hxxps://docs[.]google[.]com/presentation/d/1kBGV7_6Cfu4nbAfJWqR-5LXVIXIrJv3vsq_EHYbtiYw/pub

Analysis

max time kernel
15s
max time network
21s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05-09-2024 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://docs.google.com/presentation/d/1kBGV7_6Cfu4nbAfJWqR-5LXVIXIrJv3vsq_EHYbtiYw/pub

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1964	msedge.exe
1964	msedge.exe
1768	msedge.exe
1768	msedge.exe
4956	msedge.exe
4956	msedge.exe
2288	identity_helper.exe
2288	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe
1768	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1032	1768	msedge.exe	78
PID 1768 wrote to memory of 1032	1768	msedge.exe	78
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 4100	1768	msedge.exe	79
PID 1768 wrote to memory of 1964	1768	msedge.exe	80
PID 1768 wrote to memory of 1964	1768	msedge.exe	80
PID 1768 wrote to memory of 3500	1768	msedge.exe	81
PID 1768 wrote to memory of 3500	1768	msedge.exe	81
PID 1768 wrote to memory of 3500	1768	msedge.exe	81
PID 1768 wrote to memory of 3500	1768	msedge.exe	81
PID 1768 wrote to memory of 3500	1768	msedge.exe	81
PID 1768 wrote to memory of 3500	1768	msedge.exe	81
PID 1768 wrote to memory of 3500	1768	msedge.exe	81
PID 1768 wrote to memory of 3500	1768	msedge.exe	81
PID 1768 wrote to memory of 3500	1768	msedge.exe	81
PID 1768 wrote to memory of 3500	1768	msedge.exe	81
PID 1768 wrote to memory of 3500	1768	msedge.exe	81
PID 1768 wrote to memory of 3500	1768	msedge.exe	81
PID 1768 wrote to memory of 3500	1768	msedge.exe	81
PID 1768 wrote to memory of 3500	1768	msedge.exe	81
PID 1768 wrote to memory of 3500	1768	msedge.exe	81
PID 1768 wrote to memory of 3500	1768	msedge.exe	81
PID 1768 wrote to memory of 3500	1768	msedge.exe	81
PID 1768 wrote to memory of 3500	1768	msedge.exe	81
PID 1768 wrote to memory of 3500	1768	msedge.exe	81
PID 1768 wrote to memory of 3500	1768	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://docs.google.com/presentation/d/1kBGV7_6Cfu4nbAfJWqR-5LXVIXIrJv3vsq_EHYbtiYw/pub
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0x48,0x10c,0x7ffe1fd13cb8,0x7ffe1fd13cc8,0x7ffe1fd13cd8
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,1315299920322574879,18410209942432918218,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,1315299920322574879,18410209942432918218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,1315299920322574879,18410209942432918218,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:8
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1315299920322574879,18410209942432918218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1315299920322574879,18410209942432918218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,1315299920322574879,18410209942432918218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2936 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1315299920322574879,18410209942432918218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,1315299920322574879,18410209942432918218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c3889d3f0d2246f800c495aec7c3f7c

SHA1
dd38e6bf74617bfcf9d6cceff2f746a094114220

SHA256
0a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4

SHA512
2d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c4a10f6df4922438ca68ada540730100

SHA1
4c7bfbe3e2358a28bf5b024c4be485fa6773629e

SHA256
f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02

SHA512
b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
f71c6bc96ef979c8ba2a75d3d6bfcf44

SHA1
450bcb9c5a5fddfdc128719732c78f9bb8e5e090

SHA256
27aab225357768fcb559f59e110d2cb87115b7d14da6677e7e37f30cd9eed51c

SHA512
3b4dd4875935600b026f7adf3a87cd48721d38ea64fc5c0a6d24f4b9f8ba060838d7e7de9877ab8f7582bdb8ee829904453f2983c4dee15517bb632c31f1d26b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8e9b38260a389d8502a82d9e88c3abe1

SHA1
66bfe38f9cd2ed15cf9703679a69be64ff9beea4

SHA256
4ada9a0bd6a229f2134673e005b780f170ac191db1825b13d210ffc391459ffd

SHA512
8ac5c81d0c702bc69d62b3c85deb021ea4b478238bb255b79d18eb7fd0175a20aace6c8ec806faae7a06de2d1bfa5c74dba1d12df24789bd389cfa3f18e02c9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9d5e1c64946155dea26ea7141a6f9af2

SHA1
1fefa409158b3fe8577a39cc48b91457bfdff0a2

SHA256
311a060d933c6c994a397f691167ba5323ae1aeb1dbf4035182d4d2271e04ce7

SHA512
77be969e63d8754499f122942e39a38707a016a2df04552a7149829f2fa4019e606bac1dbebee527291255f2616491bbefd6dfaee30e15a1ccf3dd3afaef34dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2846a597a2276b39f4439ef59b5cd6be

SHA1
1c59bda2ba31a163b0ea31b151c36a2abe4b5c71

SHA256
0d320756a90de14758ff3bbf217b3d3fed8a8cc679cb98e8dfb34d79214cbbdc

SHA512
46aafd807d86e9c2618ce5e005d18e5dfa07a723fedab6b5a141255b214fda7851b1b9b9786333ba7d65ee802d677854469b87456e32d4b773de95f0a324cd01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aa055bd49906fde84271d4d737170ae8

SHA1
2e146a0347809f6ade2f8e7b53e696cd5dcba331

SHA256
635c859d7b1f02a03b963fb51ebdf9164f94e7f15b0a3b827c3b175acd8bc5bc

SHA512
600187f8f2bd37c96cc97b05212c425091c66afb4bb50ba5d960af8622224cc68ebd7542b4e7ab691e7c6278c830d42a97dc8d74a356cc139a586f522d950c3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e00929cf003ea0b5e6ddbcf00ddc3b6d

SHA1
f0f4bbf2c98a5f7c462ad4598c34dec139d06d72

SHA256
3915e65a370c8ee7e59d25e44d0d3f44159cedf3cd35107d12ade01360581cfb

SHA512
9a257f79af0a3fbb3c78116199c8efba702e1e16c3867768d8350fb6e845655608aa1d24bb4110c870d79c185ad824bbd4f9806777cdfcffc9a28fc23f7aa2b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ee7685dea05d6d53b3bf98a7e1c4592d

SHA1
00dfdd6fee8fde30c15b049a9b2ef3bb3a255487

SHA256
de9457ffdf9c14c08353128d5d230ec7435e4600657765716108b7df69982dda

SHA512
ca1d4844d5aeaed4c2d35fe6b7b81d914d67e1d81c94fc40b487a66fbd09ba351b0f87806ad12743fe8c4d3cb7be1c6cdc272c72f4df376852734c64a0725711

Download Submit