Analysis
-
max time kernel
50s -
max time network
55s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
03-09-2024 18:02
General
-
Target
https://drive.google.com/drive/folders/1OfIvMJQ4I6f2Ltflq3zVIj7TloqDtJ2b?usp=sharing
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of FindShellTrayWindow 33 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/1OfIvMJQ4I6f2Ltflq3zVIj7TloqDtJ2b?usp=sharing1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe26cb46f8,0x7ffe26cb4708,0x7ffe26cb47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2280,18157486427479158897,3894674351014982344,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2440 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2280,18157486427479158897,3894674351014982344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2280,18157486427479158897,3894674351014982344,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,18157486427479158897,3894674351014982344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,18157486427479158897,3894674351014982344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2280,18157486427479158897,3894674351014982344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2280,18157486427479158897,3894674351014982344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,18157486427479158897,3894674351014982344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,18157486427479158897,3894674351014982344,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,18157486427479158897,3894674351014982344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,18157486427479158897,3894674351014982344,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2280,18157486427479158897,3894674351014982344,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5588 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,18157486427479158897,3894674351014982344,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2280,18157486427479158897,3894674351014982344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5e4f80e7950cbd3bb11257d2000cb885e
SHA110ac643904d539042d8f7aa4a312b13ec2106035
SHA2561184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124
SHA5122b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0
-
Filesize
152B
MD52dc1a9f2f3f8c3cfe51bb29b078166c5
SHA1eaf3c3dad3c8dc6f18dc3e055b415da78b704402
SHA256dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa
SHA512682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25
-
Filesize
1KB
MD508e907a5a100f5d60be56294cb46b5cd
SHA1583e4df5b2021543845afff7b91adeb00acd0af6
SHA25646137b99cc6f80e3ba95a9738fb2a07ef5a05036a78c3065c34305d0076b228c
SHA512bf1ff45a2649db3175b7c6d14ee86b688db290345740180382ae7543bff0d0eee8f6d78d8c33ec99c00035bd117ea58827583383b0b6e9af3a1957e82ee2f73a
-
Filesize
5KB
MD5469e1856426d3fdac35f6228032656fa
SHA1f97d59c337869717910cc3cf35767fd23e01b560
SHA256fa619ec84094c70bd62f1eee798505e4b48d56c8b5bc4dabfb4a34fcfb175e4e
SHA5121ab4db00ce7b5bee708ec94b737165a472a865261033f22eae8777cb687a6f579d3b77daa67bca04b1bd64d53c5a8c13ccacc7591f30f22683952c60f44bc774
-
Filesize
6KB
MD52ea742c4bf52f265c1b080c6e9d70c5a
SHA1a821201455aa0827f902e5b6937d753a70c9ea9b
SHA2562a1eefaaee278d7c5e57e53b03050ba1c0e322b7fc8aabd05d504224af60410c
SHA51209e2a74bfad56d5ecb6896a0904f9d374c3fdb76ae0cfea6abb3c1fb32a71841d8746d0aafcf1d962b575fadd938aab14b16346d3622e578f0e94ebcb5f3af2e
-
Filesize
6KB
MD57d69762ad0fee2ec7c44e6e61c0f39ed
SHA177c722faa6ab63ad50e178819fc9fd015f75348a
SHA256b06a832c2c5e14261dab0f06eb7566c2e446d60ebbb0f37414bf736cd862d372
SHA51252660a3df11d1f622bac1f21de723b7e5e511b882f57c361d0edc9bd31e6deb05ca0890663670e0a3aad1ee2ba873b3d226aa7cfee8f51a1d030401495c271e0
-
Filesize
1KB
MD57aca23080d1a28110c24cafa2769be44
SHA1d8416a5bd5da7aa4f4df4c44cb3474e37d408a6d
SHA256af1bf9932d815ac970f78f7c9f0ef5dbb68620fc56316b8234d72f4ab2298e37
SHA51273d0214100d6642a08cce0e70a55059948db43eb015a7294a708cabe9df83d1c1d385e18fc0d83fb78c6eaf4ad22202529d3c05cb97d2c28183c539a43715437
-
Filesize
1KB
MD5b388ce2c59b925eb4672a8f07c43aece
SHA1c13f8d853a240138ccab6aecbd7cc92451596475
SHA2568c1d4cdc699be5f5d51bb89e321bd233514d51cdc149adb93dc032d5bf2f9d3b
SHA51268ae335db6c7671a2578137c580504c023bd18fa4be39de33974f7172069f049473137b0d8d8eca2d8cbb4425b29db5cd7acd1963c5c0dc43f7e1818960cbdf7
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5d5732b1b6bcdfa9bb5a515cef200a44a
SHA1f1fa6f20e86cd683768d4d337e8e2e1c8399b860
SHA2568acd4d17206ae6d06a1cc9c81e76a6a4c10392d1800fae086dd9c20986f039ef
SHA5129285a4b86741f441c4c60d5b8b5f7036ec645eea3945b298efa8bd2fe208719217ebf30411e1d0e3e751c6a3b8ce41ca44c8e4489b06eb694ad6f4e94fc7bab2
-
Filesize
10KB
MD5524d3145ffb98f8da1b25f040912b3da
SHA1f4ae5977ea21a60545126c168862e88ce871c02a
SHA256189c9a1c33fcd8fbdd230533d115f7216512860dbadbec1a8d3aa79a82d0f5a8
SHA512a6b8d8f1edf9dce3986024d195bd288818dd8ffd3f100529886da6c33e6ccd9be997c9730c5016ec38a923250e6cd95365bd1bdcb45c1d4664bee80067f40d1f
-
Filesize
1.4MB
MD53b0c3ff14053122a16568f3500cf4475
SHA1c850a1855cd360de66eb500274e3e1d39932e909
SHA25601f4420e977299db07ce9b0182f69bbd97aae999ed3e36b00b8941a9ad47225f
SHA512575a9ef1e195744c308ac37a60d55ce9157ace7ca2fdd8fc7303a5d9f8f806e936139a720e6c0f5e022abf22bcf924003c5bdc7e2d10c0ebcdf16858bb137342