hxxps://drive[.]google[.]com/drive/folders/ 1BHwUZC81xqwtAMcCYKDVmHIFQJF5_vPq

Analysis

max time kernel
61s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/ 1BHwUZC81xqwtAMcCYKDVmHIFQJF5_vPq

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
10	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
928	msedge.exe
928	msedge.exe
2000	msedge.exe
2000	msedge.exe
3800	identity_helper.exe
3800	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1376	2000	msedge.exe	84
PID 2000 wrote to memory of 1376	2000	msedge.exe	84
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 3036	2000	msedge.exe	85
PID 2000 wrote to memory of 928	2000	msedge.exe	86
PID 2000 wrote to memory of 928	2000	msedge.exe	86
PID 2000 wrote to memory of 3124	2000	msedge.exe	87
PID 2000 wrote to memory of 3124	2000	msedge.exe	87
PID 2000 wrote to memory of 3124	2000	msedge.exe	87
PID 2000 wrote to memory of 3124	2000	msedge.exe	87
PID 2000 wrote to memory of 3124	2000	msedge.exe	87
PID 2000 wrote to memory of 3124	2000	msedge.exe	87
PID 2000 wrote to memory of 3124	2000	msedge.exe	87
PID 2000 wrote to memory of 3124	2000	msedge.exe	87
PID 2000 wrote to memory of 3124	2000	msedge.exe	87
PID 2000 wrote to memory of 3124	2000	msedge.exe	87
PID 2000 wrote to memory of 3124	2000	msedge.exe	87
PID 2000 wrote to memory of 3124	2000	msedge.exe	87
PID 2000 wrote to memory of 3124	2000	msedge.exe	87
PID 2000 wrote to memory of 3124	2000	msedge.exe	87
PID 2000 wrote to memory of 3124	2000	msedge.exe	87
PID 2000 wrote to memory of 3124	2000	msedge.exe	87
PID 2000 wrote to memory of 3124	2000	msedge.exe	87
PID 2000 wrote to memory of 3124	2000	msedge.exe	87
PID 2000 wrote to memory of 3124	2000	msedge.exe	87
PID 2000 wrote to memory of 3124	2000	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/ 1BHwUZC81xqwtAMcCYKDVmHIFQJF5_vPq
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd39046f8,0x7ffdd3904708,0x7ffdd3904718
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,10136050292855925719,1864845265182458068,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,10136050292855925719,1864845265182458068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,10136050292855925719,1864845265182458068,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10136050292855925719,1864845265182458068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10136050292855925719,1864845265182458068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,10136050292855925719,1864845265182458068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,10136050292855925719,1864845265182458068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10136050292855925719,1864845265182458068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10136050292855925719,1864845265182458068,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2544 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10136050292855925719,1864845265182458068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10136050292855925719,1864845265182458068,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:1264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
28KB

MD5
bfb4ad144233248db8f0b493c9f53943

SHA1
75f204ac49008ca945d35db03568db5ffa2ee27d

SHA256
57819395af403b8697d446c0ef64388fd0f4b33af5647bf8a79d0616cd903393

SHA512
0f5f4ffdc046a81da203998f22ce0f156036b3c14646faa1b1c30d6bd0cf5138b70b3d5ac60b2b6eed36d2beadc108b78119f757bea84705ac71a8f1b3d4dd6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d0204a6d39e775ec686c5f0748946a48

SHA1
f3b1f6f2537ade4536de70fde8ee42f0c7a79030

SHA256
ea4ecdac0e07760bd3d50be453e662084463f15773c2caa262e738440e6eae58

SHA512
0c6497cc785f7121294f1b54e7ae7a195adef20d38a7343686b3c5125f14af7680166df0b74130c6ef6048cfa0b3a6f0f583335f2d3c2b42820e7d19d31f641b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
79a620923dfa5f8b8322bb3f63c21497

SHA1
65415d38dcd456a4bdc84c9043d51aa08581041a

SHA256
3b472d110878f929adf6aaf3d87d34e2add795e4867ee652ae579abdbf2eccb8

SHA512
07e02999c415c4935a63b353433bb16fd92e9592cfabc4b0cc2f8eddfd814ff52b150af64b75b01f4a5b63428bf5a6781340a15ce91b4d1f4e551358db6d45e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
04483dac12af3b4face7f3e7dacac2fc

SHA1
6c621d5d5074aeb3c9a0c8365c731213c0d1ebec

SHA256
a7a2110a145a43ebeb1586b4b6d0080f8ddc77e26f2b49e9e09c5a11a78ce34f

SHA512
39f4a4c380ab08b188f7158282febad9689fcc5ace96fedcdc65c10d6bb642d76a3bb7cb9229a7bb5ba4caf3f64d5d11e7a0aaacec04a3c139075ce3d627c5c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0b060f6a54f4513dac7e4c7e193ccdf6

SHA1
b9d79054dc9155b736cd4fe7ec9f31c7276b9aad

SHA256
71f1626e329def6390f33edd1e99d52e703d22b51f58e4d0eeb6e1a8d878b9f5

SHA512
20a6a25fececfffffaafe331a9fd041d610ca4a83e016dbceaad9e3cd5af1d172a9f9f6594c12cab48b58d5b12da1e7ed36dcb7bd70794982048f48d34af0cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
875B

MD5
3928dfbc51ac027035e1a09d8b8eb047

SHA1
f39123f5ba57e1c838000f05f3fa3107a730be73

SHA256
2305d19509cca59c971b53312a8b32b0257cb46d26d24cf43089d995414dcb55

SHA512
65015b394a86fa3d29d3e802258e213520320794932340c8b2d14387a81331581be36c70df5c60151a6ebeb31afebcb7bd6d36f90c2699bf8b0717ea7196db8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b0e7bb4f3bfe4273ab37b0dc779d9ecd

SHA1
654861312c5dbae492dbe393b5389ce45d0c9c5f

SHA256
3e72204466173a0b267d9a7af5dfa98591f45fc472c9fac9242d92cf2ed220e5

SHA512
3416624e64122a1a65d995013e52f15a3bc19a1a99b5a7ae7fd88e46b4b399cecb19649676c8d65f9d23f0bd482f4b78b90ea33601e7bd7d7310d1022527621b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58021e.TMP

Filesize
203B

MD5
5dd4ff80f2dad8d9d086c1ee34a90752

SHA1
4bf684394b1e3a6a11974563c02bc7a0a80bae6d

SHA256
45f25bc70ef9427e1ec72dd5bdd7af78f25c1e6fdfd65535dfa9eda9c7cac6ca

SHA512
13d2e5dd843bff17a364eda78fe1c6ac23d1daa242655609595a2962ff5353484eb5998d6b4ffb6edd24cc824497b117555166559be6dfce58a7e857fdc711f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
deb10b85179235b2a9b1f634b6700eae

SHA1
e72c11ae3182dfc008465f6dabf5791d74f68886

SHA256
a6afaf08021965ba3d3c3a290be48c2a12267515f3d178067f6f6067d3e7e99a

SHA512
87fcfcdde9d5cfe797cdb3bb277eab69dbc855308942fd806736631e58e3d9f913b52cd333ac7cac0278e1e987e5e567a0a04f6d9e126a2741d9920b9305b0e7

Download Submit