Analysis
-
max time kernel
145s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
13-08-2024 07:21
General
-
Target
https://drive.google.com/drive/folders/1ZW4g-K1VkqY170EXQQbkc8XII_9156LB
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of FindShellTrayWindow 33 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/1ZW4g-K1VkqY170EXQQbkc8XII_9156LB1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9984b46f8,0x7ff9984b4708,0x7ff9984b47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,12956575866391877640,18351240302881378384,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,12956575866391877640,18351240302881378384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,12956575866391877640,18351240302881378384,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12956575866391877640,18351240302881378384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12956575866391877640,18351240302881378384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,12956575866391877640,18351240302881378384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,12956575866391877640,18351240302881378384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12956575866391877640,18351240302881378384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12956575866391877640,18351240302881378384,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12956575866391877640,18351240302881378384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12956575866391877640,18351240302881378384,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,12956575866391877640,18351240302881378384,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5280 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12956575866391877640,18351240302881378384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,12956575866391877640,18351240302881378384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,12956575866391877640,18351240302881378384,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5876 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5111c361619c017b5d09a13a56938bd54
SHA1e02b363a8ceb95751623f25025a9299a2c931e07
SHA256d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc
SHA512fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2
-
Filesize
152B
MD5983cbc1f706a155d63496ebc4d66515e
SHA1223d0071718b80cad9239e58c5e8e64df6e2a2fe
SHA256cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c
SHA512d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd
-
Filesize
36KB
MD5eae5fc6db735938044a4741054dca29e
SHA15ad3a1d30f1123fda791830cd373b9d9041a5663
SHA256967e35cf9787773151cb0a3945617f4a25b0232c8af0b8b8db30797426c40d3f
SHA512a996760ff518a4781eb2d5b6074fad7645b1c06fb98d1dac86c919b67d0e04289790a7e45c57c22b8ac28421b46ed299ecb38d6d979711bc95bf804f47c8556a
-
Filesize
1KB
MD500e28990932c247cd70339dd03ffbfb5
SHA132a5499bfe9307f8a53dadfe722d682573e5d9a6
SHA256372742899c6b280691dca1855ed2cb7bf3ead0af3b9cbec7224f470f736ec765
SHA512e2d52ac139d726a66c85e50e17008a60e67c89a57cc8c63ed7182bdb54911fa0992694d442c91fe7a76b33755ee5d5d084c3b4312ce602ffafb06d14fbcb3711
-
Filesize
1KB
MD51f1cd90aa1fb5a6c47a2fbc4874c516a
SHA116aa749db7244d9451bb961918a0a3b434a37352
SHA256d5d54be0f7fa128a16d20bf554a9995bd9a7b90e9039f0a6a2bc87ddfcacf177
