hxxps://drive[.]google[.]com/drive/folders/1LQqYd9dSlNeSQsUBDpK6Gv71TRJ80kIy?usp=drive_link

Analysis

max time kernel
0s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1LQqYd9dSlNeSQsUBDpK6Gv71TRJ80kIy?usp=drive_link

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	drive.google.com
6	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
948	msedge.exe
948	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2664	1796	msedge.exe	84
PID 1796 wrote to memory of 2664	1796	msedge.exe	84
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 2796	1796	msedge.exe	85
PID 1796 wrote to memory of 948	1796	msedge.exe	86
PID 1796 wrote to memory of 948	1796	msedge.exe	86
PID 1796 wrote to memory of 2196	1796	msedge.exe	87
PID 1796 wrote to memory of 2196	1796	msedge.exe	87
PID 1796 wrote to memory of 2196	1796	msedge.exe	87
PID 1796 wrote to memory of 2196	1796	msedge.exe	87
PID 1796 wrote to memory of 2196	1796	msedge.exe	87
PID 1796 wrote to memory of 2196	1796	msedge.exe	87
PID 1796 wrote to memory of 2196	1796	msedge.exe	87
PID 1796 wrote to memory of 2196	1796	msedge.exe	87
PID 1796 wrote to memory of 2196	1796	msedge.exe	87
PID 1796 wrote to memory of 2196	1796	msedge.exe	87
PID 1796 wrote to memory of 2196	1796	msedge.exe	87
PID 1796 wrote to memory of 2196	1796	msedge.exe	87
PID 1796 wrote to memory of 2196	1796	msedge.exe	87
PID 1796 wrote to memory of 2196	1796	msedge.exe	87
PID 1796 wrote to memory of 2196	1796	msedge.exe	87
PID 1796 wrote to memory of 2196	1796	msedge.exe	87
PID 1796 wrote to memory of 2196	1796	msedge.exe	87
PID 1796 wrote to memory of 2196	1796	msedge.exe	87
PID 1796 wrote to memory of 2196	1796	msedge.exe	87
PID 1796 wrote to memory of 2196	1796	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/1LQqYd9dSlNeSQsUBDpK6Gv71TRJ80kIy?usp=drive_link
1⤵
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1a3346f8,0x7ffe1a334708,0x7ffe1a334718
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,15919880801851057142,17143613081890672204,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,15919880801851057142,17143613081890672204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,15919880801851057142,17143613081890672204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,15919880801851057142,17143613081890672204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,15919880801851057142,17143613081890672204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,15919880801851057142,17143613081890672204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,15919880801851057142,17143613081890672204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,15919880801851057142,17143613081890672204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,15919880801851057142,17143613081890672204,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,15919880801851057142,17143613081890672204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,15919880801851057142,17143613081890672204,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,15919880801851057142,17143613081890672204,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3048 /prefetch:2
  2⤵
  PID:2388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1f9d180c0bcf71b48e7bc8302f85c28f

SHA1
ade94a8e51c446383dc0a45edf5aad5fa20edf3c

SHA256
a17d56c41d524453a78e3f06e0d0b0081e79d090a4b75d0b693ddbc39f6f7fdc

SHA512
282863df0e51288049587886ed37ad1cf5b6bfeed86454ea3b9f2bb7f0a1c591f3540c62712ebfcd6f1095e1977446dd5b13b904bb52b6d5c910a1efc208c785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
60ead4145eb78b972baf6c6270ae6d72

SHA1
e71f4507bea5b518d9ee9fb2d523c5a11adea842

SHA256
b9e99e7387a915275e8fe4ac0b0c0cd330b4632814d5c9c446beb2755f1309a7

SHA512
8cdbafd2783048f5f54f22e13f6ef890936d5b986b0bb3fa86d2420a5bfecf7bedc56f46e6d5f126eae79f492315843c134c441084b912296e269f384a73ccde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
28KB

MD5
bfb4ad144233248db8f0b493c9f53943

SHA1
75f204ac49008ca945d35db03568db5ffa2ee27d

SHA256
57819395af403b8697d446c0ef64388fd0f4b33af5647bf8a79d0616cd903393

SHA512
0f5f4ffdc046a81da203998f22ce0f156036b3c14646faa1b1c30d6bd0cf5138b70b3d5ac60b2b6eed36d2beadc108b78119f757bea84705ac71a8f1b3d4dd6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ee8954522b8e874f6abcc16246db6b66

