hxxps://drive[.]google[.]com/file/d/11tpK2HprxRHmvYnC0uHvNCysyT1qDpaC/preview

Analysis

max time kernel
102s
max time network
103s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05/08/2024, 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/11tpK2HprxRHmvYnC0uHvNCysyT1qDpaC/preview

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
5	drive.google.com
6	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2296	msedge.exe
2296	msedge.exe
1028	msedge.exe
1028	msedge.exe
4192	identity_helper.exe
4192	identity_helper.exe
3008	msedge.exe
3008	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 4696	1028	msedge.exe	81
PID 1028 wrote to memory of 4696	1028	msedge.exe	81
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 4960	1028	msedge.exe	82
PID 1028 wrote to memory of 2296	1028	msedge.exe	83
PID 1028 wrote to memory of 2296	1028	msedge.exe	83
PID 1028 wrote to memory of 4644	1028	msedge.exe	84
PID 1028 wrote to memory of 4644	1028	msedge.exe	84
PID 1028 wrote to memory of 4644	1028	msedge.exe	84
PID 1028 wrote to memory of 4644	1028	msedge.exe	84
PID 1028 wrote to memory of 4644	1028	msedge.exe	84
PID 1028 wrote to memory of 4644	1028	msedge.exe	84
PID 1028 wrote to memory of 4644	1028	msedge.exe	84
PID 1028 wrote to memory of 4644	1028	msedge.exe	84
PID 1028 wrote to memory of 4644	1028	msedge.exe	84
PID 1028 wrote to memory of 4644	1028	msedge.exe	84
PID 1028 wrote to memory of 4644	1028	msedge.exe	84
PID 1028 wrote to memory of 4644	1028	msedge.exe	84
PID 1028 wrote to memory of 4644	1028	msedge.exe	84
PID 1028 wrote to memory of 4644	1028	msedge.exe	84
PID 1028 wrote to memory of 4644	1028	msedge.exe	84
PID 1028 wrote to memory of 4644	1028	msedge.exe	84
PID 1028 wrote to memory of 4644	1028	msedge.exe	84
PID 1028 wrote to memory of 4644	1028	msedge.exe	84
PID 1028 wrote to memory of 4644	1028	msedge.exe	84
PID 1028 wrote to memory of 4644	1028	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/11tpK2HprxRHmvYnC0uHvNCysyT1qDpaC/preview
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb4b9c3cb8,0x7ffb4b9c3cc8,0x7ffb4b9c3cd8
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,1262619702804901348,1755312438093244724,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,1262619702804901348,1755312438093244724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,1262619702804901348,1755312438093244724,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1262619702804901348,1755312438093244724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1262619702804901348,1755312438093244724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,1262619702804901348,1755312438093244724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1262619702804901348,1755312438093244724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1262619702804901348,1755312438093244724,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1262619702804901348,1755312438093244724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1262619702804901348,1755312438093244724,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,1262619702804901348,1755312438093244724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
302c3de891ef3a75b81a269db4e1cf22

SHA1
5401eb5166da78256771e8e0281ca2d1f471c76f

SHA256
1d1640e5755779c90676290853d2e3ca948f57cf5fb1df4b786e277a97757f58

SHA512
da18e7d40376fd13255f3f67a004c3a7f408466bd7ce92e36a4d0c20441279fe4b1b6e0874ab74c494663fb97bd7992b5e7c264b3fc434c1e981326595263d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9efc5ba989271670c86d3d3dd581b39

SHA1
3ad714bcf6bac85e368b8ba379540698d038084f

SHA256
c2e16990b0f6f23efdcecd99044993a4c2b8ba87bd542dd8f6256d69e24b93b3

SHA512
c1bc0dc70ab827b54feb64ad069d21e1c3c28d57d126b08314a9670437881d77dba02b5cca57ef0f2aa7f8e7d4d163fbd2c6f246ea2d51ce201d61a89015e8b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
61ed1792fdfe4120f669c007d251db79

SHA1
881c3db552187843254ef1f9c13af2b03c4d5a35

SHA256
02a2fa791205f0608dcf388c7822187360873f2a73892ae4e0d4105e349be561

SHA512
b6eb7e9ee33954166aee75570087c45b494d3f9fa8f8c226cba06aa737183291f26861a0f6087fd3c6d766876c069b2fcc0ffcf13d5036dd03e9ebc235a322c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
8565897cb26cea4fe61483527b2f997c

SHA1
ca639d38a1e36567ba42fe9f0cec54538b0cdc2f

SHA256
b921e3ceafbdd097c37600df996a1eacea11838fe6d1dcb695b13377580024f8

SHA512
e8abc7982901d4bd0a79ce0152782c287fadfe772b7f26c2961b40f53d54e59074886392dd9c4a214fb76b2b9ad5a7560872f1fc9af78a0275ea822acaef80e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2515ff44ab9647e1a5d907b7fbcfbda5

SHA1
c7fb9bbdcf5bb605af24d00a67911ce1e0dde60a

SHA256
072dcb57ba5d9f2ef24a35f96ba424e06c94aee79531633715d15927b23b518b

SHA512
5f54f84de32d1134113152d347528ee1bc735dfd7f78ab14dbe19dd56c019cff89749dd0edf5b08d83380b0b50961ce527e37874fc57cf072a09bcb6d430771c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f7620a6ba54e6797e46823a614e617da

SHA1
9670d4e9f858251449a6dc666b929e179355f6bb

SHA256
c8c30090db759e8ca2d4f9c64fe07aebc67f8dbbda3d029d21ca0ec11deceb6f

SHA512
593dd064fca0d9c7b108b22b4551f568849e866ec1549efaf621081f989b24316b4054701eef6c0e2fefb4b450551edfb933921aad7c8b55617a695c07783f3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7aae3ed3891db97ab8e5a8b84f00666c

SHA1
6528fa43e5b37140b75b00f27e63ece5b1a51062

SHA256
f5ce95879ce56de0d1d0812c89cc9c1bdae2c398a13506e980f1196ed9ab06a5

SHA512
e33bf274919e2812c35797c29f2678361ba93d8423599cafecf748cee87a0b5edfccb92df1aad9c525b6cea910451c22bab1b21bcf2adff84bc3dec1226567fd

Download Submit