hxxps://drive[.]google[.]com/drive/folders/1A1WcU-ZaJi_GWB8VEiuGDLiJqLyMsdIp?usp=sharing

Analysis

max time kernel
432s
max time network
435s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1A1WcU-ZaJi_GWB8VEiuGDLiJqLyMsdIp?usp=sharing

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
18	drive.google.com
19	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1492	msedge.exe
1492	msedge.exe
2608	msedge.exe
2608	msedge.exe
1560	identity_helper.exe
1560	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 4456	2608	msedge.exe	84
PID 2608 wrote to memory of 4456	2608	msedge.exe	84
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 2588	2608	msedge.exe	85
PID 2608 wrote to memory of 1492	2608	msedge.exe	86
PID 2608 wrote to memory of 1492	2608	msedge.exe	86
PID 2608 wrote to memory of 4080	2608	msedge.exe	87
PID 2608 wrote to memory of 4080	2608	msedge.exe	87
PID 2608 wrote to memory of 4080	2608	msedge.exe	87
PID 2608 wrote to memory of 4080	2608	msedge.exe	87
PID 2608 wrote to memory of 4080	2608	msedge.exe	87
PID 2608 wrote to memory of 4080	2608	msedge.exe	87
PID 2608 wrote to memory of 4080	2608	msedge.exe	87
PID 2608 wrote to memory of 4080	2608	msedge.exe	87
PID 2608 wrote to memory of 4080	2608	msedge.exe	87
PID 2608 wrote to memory of 4080	2608	msedge.exe	87
PID 2608 wrote to memory of 4080	2608	msedge.exe	87
PID 2608 wrote to memory of 4080	2608	msedge.exe	87
PID 2608 wrote to memory of 4080	2608	msedge.exe	87
PID 2608 wrote to memory of 4080	2608	msedge.exe	87
PID 2608 wrote to memory of 4080	2608	msedge.exe	87
PID 2608 wrote to memory of 4080	2608	msedge.exe	87
PID 2608 wrote to memory of 4080	2608	msedge.exe	87
PID 2608 wrote to memory of 4080	2608	msedge.exe	87
PID 2608 wrote to memory of 4080	2608	msedge.exe	87
PID 2608 wrote to memory of 4080	2608	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/1A1WcU-ZaJi_GWB8VEiuGDLiJqLyMsdIp?usp=sharing
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8104646f8,0x7ff810464708,0x7ff810464718
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,7016044713004227532,11485269160521322152,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,7016044713004227532,11485269160521322152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,7016044713004227532,11485269160521322152,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,7016044713004227532,11485269160521322152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,7016044713004227532,11485269160521322152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,7016044713004227532,11485269160521322152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,7016044713004227532,11485269160521322152,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,7016044713004227532,11485269160521322152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,7016044713004227532,11485269160521322152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,7016044713004227532,11485269160521322152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,7016044713004227532,11485269160521322152,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:3624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
75c9f57baeefeecd6c184627de951c1e

SHA1
52e0468e13cbfc9f15fc62cc27ce14367a996cff

SHA256
648ba270261690bb792f95d017e134d81a612ef4fc76dc41921c9e5b8f46d98f

SHA512
c4570cc4bb4894de3ecc8eee6cd8bfa5809ea401ceef683557fb170175ff4294cc21cdc6834db4e79e5e82d3bf16105894fff83290d26343423324bc486d4a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
10fa19df148444a77ceec60cabd2ce21

SHA1
685b599c497668166ede4945d8885d204fd8d70f

SHA256
c3b5deb970d0f06a05c8111da90330ffe25da195aafa4e182211669484d1964b

SHA512
3518ce16fef66c59e0bdb772db51aeaa9042c44ca399be61ca3d9979351f93655393236711cf2b1988d5f90a5b9318a7569a8cef3374fc745a8f9aa8323691ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
28KB

MD5
bfb4ad144233248db8f0b493c9f53943

SHA1
75f204ac49008ca945d35db03568db5ffa2ee27d

SHA256
57819395af403b8697d446c0ef64388fd0f4b33af5647bf8a79d0616cd903393

SHA512
0f5f4ffdc046a81da203998f22ce0f156036b3c14646faa1b1c30d6bd0cf5138b70b3d5ac60b2b6eed36d2beadc108b78119f757bea84705ac71a8f1b3d4dd6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
896fe912c7ac5aa1b1c02c6513c52f94

