hxxps://drive[.]google[.]com/file/d/1_KH-GaCiRg6cZNGyYBob3vgReWSAB5rO/view?usp=drive_link

Analysis

max time kernel
14s
max time network
18s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06-09-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1_KH-GaCiRg6cZNGyYBob3vgReWSAB5rO/view?usp=drive_link

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
4	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3364	msedge.exe
3364	msedge.exe
3680	msedge.exe
3680	msedge.exe
1496	identity_helper.exe
1496	identity_helper.exe
1840	msedge.exe
1840	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 1684	3680	msedge.exe	80
PID 3680 wrote to memory of 1684	3680	msedge.exe	80
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3640	3680	msedge.exe	82
PID 3680 wrote to memory of 3364	3680	msedge.exe	83
PID 3680 wrote to memory of 3364	3680	msedge.exe	83
PID 3680 wrote to memory of 3736	3680	msedge.exe	84
PID 3680 wrote to memory of 3736	3680	msedge.exe	84
PID 3680 wrote to memory of 3736	3680	msedge.exe	84
PID 3680 wrote to memory of 3736	3680	msedge.exe	84
PID 3680 wrote to memory of 3736	3680	msedge.exe	84
PID 3680 wrote to memory of 3736	3680	msedge.exe	84
PID 3680 wrote to memory of 3736	3680	msedge.exe	84
PID 3680 wrote to memory of 3736	3680	msedge.exe	84
PID 3680 wrote to memory of 3736	3680	msedge.exe	84
PID 3680 wrote to memory of 3736	3680	msedge.exe	84
PID 3680 wrote to memory of 3736	3680	msedge.exe	84
PID 3680 wrote to memory of 3736	3680	msedge.exe	84
PID 3680 wrote to memory of 3736	3680	msedge.exe	84
PID 3680 wrote to memory of 3736	3680	msedge.exe	84
PID 3680 wrote to memory of 3736	3680	msedge.exe	84
PID 3680 wrote to memory of 3736	3680	msedge.exe	84
PID 3680 wrote to memory of 3736	3680	msedge.exe	84
PID 3680 wrote to memory of 3736	3680	msedge.exe	84
PID 3680 wrote to memory of 3736	3680	msedge.exe	84
PID 3680 wrote to memory of 3736	3680	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1_KH-GaCiRg6cZNGyYBob3vgReWSAB5rO/view?usp=drive_link
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff917773cb8,0x7ff917773cc8,0x7ff917773cd8
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,15226950632321079673,3445038597732957260,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,15226950632321079673,3445038597732957260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,15226950632321079673,3445038597732957260,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15226950632321079673,3445038597732957260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15226950632321079673,3445038597732957260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,15226950632321079673,3445038597732957260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4140 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15226950632321079673,3445038597732957260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15226950632321079673,3445038597732957260,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,15226950632321079673,3445038597732957260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15226950632321079673,3445038597732957260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15226950632321079673,3445038597732957260,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:4600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d30a5618854b9da7bcfc03aeb0a594c4

SHA1
7f37105d7e5b1ecb270726915956c2271116eab7

SHA256
3494c446aa3cb038f1d920b26910b7fe1f4286db78cb3f203ad02cb93889c1a8

SHA512
efd488fcd1729017a596ddd2950bff07d5a11140cba56ff8e0c62ef62827b35c22857bc4f5f5ea11ccc2e1394c0b3ee8651df62a25e66710f320e7a2cf4d1a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
03a56f81ee69dd9727832df26709a1c9

SHA1
ab6754cc9ebd922ef3c37b7e84ff20e250cfde3b

SHA256
65d97e83b315d9140f3922b278d08352809f955e2a714fedfaea6283a5300e53

SHA512
e9915f11e74c1bcf7f80d1bcdc8175df820af30f223a17c0fe11b6808e5a400550dcbe59b64346b7741c7c77735abefaf2c988753e11d086000522a05a0f7781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
d838a859ca7a068b80dad7d1c2c6bf59

