hxxps://drive[.]google[.]com/file/d/1fwJdsnnK8CE52uB6ttf5BOyA6_zlBL57/view?usp=drive_link

Analysis

max time kernel
146s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
30-07-2024 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1fwJdsnnK8CE52uB6ttf5BOyA6_zlBL57/view?usp=drive_link

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
5	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1784	msedge.exe
1784	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
2704	identity_helper.exe
2704	identity_helper.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 4868	4396	msedge.exe	84
PID 4396 wrote to memory of 4868	4396	msedge.exe	84
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 4792	4396	msedge.exe	85
PID 4396 wrote to memory of 1784	4396	msedge.exe	86
PID 4396 wrote to memory of 1784	4396	msedge.exe	86
PID 4396 wrote to memory of 1224	4396	msedge.exe	87
PID 4396 wrote to memory of 1224	4396	msedge.exe	87
PID 4396 wrote to memory of 1224	4396	msedge.exe	87
PID 4396 wrote to memory of 1224	4396	msedge.exe	87
PID 4396 wrote to memory of 1224	4396	msedge.exe	87
PID 4396 wrote to memory of 1224	4396	msedge.exe	87
PID 4396 wrote to memory of 1224	4396	msedge.exe	87
PID 4396 wrote to memory of 1224	4396	msedge.exe	87
PID 4396 wrote to memory of 1224	4396	msedge.exe	87
PID 4396 wrote to memory of 1224	4396	msedge.exe	87
PID 4396 wrote to memory of 1224	4396	msedge.exe	87
PID 4396 wrote to memory of 1224	4396	msedge.exe	87
PID 4396 wrote to memory of 1224	4396	msedge.exe	87
PID 4396 wrote to memory of 1224	4396	msedge.exe	87
PID 4396 wrote to memory of 1224	4396	msedge.exe	87
PID 4396 wrote to memory of 1224	4396	msedge.exe	87
PID 4396 wrote to memory of 1224	4396	msedge.exe	87
PID 4396 wrote to memory of 1224	4396	msedge.exe	87
PID 4396 wrote to memory of 1224	4396	msedge.exe	87
PID 4396 wrote to memory of 1224	4396	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1fwJdsnnK8CE52uB6ttf5BOyA6_zlBL57/view?usp=drive_link
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffac95846f8,0x7ffac9584708,0x7ffac9584718
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,1604083293227242053,7871079110684776935,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,1604083293227242053,7871079110684776935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,1604083293227242053,7871079110684776935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1604083293227242053,7871079110684776935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1604083293227242053,7871079110684776935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1604083293227242053,7871079110684776935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1604083293227242053,7871079110684776935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1604083293227242053,7871079110684776935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,1604083293227242053,7871079110684776935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,1604083293227242053,7871079110684776935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1604083293227242053,7871079110684776935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1604083293227242053,7871079110684776935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,1604083293227242053,7871079110684776935,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3028 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
75c9f57baeefeecd6c184627de951c1e

SHA1
52e0468e13cbfc9f15fc62cc27ce14367a996cff

SHA256
648ba270261690bb792f95d017e134d81a612ef4fc76dc41921c9e5b8f46d98f

SHA512
c4570cc4bb4894de3ecc8eee6cd8bfa5809ea401ceef683557fb170175ff4294cc21cdc6834db4e79e5e82d3bf16105894fff83290d26343423324bc486d4a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
10fa19df148444a77ceec60cabd2ce21

SHA1
685b599c497668166ede4945d8885d204fd8d70f

SHA256
c3b5deb970d0f06a05c8111da90330ffe25da195aafa4e182211669484d1964b

SHA512
3518ce16fef66c59e0bdb772db51aeaa9042c44ca399be61ca3d9979351f93655393236711cf2b1988d5f90a5b9318a7569a8cef3374fc745a8f9aa8323691ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
d5114b2657249b60983fa20fb7c905dd

SHA1
edb7a10230620cfd4d9ccedc059a08a3a0b529ed

SHA256
98129865707052eb85072bc0a162cf1c365448714dcaa18c72ec1b8056daf8b3

SHA512
c9d52fee197b3086901896104920c6d3deb6e948290aaa0d838192847afda6afd27d3654c818ad754a0d903fe0002880864731c1d92dab3422686db9e2d1546b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
005a1689522ce106dadc952d74247e6d

SHA1
e20de568ef954a74635ce3c155ff88bcb7ee9fd5

SHA256
098489156efc7939144268fc30f0abf0b988587e9a6cbecd594e37c412688976

SHA512
97b821712d3507eb271c367161a077a2ed1cd978a554e22fa2db9149fd3198a947ead9ee19b089e58d9b7d203b623cd5c8d2ecee9b769b02615e693b14559eff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
61110b6e083a0729b82163ec33b2c18a

SHA1
719926ab4123dc08a676faf826e07ea09a6796c5

SHA256
81ccf0aa4533a32e9f45fc4f457d1889a55f15cb1a55700c8e0b4bb6d1f5aca9

SHA512
946797bc4ffe9dc15f2447ce5a73a07a1392f86af4af722a457c79d65ab30e9cf7e213e468dff45baafe2492d06d3bb3ba20dacd32b4acc1ff67efaf0d00f87e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
643f47c07bed4c753009e1a78f0fddbf

SHA1
ed8281023d4727e380ad661dd43ccaf82aab3337

SHA256
9e4117c208181de8410e70c6ef9b94f5bdcbb66670309dedaf70e3f0225e0e02

SHA512
3cd5fc3ddda6f6925548006086227a14e09a9d3b65d613166b7934dd98804b418932526e2a05037c9476868f02fd2ca388df1cff80ee640286c74cc026e4556e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3a6287364c6195008790a82fff9eaecf

SHA1
20aaa72c48996da6acb271dbb2801fd95701040a

SHA256
8239fb36debd9aff0ad18c07aa044f846f45112d02f1e8001fe2a746e5921f14

SHA512
f5c46c3b3939a36627fd9b24a3b8d90864f133ef7f0fefad07bccdee88fcdbdce2b798089b220ddb12ff74ec6dd8c0a479dad2d09f1f46433798f6b06424f72c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b80b484a159bf989bf79fe8a5cf47c93

SHA1
2199295fb33e38e18da3fd78f9cdb1fda48ac62b

SHA256
70819c6c001c52e61b4bc402902364f7e08e0cdffe9c1afe1f1f84eafe6c6039

SHA512
350e2306d6fd00539e8ecb53f411deeb59a9d95c58832cc32ec4d4cd17ba758f2f95f5da211184499c17f1acd2bebb770ef435d7b5a9b3bb8cf36f5b37731779

Download Submit