Analysis
-
max time kernel
147s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
-
submitted
08-07-2024 15:38
General
-
Target
https://drive.google.com/file/d/1ZlKJlkBYOFF-7yqWhxIAsk7zBhg8cmD8/view?usp=drivesdk
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 11 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1ZlKJlkBYOFF-7yqWhxIAsk7zBhg8cmD8/view?usp=drivesdk1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6e8d46f8,0x7ffb6e8d4708,0x7ffb6e8d47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,2547297637169264515,17929796143867417427,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,2547297637169264515,17929796143867417427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,2547297637169264515,17929796143867417427,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2547297637169264515,17929796143867417427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2547297637169264515,17929796143867417427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2547297637169264515,17929796143867417427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,2547297637169264515,17929796143867417427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,2547297637169264515,17929796143867417427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2547297637169264515,17929796143867417427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2547297637169264515,17929796143867417427,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2547297637169264515,17929796143867417427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2547297637169264515,17929796143867417427,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,2547297637169264515,17929796143867417427,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5660 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2547297637169264515,17929796143867417427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,2547297637169264515,17929796143867417427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,2547297637169264515,17929796143867417427,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\Gordon with bike 14-6-24.jpg" /ForceBootstrapPaint3D1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dashost.exedashost.exe {6232567f-c39c-487e-a3af12eb8053288f}2⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault7008e09ah594bh4ab4hb2c0h0608fad1048c1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb6e8d46f8,0x7ffb6e8d4708,0x7ffb6e8d47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,10666083083557126677,1106742469354588057,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,10666083083557126677,1106742469354588057,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5e81c757cdb64c4fd5c91e6ade1a16308
SHA119dc7ff5e8551a2b08874131d962b697bb84ad9b
SHA25682141d451d07bdb68991f33c59129214dd6d3d10158aeb7a1dc81efbc5fb12b3
SHA512ba8de0b3b04fec5a96d361459dde0941b1b70f5be231fdec94806efa3ecf1e8faf8e27b1800fa606dc4a82e29d4cf5109b94109e5ad242ddf9f4671e2acbcfbd
-
Filesize
152B
MD52e57ec8bd99545e47a55d581964d0549
SHA1bd7055ea7df7696298a94dedfc91136e3b530db8
SHA256a50ba35608edc2f3360cc71be0d4b29bba0e3382d1f08f24df5322ce2ad2443c
SHA5126b9b73d983c472149629c842e16e4f7c2f8a0a3bb6dd64837ef647db810ef1beb3a02b15dc1eec2c5de8aee6b3ca195c7d26c432705061c5b0ec7841a5bbf106
-
Filesize
3KB
MD572cec983c183036a66adcd65427553ce
SHA1834a217173dbb5449db6307420adc6658218e464
SHA25677cadd98cd7443acffe1e4895cf2bc971e30d3fabcd505b8bedd03b5426a0ced
SHA512f23ff58c967de2f645803c8b2c8a28b490126efc5c80c0da3e70c6a878ee5b0fa0f47d9c93f4f8d2bc89fed16ad2b5f1ee149982acb5509d3cbd741f9ce4e64b
-
Filesize
408B
MD5acf75a6a225b4b98d60fcefcfae3ad80
SHA12af68173bf070ef9c7332a425066262dfebd5068