SHA512860888f22662efe9f8bd665e97be33e0e0d9f56b5f4ea458bd595b98417605dca37d18d6d8952b610f067d27899d4633e17011a53b08e23107a485e4d64b9d96
-
Filesize
4KB
MD575235117c4fb2bee72c510056d639799
SHA13c9e92e94b00bc13b1657eafa85346cf0fd798c1
SHA2562e2ad2d60255dd7c19b55a17cd1e63bdbedf7ec224c8697888828cc4965945ee
SHA512a68110ae3c98e76fa68a0f31434b31d61d73edac5e823ca834c4542cb8823ed668d065737cce888e96f0678d3ac322cd9d396e80ed9799dba10eeea558199046
-
Filesize
4KB
MD5f813c5b2fc698fcc1fb032b2408950ae
SHA1d47416d2bd62924b5e9cbf6db8fd9bfdba103f17
SHA2566e59fa5df8c32d62c53e99fba78e8bdf444a29838b11b502990c6c25c1225b2a
SHA512367ceb5fae4290bc20422f5ccb85470d37b8f8b07f5e853052324c5e26ec81975e84c0e8ad5ad5483dcae11ea5774bcf00bdd680076d109d2151c95658ee6dff
-
Filesize
6KB
MD5e5b4791e5b7c0761bd92490ed6367ad6
SHA12432d243c59fb87dcb58224d038fdd5bc6b39a90
SHA256aa5710eb7e4b43ec7ab8e357664a09f80dd493f86171598a310c9b4697c2435e
SHA512fd98a3fe5a9ebdcd9f0fea62dbdda44d7cd6905387283ed66f07a636a4cc5a676e06ea3e39260989b30698145a373c8949fcbf835fc0f29e4d2dd820992dd9c5
-
Filesize
6KB
MD5642c01c77b98ea49281fd1361a2d8e80
SHA1507de89ed6eebb694d271dd7d04e928fea7ea370
SHA256f33616ac6004720511d7bb6e4e234c961174c9deb30ab3591eafb8b12d37d9fd
SHA512b34a576c050b8ca249ce8ee1981589a32526431bc331fe5e7a6c86995aae883af4834c3bf951bc8bd9f93986e86fcc5ece29952f32a99c0b4714699627f0a7c5
-
Filesize
6KB
MD58e1fac76a774ae8ccc35db220edb232a
SHA19d52036f1003ebe304dcfd03f5a23579c33ed4b3
SHA25618de0288bb491009c1ee7a549f3a3f86c82c563cd628abd92f09a42245832937
SHA512ee2b687928d9dd349c3e78a758a710fc32d3958a606169c9832f822f11ce8db26e77b9609d70639756b0b73066a04d313c785a76470a1dcbea8979fef8e1d6bd
-
Filesize
1KB
MD5e49cc7cf3a6a733a5671c91d91256db4
SHA1139223c916e6f8da88adcbe1a5498ebbf3a626c0
SHA2566389b731bd89a2ec2c305a1d06aececc987856ec1ea34bd5852615e1549261cc
SHA512fa22cfab8d8e6ef707fda489c970e66cb6e3824e4d385097d4ff15a2803ae9938642925e49b560b9e0eeabdebe6364ec1e5ca6513b161465b7081d6714953a93
-
Filesize
1KB
MD5d95c758d22f8012cd460a55defc6b086
SHA134025875c5310df6dafcf74fd24884a53474236d
SHA256653d9dccefeb81b737b4bd8e963130325897ffbea6c31b94453708cd5cde802f
SHA512a41e6bb954b5ccdafd4ee43d1f3c7da8ac18a5c27e3810fe23659b2b45e510ad5387691794372437b68e26815e3a02411c005c35a265290115d8332cc33ce68a
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5d909d1293e7432abff3a95138ad2959f
SHA1c72e49540c1d7e13fed9c992264d180b6beea03d
SHA2569544808a880eb913d301168fd953f3ccfcbbd9f4a11eadb27f74bc6b1ef4ed2b
SHA5122030bf7e8e9e5af0b4f32059d1e65a76eba149b71d57af450360ff5325c8631094f0880df3435f7f39a8c5c24b0679c9d5e6f9b7449faf7cc3b70b578ba1aacd
-
Filesize
11KB
MD5e8c7cdc729f360a05d43c9672fb59e56
SHA1e3e9052b6199c1020e7d9f0020c143b7d78292fb
SHA256e75791cf49ef3184b2245bbc67f3271afda25426547c51368e0c4d312e5840ce
SHA512e57963efe3a41e66d6d5761690f4a2591360f3d53d4a20e92b260be7b3f97481cfac31a5d31837bd89d65e1adc9c6cf4c13ec51cc464f08f22a60040cef6b809
-
Filesize
1.2MB
MD5fdcaac4ac865ecb56c7447ed5ec0fce9
SHA1f85fc8fb457ee2078f1fbecc241fc41844ebb842
SHA2563a68eaa557d7d815ed491ad02db982f42a6e52ddb7964f77c1ee7e1719dc9a34
SHA512cb79552cce35f8f997cc1c6951513fba601e66a168e64b89974baa206ed9d653f2b06a9eff4bcf9a3916de93cf551957216cef7f017840c9a22009e8aa528ad2