Analysis
-
max time kernel
122s -
max time network
124s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
24-08-2024 16:25
General
-
Target
https://drive.google.com/drive/folders/1xSV04WtBMJWphJosdg6Cip2wcwcP9WSq
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 17 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/1xSV04WtBMJWphJosdg6Cip2wcwcP9WSq1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff813783cb8,0x7ff813783cc8,0x7ff813783cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,12825989882354657364,8844803958953277679,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1972 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,12825989882354657364,8844803958953277679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,12825989882354657364,8844803958953277679,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,12825989882354657364,8844803958953277679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,12825989882354657364,8844803958953277679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1956,12825989882354657364,8844803958953277679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,12825989882354657364,8844803958953277679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,12825989882354657364,8844803958953277679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,12825989882354657364,8844803958953277679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,12825989882354657364,8844803958953277679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,12825989882354657364,8844803958953277679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,12825989882354657364,8844803958953277679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,12825989882354657364,8844803958953277679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,12825989882354657364,8844803958953277679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,12825989882354657364,8844803958953277679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,12825989882354657364,8844803958953277679,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5508 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5b4ae6009e2df12ce252d03722e8f4288
SHA144de96f65d69cbae416767040f887f68f8035928
SHA2567778069a1493fdb62e6326ba673f03d9a8f46bc0eea949aabbbbc00dcdaddf9d
SHA512bb810721e52c77793993470692bb2aab0466f13ed4576e4f4cfa6bc5fcfc59c13552299feb6dfd9642ea07b19a5513d90d0698d09ca1d15e0598133929c05fe1
-
Filesize
152B
MD54bf4b59c3deb1688a480f8e56aab059d
SHA1612c83e7027b3bfb0e9d2c9efad43c5318e731bb
SHA256867ab488aa793057395e9c10f237603cfb180689298871cdf0511132f9628c82
SHA5122ec6c89f9653f810e9f80f532abaff2a3c0276f6d299dce1b1eadf6a59e8072ed601a4f9835db25d4d2610482a00dd5a0852d0ef828678f5c5ed33fe64dddca9
-
Filesize
5KB
MD5d3f1d6188d412f3ee5d68a2b09d7a364
SHA1e05c9f03a9d187065cf8d2c3f7a8bcacdfdc9ded
SHA2568c383432afbd35a220808013a7d7cdd0afe2a6deb308aae1ead71d0e624354d7
SHA5128d944d6174b35cc5f9d9e5b150f560a8c80f95ad08304b0aec1011bacb69810c14becf39b66f1fe06ed2eb023f0a3c928caeda475cf410f54293ee6059726f99
-
Filesize
36KB
MD5eae5fc6db735938044a4741054dca29e
SHA15ad3a1d30f1123fda791830cd373b9d9041a5663
SHA256967e35cf9787773151cb0a3945617f4a25b0232c8af0b8b8db30797426c40d3f
SHA512a996760ff518a4781eb2d5b6074fad7645b1c06fb98d1dac86c919b67d0e04289790a7e45c57c22b8ac28421b46ed299ecb38d6d979711bc95bf804f47c8556a
-
Filesize
1KB
MD5ec67ca1f1dcd1cc0bcc9eaebd139cec5
SHA144a4a03bfa59ef4937d99ed1dacadf2c4091a14b
SHA25659332b2b69b97b8e26d2082d3964e586d6f1d8ef246e7ab8ed3a1e9f72ad4c97
SHA51217c17f765cead7f0b51b18b4cb32c700eb3974c2bdfc6087d4a3738a6304e21904836c33d1ed0a6e14e097a0ca3fedaf58d1fc4d15733eba3f34981dbd85153f
-
Filesize
1KB
MD560d5a98d0b199ed34e8a3e478c19c1bf
SHA1f8272bc72c95ff9aee2c48accc9cae54561ff105
SHA2569fbad82898076786d475dfa87246a9e5193123e22c6ac56824e621df970e6583
SHA5122df764d3b48ca255a1a8c2cb9b57b49be7dcf107754cdbb50a9cbb36bc133d09356648aa075fa57dec6f8f33a4c8abdbb011965c98aa94487f14996675ea6510
-
Filesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
