047f4a0663e944e2363ecf04b0fa

                                        SHA512

                                        735ec4fd0c01534dd09a61b341ed00a0bbb7488c1e267d736041d96e0f6a62c8b4090ded41986464cf82b472831c6d10f9fbf688e20340f6c293ba5332e05d58

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                        Filesize

                                        5KB

                                        MD5

                                        79cb85ea7bb2f2a4d02c9d76b1eb15e1

                                        SHA1

                                        1b3362ad911e8c6224b1700172cbc204943d7566

                                        SHA256

                                        0ae7ee3c70f36e29a21c2d4bff955a25e7079bac62f7f0b2b073d97ae75d0e64

                                        SHA512

                                        c8a1a93ef7f32818aa477ea1b7aad743b7f03a02f9b601cfd0a3749e0bd050f97227835aee7a7489746485f8f782b7b6831356a8307d2f1a7a4ca328cb02c53e

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                        Filesize

                                        6KB

                                        MD5

                                        8d3ec2f3f84f1d86132701ee3a26109e

                                        SHA1

                                        9e6ef642a444c77b2daad7639ad2710e11c9721c

                                        SHA256

                                        b9cfc4a64d953e149a3b9aa371655fcf351486eff791227c33f0e00cf0c057fe

                                        SHA512

                                        2ea39408e61d526a686b652e2a362c07f3cbbbe51bcada13e98c67630485d8b73c81c6776b3b9b059470bdc156d5b8977bd1b5ee0df43922609ac93b75d143f5

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                        Filesize

                                        6KB

                                        MD5

                                        d4fb1c63faabbe2b07f6f718f98c0ccb

                                        SHA1

                                        8fbeebbfe5da4f197b73548d2ab2c1699c9b96b8

                                        SHA256

                                        5c22c010880699d163109675ca74ca60b8996693e23f9ca00b3062960ec23f5a

                                        SHA512

                                        e12abc9bc50731b3c8757e447fc2768f9e73c7690ff5cb8ae7270e88590e70802b6c82b1cf54d835adec22cb3173cc421b81307ad6627df9a5a0de1ff84e653e

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                        Filesize

                                        16B

                                        MD5

                                        6752a1d65b201c13b62ea44016eb221f

                                        SHA1

                                        58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                        SHA256

                                        0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                        SHA512

                                        9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                        Filesize

                                        11KB

                                        MD5

                                        f473b2adff37cf30ad007b639439972a

                                        SHA1

                                        d5855fb1c63369f7302c392baa649dd048c30b7a

                                        SHA256

                                        b15acecfbf4ca95dd5f987f23c71dbff7be0a5bead1a12b9c1bf006138d17756

                                        SHA512

                                        a7258ee4217a484faf6a93a93765a8a1e05a3432149aff4b2da99e4ff61d9d2654f4d059aa627d229b8e725275175168d13a2ed92e2c483a7a4eb101ba18033a

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\bce18291-e0d2-4fa3-91c3-c0b05e7db572.tmp
                                        Filesize

                                        11KB

                                        MD5

                                        ed5b7b7e64747dc40b406df357515d9f

                                        SHA1

                                        30771c0e3891d8f3d932b8d03613fe883123349a

                                        SHA256

                                        199ce1e733b4770d1d6946157c314122e40dfd4f534d76567e2f20c740481a9f

                                        SHA512

                                        2b8b389db2a385a37cd94f5c314829062421d179012ca2b81e912d9c173d41e1ad7254f32c6722840ae0008c53a70fc20542e5c4e26239881e4ffd80fb69a049

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\GuiKeyChoQuyen.txt
                                        Filesize

                                        242B

                                        MD5

                                        aad0db38433a15070b0cb18ec3b28034

                                        SHA1

                                        f5e4d94d1e3e23520003ad134cf0d145b8513fcf

                                        SHA256

                                        6d28e059a0997355fce3c022d8a55085f36aaea7e1f39e536059986fe771a9d2

                                        SHA512

                                        1ac6d84699cf3e472bfc9b345fe5b279a68fd4cb5808f16c7d3caffeefe030862c80d4bc3ca4fcd4ef550b57f4b2d4d9d6f9acd839c5f71dffb4f93d93f55f34

                                        Download Submit