hxxps://drive[.]google[.]com/drive/folders/1ih8Ut_A-Vulun4iuP2puKFzYhUIbHgO5?usp=sharing

Analysis

max time kernel
42s
max time network
42s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
08-07-2024 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1ih8Ut_A-Vulun4iuP2puKFzYhUIbHgO5?usp=sharing

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
7	drive.google.com
8	drive.google.com
9	drive.google.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2292	msedge.exe
2292	msedge.exe
3760	msedge.exe
3760	msedge.exe
2704	identity_helper.exe
2704	identity_helper.exe
4980	msedge.exe
4980	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3760 wrote to memory of 2012	3760	msedge.exe	80
PID 3760 wrote to memory of 2012	3760	msedge.exe	80
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 3520	3760	msedge.exe	82
PID 3760 wrote to memory of 2292	3760	msedge.exe	83
PID 3760 wrote to memory of 2292	3760	msedge.exe	83
PID 3760 wrote to memory of 4068	3760	msedge.exe	84
PID 3760 wrote to memory of 4068	3760	msedge.exe	84
PID 3760 wrote to memory of 4068	3760	msedge.exe	84
PID 3760 wrote to memory of 4068	3760	msedge.exe	84
PID 3760 wrote to memory of 4068	3760	msedge.exe	84
PID 3760 wrote to memory of 4068	3760	msedge.exe	84
PID 3760 wrote to memory of 4068	3760	msedge.exe	84
PID 3760 wrote to memory of 4068	3760	msedge.exe	84
PID 3760 wrote to memory of 4068	3760	msedge.exe	84
PID 3760 wrote to memory of 4068	3760	msedge.exe	84
PID 3760 wrote to memory of 4068	3760	msedge.exe	84
PID 3760 wrote to memory of 4068	3760	msedge.exe	84
PID 3760 wrote to memory of 4068	3760	msedge.exe	84
PID 3760 wrote to memory of 4068	3760	msedge.exe	84
PID 3760 wrote to memory of 4068	3760	msedge.exe	84
PID 3760 wrote to memory of 4068	3760	msedge.exe	84
PID 3760 wrote to memory of 4068	3760	msedge.exe	84
PID 3760 wrote to memory of 4068	3760	msedge.exe	84
PID 3760 wrote to memory of 4068	3760	msedge.exe	84
PID 3760 wrote to memory of 4068	3760	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/1ih8Ut_A-Vulun4iuP2puKFzYhUIbHgO5?usp=sharing
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff92c7b3cb8,0x7ff92c7b3cc8,0x7ff92c7b3cd8
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,618924852751077258,9320401041119625266,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,618924852751077258,9320401041119625266,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,618924852751077258,9320401041119625266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,618924852751077258,9320401041119625266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,618924852751077258,9320401041119625266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,618924852751077258,9320401041119625266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,618924852751077258,9320401041119625266,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,618924852751077258,9320401041119625266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,618924852751077258,9320401041119625266,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,618924852751077258,9320401041119625266,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,618924852751077258,9320401041119625266,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,618924852751077258,9320401041119625266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
  2⤵
  PID:4764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b297afa13018b3e24efaf2b905677172

SHA1
6d6d01d9b35901af0f4976d0819bab393e920f98

SHA256
e810acf7bb28b7577c33ad7b22b3b849858e45e9c16ba316b0ba945ef48337dc

SHA512
72dc4db9a40e9e0947c2d58835a75077d65f1f1939463aad5a81368be891890d8d19d1d9df858c957b5a43998ef6100b29710231496636cabc66a1e3a1cc6c2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3f42f939f0a7c91eef0187527bc7babc

SHA1
66d141ee21ab2de3a37f1d92e327aa184d828fd5

SHA256
64a131bb18bd4844b4ea4b6bc84727c638b94523be764dad0b1407394c457c6d

SHA512
18d62cb1f7d7229c37432e83f2356c865099caa9d43f716b465e8624d9288b1a3024bba84a1e83f6721c31a71eecdadf4118848ce4a63bf1230be4e16ead4178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
28KB

MD5
7f5a5d45ee4ea0bd1ccf5178c63f43c0

SHA1
71cafbec33de805f8c65c04ab40a7fc072420df1

SHA256
e47f30921e1d3fda22de0ed56c9847b80e379396ea95d3fe60e04cf9e4c9773a

SHA512
11dcabf8a16fd008783be04cf72e9ebcdc3b37a9a92c0769daa32fcec0a7ac5f1380d5e7636dca14eee05e5787419d2f5782726c94846c39085b325099c123d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
1af1d690382f81acc8bcd7c0f750b2d3

SHA1
7c63ad9a4ff515160253930469877c3b73bf0288

SHA256
d6aefe4f878370ed9edb8024d3593d3573cc62a1f0be44093059904a2a41f4a2

SHA512
5fafe5dbf8e0cfd954fe8697711f17cd7679cd2352ef10b35dd48fc819c28170b7711995fa685ba9ac23085117cea298c0450a5038da8f33e79f001e6a67c99f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4db37fc91bf89c3555663b9b0a025753

SHA1
e86878e54e124e7aa8b110874cae1f156d3c3774

SHA256
8d7b54e231f7134f9c637dc5187e2c8115887068593c0ba6297e1bf5b3bf8630

SHA512
e6176111ec9d985bdf8282adfce4f1771694bd70cca0ddcc2d1c3fa4c17cb060dbdbf5d410faeba00b66ef1d42ece382e0bc881fbe9991fba8097158f6b22e6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3090da6e1c2773eaaba4f58bff563543

SHA1
3e2e06796aa2bd9adb96dfb1fb9771807a595f7b

SHA256
12cc940246da43f666dbd11855df7cea9935db513a0d55c584d33f711ba5154f

SHA512
f8673d1860d2ed799768221d323d788384a51f4d03492851fdc2fba324fe0606de330d1ebb67f2fc08d14d4205b8015dfcd2a3221662c3cf91121116762e82c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f1c2448c19dfa1e7d1006326af35f84e

SHA1
e8cc828572ce681ba1d23bf604cb1ef8240aed2b

SHA256
d611e27c35d49ccf8a8d1173fbe77c34cd1fe9f062f9f043b8994d8d705f8ebc

SHA512
3a158a7e38fd40ea2afa06fbd610df03c1a517e84a8e85576635ec757cffba3aae47c9bf498a05739880f71ffa8f7e9358d85ffde175409837d90c5cebe7b959

Download Submit