Filesize
5KB
MD5f3d49c598885f9715831b13a6d8a085b
SHA19f3164a13429f313a405b83d84b94a5104fef2b9
SHA25679a5ee010cd49fdbd493d564eb128f03030486694b7048c4a1463aa9622c7f23
SHA512f1e2dbc35e393f1cbcf1f586125021b00898322769258553dea6c46ac98bce49410a0b022e236178269e3f938039b9c068e6f857698f4458eb7be891af45d19b
-
Filesize
6KB
MD5785e37162cbd5fd1d44a7287420e209b
SHA1beb63f8ad06b96ea8476dea387c5b4836c2ae049
SHA25663a025041791307f972c80c724c9df8d749ba7c71beb4e8a2512649ed57a685f
SHA512b22c3fb4e428f81dd491b82adceabe57c022529635a88b5fdff45402615686e94a6f50b5ec1c54bd3d15d2fe471f06a8a35689b17c966715263b63312b41cc21
-
Filesize
6KB
MD5e534f9c5610d72fd4f77cc82798cd45a
SHA10d7c2df82f8b69123c0bbe150cb906bfdd628107
SHA256fb7ca293f6b6e6b5a821389ad6525bc6a80e3f78051262b2c4a0e364d13a9779
SHA5128d42d59595996421af4388870dc0a794828bd455065df425804266285849d2303f8015eeaf4b491836c89dc3be488a9f0401d27bc1379084a3f5c50f7660ba51
-
Filesize
1KB
MD5fbc7e511bb61acc153102b2dab173e1f
SHA14189442be0137592464179a3fad3c8b45ba61a45
SHA256d368a8d1d82bfcb0d3f9d3e3e01064033cbc13babee9e27a744fbe777060f95d
SHA5120ee1fca4f7b266079ca5b2d2192fb254e1b3b49fd6f83d798e328f95e7af2c153be09755c202429e0bcd8ee47ea515b1ebb4973a93a93b400ddda0bb18615ca7
-
Filesize
1KB
MD5cceb377af34726982c01fd6a0b6700fe
SHA1cf12a0273f431b655f7013996a61e9f39c6a4eb7
SHA2560a46f91b3c3a1931b413d234133110c363eed5b8637b4c032c016ece6f3270a8
SHA512431f34c99455316d81150c4a3d8d653bbe566df5a6a1fd7c6da4621570d720c5f3bc510b35bd86d76596caa574e6fb22a860a4c4483cc1049930eb2895f4990c
-
Filesize
701B
MD5f91f7cfaafd192ddaa4d72525a4e18b4
SHA1ce3fafef19d3a1357d007529c819cc0d2a5e018c
SHA256ce1e7f996295e97cfb283c3671052058da5802bda3c2a2e1c5add16fc2663701
SHA5129ebce72b4a1c1612af8f539044c31d93c21e4625b548d1e7d6113c034eefae40253d0f2e6b30078a8c430437d1c9a2a5112101d2b05826ff0a3d819d54b94b46
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD5e97bdbbad938c2bb6f3bc86aed4725fd
SHA130a87173eef6d22338bce75a26b9bc829d5d9dd4
SHA256738de07b8c1a4e5d45106d88c3ff61345b0d7b412d993b2b131b34abedbb9aed
SHA512ec22655a755e1e25c01dc26364356210183149eea4e997f4ad84f02dd9b92e6cbb98f1fc7f177cb56460cfbf54f465e6ac94721cedfa9aba9decb744b57fba8d
-
Filesize
11KB
MD5d36aee8e22a89acb55fd01aa9e6fb05e
SHA104549570b1c7d8e8acac6e01594c2e85f30da7de
SHA25663fb5e9c5bb619ed3ee02d46a34dcf361f1f285466e75178bef2f0ff9b01f117
SHA512df978c2170524162f3b1a141a0d937181a7bbcb2742a3597f3b697d0bdae2e00218e83bf4e70499cdd5e129638874a5c1d49fa87c17922842c80cf4d4dded407
-
Filesize
11KB
MD52f68529e086c7bd52d98893cf1bf0c5f
SHA130622a6ff6b6fab5237cc00a171d51f7b102f542
SHA25692ee2a14b7eeb435e14b89a061b36668baafc03a2fc3bbb1f396b92ad610fb57
SHA51220ec3d9dfced76e776736b8ff34e81bcced063906f116bd4e689bfbc8fa1077e62f7eab35f50f0517a6b92da284d1cb13713892b7d77ed15e67f72284580aaa0
-
Filesize
11KB
MD52b0b55bf8cebaa1e3811bf82fb5f7ffd
SHA124e303436f68cfc8367310907403fb94605d49f8
SHA256547fcd7e0c3e330d68bbafc6c76a8ee273b054ec5c8e1fe605d762adfe97ccc9
SHA512efa71befe2ca64645d46beb98a2ab49497c716b17965a30f08c6ec3be2038256a6ad9b0428c00363ea24e315b7a568ad1780e476fbd0999f934068dba513241b
-
Filesize
11KB
MD5c11cb8f13f961e691dbceb21bedc6715
SHA1e747d1e45de5d95aa08db22ea55d72720a5dfd1e
SHA256859963e68c86b75e71be553fd89211dedea38a2444b983ad590644c3785fd79f
SHA512a36c711a436f0ab766b32b62d600b9f24ef1d2409d6d6dd043785ecb027ab10cff58642d05520ff35416a8d7d3dabe9c79b7578795b5fe4003d4032b0c6fbe3d
-
Filesize
186B
MD5990d99c434c0c514096104c6ed1425f9
SHA1d752f0b5f6d0bcdc4c7dc52b767d219ef5c6316c
SHA2564125ebdaa6bb0200b5c44734ac0c6ca88b2b3f5f6f86b574ff5ad2ac19bbb496
SHA512d812771f4f314f260b3887954af9b88273b622227618bd19bc309fdb9e851c612c28e401fe474d1c4c8c1a64bd29098cdec29b3c4c39c207eb6bc702b5f580c7
-
Filesize
625B
MD5f5e5434b2f457843b30e6c9de6bf7acd
SHA12648b3bc1fe3c04ca44e060f638d4def6341465b
SHA256cf57f9bf5be2a9db0530ae88a71edd27ad338de96545c75ba258a016980b19dd
SHA512ec848d21e13e9c616d92689adc7d34d505813e033a375c6b1114463dc8c26cf964ce759c8e525a77df679b622cab7789e3ae3a7c8c862ddec12a2407a62069d5