SHA1
8ed6aeae731ecdbfd8563c1a3fff4a7e66e2818a

SHA256
1317c993938ef947e4d48ac1292577c5797b2cb58ed65d68efecdc2782c1a192

SHA512
214f347329ef4181207d4d47b99327d5f87d32029dc2a840c4ed8c86664c72384145cdefc91167eff3ce64a67b2804b388724c96f439f969415f50c8042d6b5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
d4f6312da01e0496414aec0c52bad6b5

SHA1
7dcf6d2a2562a687b45aab09d3a69e17df2f0442

SHA256
b301c122dcb0ad98faa9aa643e4c812232eac954a8ed0492be40b4f9cbf753be

SHA512
1a36b5d3a0e555856fc9d61557a41ebc77f5f724e30269ad259749c509107d3f5a8a88b6d4770974313e19686baefcf4c667cac6c238435979d00b0a7d3ff78b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c6aea7bb73f333ac35d43a0e32d17532

SHA1
653ccb035edcfc3559bc79d1d69613788806add9

SHA256
8097bad29aecdea890797e1e5c443a09c720741f486b6ae6ae47c3bff7b88904

SHA512
b414177337c3b5d44e92246dd9c6912ecec2cf574060d175dc131c227a6886d17abb3731c64432dd1fca1a0d6c4817960e6cb8db9be8f80152c990db1846433d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e9a25437ba8dd468922521c79b7e8880

SHA1
bd64670a23eb51ca4dac774c1d0d221ace7bc489

SHA256
86af000ab94870de94c7cde5d9824743b53710fbe8d2e5c6f2a8a259f2fc58e1

SHA512
12e94ad69e74191c3c14d1308a0a85242fec6972cf2b96b612ee9ec5a742d9f61a7787d4b6d4279f7ad7e191226e9ae3ae0cd0508e4a57e398ab84eca4e55fdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
52836c6ecb6ed0a0ff4af04e05784cc5

SHA1
a44d65d6fcce7e44ff0235179a63d14187afd53b

SHA256
08cc57b6dee2c9a18f8061bdc84908761ce4f684761e9f84e7986cbf12e6a22c

SHA512
5b081ae1ca42c4b1b3ecdf3bea55ca14e49a45b634bc434c2019dc2507342fc6d92098783e0e210a2f5df6b742218e40bb4d4bd74cdc80631bb545dd15902e1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e783ab6091affb0fda74a35c49a0797b

SHA1
e7ec0c8cfa2df0eca6c18c1608d12ea89bc13b68

SHA256
d0db3826a096ac76c36931818704ae42de5382d5664028f094d2981517928a27

SHA512
78253bde8bf0ace17a207949c35b3c1c972076fe619f105622544744c1a500fcbeee850e4626ed7d7c693946b1b78321e9705d920c9c75eb5f17cb4138d33f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e06d.TMP

Filesize
1KB

MD5
1b817a85e3e49bc3c4fb3dbabf516aa1

SHA1
d6ff32d58b304cef793521961a2ea35e50dc4c60

SHA256
9637c8c5f2a6fe8f1f4b839b312b3eb418b9da298763b2a6433185b0c7ee5833

SHA512
4e0573cc2acbcee4713423c6760b5947638d7e4f3b3bcfaf3cb2f8544c43ce894f044d66f285b7b8e4a73de3430b8a1bbf90e54b090d46b4fe28fa99bbef5b95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a6948d53872efb0d72c411992948f061

SHA1
b9cae2900c1d97abf8701f0705a758e15b11383c

SHA256
ed52739450f2ba0832c606609211f1c217171925baf321c335bc6f5e95752f94

SHA512
13b3577cf9398dc876f58b19302464ae0c19ff87b1121e4d57820673c49a3a776d3c7f641dfc7bfdb11c1beac3bd35f3af414af2c98cacdcd5066b5c14c7bf46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
792911b072528911304291e674243b93

SHA1
c8708afdc91d3d579bfc3588a8b020705fd47f18

SHA256
3a168c7e78dfb2e610a4991ae70ef21138f825aec0b72d1f314866f13737131f

SHA512
ce80383d3f9a6d460b595539f28a8a253bd2caee0c92d3861b636595b3b1700072e85792c806971e8db617a56a6171e08996088cdc2d30b6bafb3958c830ef51

Download Submit