SHA256ff12b179bb0829893b05ff14ea21234b3aef9b93f6fd8815b712963ad00a6fc1
SHA512578d4e185911f25b5cd7fc1ca5e050f9f27e17a46b41896f48eb134b6d6d286feea728b9f12d7e8a3dbf332678a0503c28103f3c021f144c35008ab4962a8fa4
-
Filesize
3KB
MD5335fce1f1d7870a5615bf44981663781
SHA12ac020eaa16e055ca12b43a4d1e144b0d0572082
SHA256384fb8d143c5fcb15ea53f9fbb559b6505db47e1639195e7cf5198f850d32014
SHA512bd9c8b9924fd023087e9af5a42b6a0e17f42d4bfecaa7096c6875522b8f50cf882b9e58b4bf0f830fa9850aeff4ea5bad1738440e421fdacf5fda8ce4ddf4d1e
-
Filesize
6KB
MD5e351a8c4accb41f77d2213d7dff68c75
SHA12bcf9058f68a8b1c0726619347441457f5174123
SHA256a61eb103cdb76c0966a4dc4915688959070efa852059735a2c44654b88a5af31
SHA5128fbb6f585642caaaebb91ae398c62146053ea7879af8e0dc11af1d7b1469b0491dfbe17374b0c9cd99f0acebba70249307cff0a6d58646c2b15f0367cbc92c9a
-
Filesize
7KB
MD5a66112bebbc659b5fdc820e0c066507c
SHA15d97c107c2b5647fdbded5dcacf8e4fea663c4b8
SHA25602cc92b408f62ef172d797df7d2fc20ce471d3e202813435ad6d273100de7460
SHA512a30d6ab00266aa07e50cedf5d3042b727e1f2eabbff7f1174a467ac12f16923ac0f45b4769c194ef392dcda07754fafddcef2e529169522e8facf31191992d3e
-
Filesize
6KB
MD5472434d22c3233d3d9bc3764bd5b588e
SHA138e64b745431c0a5082c81bb0ed038136de3fe00
SHA25652ef24a3c0fc2c8f8496daf7196ffc7976840207c909d541af95716b4c6ae973
SHA5124c33f8f03c03f491e001a5af7e3eedd4011ebbd7a966a1a2785eb725c33c545acdcba480ced31e18ace8150f24a132af58b4e890a3a07f0542d629ca59e16406
-
Filesize
7KB
MD553dc6517c08c81a5ca9fa14b1aaa5d0b
SHA1816a14c13471058645decdefdad90e9d18dce652
SHA256f7d8888083594991d4bc88b959f305c0f23c382574ad8a8407e6395cf5bf2d69
SHA5122f09867b074851addcd1847a84a72884a3cd4be0363afead9cf5f2d03c64f73c5828c485eaf91ab71db9f89ec1595e0e6bc74434efdf4f15cafe5f6d781e0f18
-
Filesize
6KB
MD5ab12c47c4e5b0a34a62c325790278325
SHA19b1226fb19f67d1d2094e0b49433773fa48b258b
SHA256c97004e1768267a7837918e0d01143c7a89ae66df6a64d9e894481f0b43b1e8a
SHA5122518107760c8858562f2b3917ca8c6e829818f4acb870d8b619cceb70e048677fc718c2a835a9ef8541c51277a425d5b9e27b7a099ca520a5dd4b404b99d542b
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
12KB
MD51e165b1e3b999f06cd1e8aaf35e0406e
SHA1622a2304af4c5f770a9e2077711aeaa20809be1b
SHA2560459448f6b040f32978477fea9c6713b8d9dd4bbdc77d87bf8a0082b380f6487
SHA512e7909e4245f3851c3fdbbb439a3c0f6d0a4d52bec030444d4697ff0654c9ffcefeb1060efdca53486911db7a58b15add91ee6cc25095f534b55c1fa7dca77a7b
-
Filesize
12KB
MD566d399e7dcbe1d509f4ff8322f3a993d
SHA199468cb7681478ab6a5eb1283169819e38cf8e71
SHA2564231c67a753b588d40fa8787965822be5d8b899fa1c3b6ee5bb3f1ea54644239
SHA512b2f5f3ab328d9c53a18f0577a2c68a7ac2448e7195f0361b9129be99b83ce3009a83ca974ca59722ca39974817cac5a472e7a846b81a7e4fb0f8f21d9950dc44
-
Filesize
12KB
MD5f1269d928c9b78ee402dab91d54514a7
SHA18497bc833898a2f822febb4a7cb68324d3a58d67
SHA25656e74889819a12b73576676ba81ccb5cad5b2db8e68ddbb8c49576361dc2b4c7
SHA5126af885e05bd5f4dab4ee7a4319e1dda86d43c76cdfc5c78ddea5fb6da5629aaa155f154279b3cb07aed618a2a333ecae28dbded9ef12fdc3cd714b41380d3fd3
-
Filesize
11KB
MD51a8aacf19f6528466a8b908fb3399d3e
SHA151ef6f9e924c3cd0454d779279760df05d7ee357
SHA256ba94857d8690cc9fcbc3af546799225b16a9d1eaa52bb0329a2307873556b54d
SHA5129e85fa229fdc249e15dde9b845a6ac25a420b1538b0f7e7dbae923ab52bcca3ce74dab205059d33c494da8d5e57c4de1a8324df4809f87811f0f1710580feb4a
-
Filesize
2.9MB
MD500a899ff07e7fcc9ccc094616c19f563
SHA112e092192d7bb7808e9b323596f87680d700a69b
SHA2563b3dfdb680421b93243bc82d486f77704cae12e6e220557929bab96726bbef28
SHA512024ede7ac932aa7b423a80846299f94c59728d7464076e6366008b20f0f4b45fee8f300c5d7fc3b205c4c4bb19676f7a18a05172fcccc99f6e720da012e6e474
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