SHA1
629b7a15f9db587c8a19002e02f0f369c42b1202

SHA256
b5864aaa1b20b0e739a468edbc25f84c243b26a286967a04b18110d958ecca01

SHA512
b03efed92aadfc225e3f0cbdc32ff15ee325d2fcc7b7619e21c8e8e9a6f3df96556511c2a9018e60fca9ccdf8a1d9e8407bac0696258037565e371d9ece5f4a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d93c7f748dd7b018f32c9d07107d3107

SHA1
aa217a3b9d626dfa80731b05ec48babc633386d6

SHA256
c5a5387a80d64ea827175bd3de1e394797f276b7271c8641d8f9ca71f06fb0ff

SHA512
04a2720fa8d76256709fac277820edbfea3b4e97f2e7bb7b25396eb8c30a90dafdff35ad0ff58b529c91f7c92ce78bb6957a467f861d64c426153a94da612bbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4d95361f9b1c21e17a7c8848ba44991a

SHA1
e3344932ec59dd1158f73be87b013f25f2555f19

SHA256
173533ba62ac4bbb19990d9ca174147764d860f2e5dae1a602a752085e5357b9

SHA512
8cff4c874f8b9c6d4caae32740d8707dbfa1047bc900edef8d49d2bff5294fb99dd33e97c1dceb39606cb88d446e1e94cb7aac69a99c181837cb30eafb5ba39a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d0958089ad880aae893c6e4ffd2bac09

SHA1
d023c01cb92f4a2e7c29692adf412dd1d99c6d75

SHA256
0de673f5b80cbb73a02a2ce7021885dd9908de1b6a7bcf6dbbdcf9e422074175

SHA512
29cf07d7bbae33f5da3666bee17eaeaf1abe5a90d0d979b6982facdd43dae53b19703d74f67283ff7a68f2a3805bf307d660eb3acd14b348b5fa94cc1ff8aec9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
201B

MD5
17def780c33e6c56cf719e5a8bdb4d38

SHA1
585355da81ee19490f2b60d3f5585961c5838efc

SHA256
18ee0dea71c4d5542f5cc2296e5cd7a2e0e25580f9e35e8be56a8413627fcfc3

SHA512
6ee3a450c337bdd76a7ba304def35e05e64a921c79ff57eb7f4c365d53aa8564ff7a61f385b48aedc489b13457bf47db7d7fcdf5ad8ef65b494798557513be27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e0fa.TMP

Filesize
201B

MD5
7b5370395b8939d894fe4e7298cf0b64

SHA1
780b6d6cc3c05a367562cdfcb6682e62b8e51e40

SHA256
51890c4261181050f26a72372cbbfc341498e91cac487ece7abce6dab567e03c

SHA512
020b0ec98854de98ff0866e80e45f740798e036a3ecb9f1d59413fea69e44cb09682d8ad69061526619a0bc12c3f7aa7c442d88dca4c8c3c6f7f05823e4a4226

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f61a3c71-0a2d-4009-8c7a-44ba79e946ca.tmp

Filesize
5KB

MD5
28eebddc1993a5a6cf3a52e748022985

SHA1
967710eaf7e1b23a57245009ad7104f62f7ea4c8

SHA256
10166083285f83ae6e7d1faef7e16fd0343c5ea94cb765ee1237a9c419fd4109

SHA512
bc0a27655a0ef8059b7771601af4c47dece9a888b6af252e5668fb7b3152371f287533543bff249efe4e48a24b719db76f5dba8f3ae317f33c49c437fd1234ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d20689a2e120df8b06d18a4a941a1612

SHA1
df680c8d2a2f00aec4f15c99ee933db2973ead21

SHA256
148d1082f78716a67b51dc174f589328fa550c9d3453627afad8fa00c7ad3736

SHA512
07f2ea73770847e9d8e5193a207d1347f2877f672d986c1a713e27bdc0781af770cdd3d1e93e933a6ed5d1cf16563a002b60b465b45016fdcb2370c8665926ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4d31cdb03eab9dcb06fe16c856c42136

SHA1
710af56f20eadccb0ece331e2db0288f4a07fd46

SHA256
4f315d804040a477a954b86d05d095351141044aa2f725edc39bcb0c65f794e5

SHA512
934395ff0c097e3f1e0ed9ef15482432a5c94577e50bb8f9fc7664286021c46ba1b0b5443546e7648f386f212436a87544ea089f81bd2aa478dbd5afc2279b2a

Download Submit