SHA1
e3bb1886e92fcacb1412b748536986d7d849425e

SHA256
83bc3476642b63e1422536ad40571b8b61d349174de79d482c8a637f1e79aa39

SHA512
6c8ca1ba8db6d7318720c004e44ce99d0db307206b2b22589e7f5b974f1b7ddea65e2dd5e0d0ede12d2b6709dc93138341b9b66c32503544612ae7e7ef1ca0ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f200e344ee27b25c3d5fbcebdcb87a76

SHA1
e981a763b24695ddf3106c93174c3aa6ef3692a7

SHA256
ec459a1e8dcc6dc881d5574d772ba3db84fdbbc18b8818403e6450f00a7845af

SHA512
0ae17ed8bbb0da0f1c25dacb167c8f479185b869536425c27fb36149c5e0adf81411cde27a602502138c3fefbcd8d84e9172ab243c0409c2dc201052a6ad2ed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
b4c60f431ee0b6626a9d16fd54515687

SHA1
91a852e17c7e70a5c8bfbd6f5352dd653b5e0fc8

SHA256
205b855070173494626f97d6725a98a652b470b16ef8ef16d6f9a326973b8560

SHA512
de0fc551a8902611eed251b109c7f0cddfc77c4e4fe94f4b2ba1e7e3455cc140465335696993855de547cd2cf8cea16d4209c066a1d014e8082c850448e1d0c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b1c8bc6f0f979adae6f3f6e6fd50c9dd

SHA1
0d961c7468cb19d85ee4c8c55f6b8dc929910cdc

SHA256
2ccb36174ba305c87a568be3bb74c1f28a70bb67f85829c50cccde0bb0cf67e6

SHA512
b3a7418a73b69cf2538958f09c4ebe6410d93c22f490fa8f54c8bdc8569a736dbf1558fc5bfad66083af794582e1edb6ab08f96e6da5d81763aa3783d818523b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ca8d9943c2f6d182519a2fc583ccd47b

SHA1
0346bdcecea9a0fd6fa0b2882c76010e3f33e2bb

SHA256
79311662ca9dbc065795da7a014912c94b822720da9d2e156d86de21e60cbed3

SHA512
cd293b7d02d18cc44f2f072e675708dfcf168420917f3b7eeaa762be0ebf05f7fc82510addc748dae3eed82bdf9e5a502ca998c0d275fd7f0f13d53a1dfe9a02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0e520965c17d5f3bcad81d2c6bc7cbd3

SHA1
5812b1216434cdfa22250762bac02167c1c48d18

SHA256
bc270bc5744130a6b85c290aeb25b8332044b83782fd3039608062df986a325e

SHA512
f9947670b05c2341a7b41aa24ca76c46e2e00a28332d8575007881b981b49a1922f18c9fddb88594ea3232ccf6de6716f54004d4fcbd6c390c6b90e0044ac7a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d7d679fe4393e2e20d8a43baa84cf9f4

SHA1
46a8fe9621592925701d952ccb578fcfcfd03f7a

SHA256
3902f48ee55d9da75527addd4a51a574eac5ff32713a9d2c221f09912fd98f08

SHA512
2eaba90f7d7ab745225321382c0a59b0c0cd659545e162eb0c0e9ada695ed311a4adbaf1d50e78fe46c91db920af55f036c92c7a02e90628bd0c64a3811fd29b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c7bb4cb22a8a4d0faad7b2b11042f0ee

SHA1
3e400700d064b29d7919927ddc4015f84a673a94

SHA256
893d30d28e25211a79a2e1a0b0c3d5d21b98c464efcd78a8bf53f9230df3b9fb

SHA512
17563f7fd222e72f74569da147ea96e354998960cdd224756876f5ba932e22314278c471cec6ac42717ee1812b372272e1ec46af08d5c5641854183ee010b230

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c7b5.TMP

Filesize
1KB

MD5
0f5d0b319a489ece926c55b2e6eb166d

SHA1
7b7f0e8d0119b7070fbe64a31a7f7e218865be01

SHA256
8ded2d9ed7f3dd7afd32e1fcd6bb47994c320d03b2b15bd06cfe5295dedd75c8

SHA512
5e2e2a8273d9e15483558be4c74f3b27a44f95b73bd9c16d8abc8ba0c5760c6d3872f719141ccf1d0871bb5f2682e89ce96bee666f86f14c92ce91779906de57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a72c49645a0e5295dac498185ce7b941

SHA1
3b826e8dc9db8400e8ab03bc5d0af00e92fc01ee

SHA256
49d3e5c1547453cfc16e306262ca62b5b134750ab22833c6bf96bc0a56a13f10

SHA512
9db8ddc0a3ed147818cdf8422d715b3dc05208e28aa91d171086251f55eb5445c7558461a2406ed12263ddd38e39204dcb511ac182dc760a4ad7b625311d945a

Download Submit