hxxps://drive[.]google[.]com/file/d/1aH9OnULo1hMtFrueWYh4PsJ_0DoRO7n3/view?usp=drivesdk

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-09-2024 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1aH9OnULo1hMtFrueWYh4PsJ_0DoRO7n3/view?usp=drivesdk

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
9	drive.google.com
10	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3116	msedge.exe
3116	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 2248	4448	msedge.exe	83
PID 4448 wrote to memory of 2248	4448	msedge.exe	83
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3164	4448	msedge.exe	84
PID 4448 wrote to memory of 3116	4448	msedge.exe	85
PID 4448 wrote to memory of 3116	4448	msedge.exe	85
PID 4448 wrote to memory of 4400	4448	msedge.exe	86
PID 4448 wrote to memory of 4400	4448	msedge.exe	86
PID 4448 wrote to memory of 4400	4448	msedge.exe	86
PID 4448 wrote to memory of 4400	4448	msedge.exe	86
PID 4448 wrote to memory of 4400	4448	msedge.exe	86
PID 4448 wrote to memory of 4400	4448	msedge.exe	86
PID 4448 wrote to memory of 4400	4448	msedge.exe	86
PID 4448 wrote to memory of 4400	4448	msedge.exe	86
PID 4448 wrote to memory of 4400	4448	msedge.exe	86
PID 4448 wrote to memory of 4400	4448	msedge.exe	86
PID 4448 wrote to memory of 4400	4448	msedge.exe	86
PID 4448 wrote to memory of 4400	4448	msedge.exe	86
PID 4448 wrote to memory of 4400	4448	msedge.exe	86
PID 4448 wrote to memory of 4400	4448	msedge.exe	86
PID 4448 wrote to memory of 4400	4448	msedge.exe	86
PID 4448 wrote to memory of 4400	4448	msedge.exe	86
PID 4448 wrote to memory of 4400	4448	msedge.exe	86
PID 4448 wrote to memory of 4400	4448	msedge.exe	86
PID 4448 wrote to memory of 4400	4448	msedge.exe	86
PID 4448 wrote to memory of 4400	4448	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1aH9OnULo1hMtFrueWYh4PsJ_0DoRO7n3/view?usp=drivesdk
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffda94d46f8,0x7ffda94d4708,0x7ffda94d4718
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,10237042793492725514,11381888686247675428,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1984 /prefetch:2
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,10237042793492725514,11381888686247675428,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,10237042793492725514,11381888686247675428,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,10237042793492725514,11381888686247675428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,10237042793492725514,11381888686247675428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,10237042793492725514,11381888686247675428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,10237042793492725514,11381888686247675428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,10237042793492725514,11381888686247675428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,10237042793492725514,11381888686247675428,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\84a3c75c-63ed-48ba-bbc5-9c7727c83a9d.tmp

Filesize
3KB

MD5
135a5d742a01a4f79654db8acdc66e1b

SHA1
df273b360759841ab89338e903b32e6e9f2d66d1

SHA256
aeb2fe8594525eefb75d28253cbb7b0d6b5f6bb035a7cdd3a95f66c13121c62b

SHA512
008b21dac23a1641c9752636fe93ca180eaae57a177c01fc168b42018bc45de419e626081cab52a7469bc484dd8870bb32b470adec5f018005271f160d77b866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
f78fcf51c399504228e9dd1109428dee

SHA1
edb388622b52ee5c821349233697406b5ed476eb

SHA256
f43202871c7c421f75c535ab766379a601a5442f62f0aab29572cda49bc7c26a

SHA512
e709cb2fc093158c517817c64cc062c55a19a9d8045267f4a81098a8523d5fdf8516873d3b17d56b7a48532b8c253f0f5986492087389320327b144b739f2659

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
5caa27a0893345056a6948ae68e0cdf1

SHA1
8307769fec26fe2f0ffeaa4f7904dfed280e7917

SHA256
86d9481f3a4b99e974c53f3ba7ecfbb3e01164e0723dbb11db2d49cfd31421f4

SHA512
c51e4b856b55deaf6d988f5173da5ac5a676c767ad35b4dce15a50b3d3468b17958959100de2efaffb2960a9c86b276fc9a0ced5204d371b3d46cf5e5197f16e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b422f5301eb97912b88c239b6c972ee1

SHA1
4755ea408759293ad72bfdaecf0e03a699a6555e

SHA256
87a1bb53923c06da0fcc7d995f527295bb0fb2b14ab74777743ded5c25a78aa2

SHA512
9621d7e68b690df4d806d47b2eca49fb861306e233350fbec21a6d25584ed0892ea3bd04171b21eedb37bcfdccdee481673386e9ba233aaaac2b3254ffee1bec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cedf08604bd7bb10ee990671b6d57997

SHA1
f61502e7a1b4280c80f8506b6ba5fcce7c877074

SHA256
11c908c6bc110b4a05959eb3222df6e1c527129aa21c67aa49c32106430c6d49

SHA512
f5f0f78742b88336264327186bbd422a1d5d14b7a91124a449eeea8aa23cea28fd9537abc49451836e7ccec488bcf6ddc67aaa1cc6cdfd3711ba9e50d67598e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7e7fa7277b1fc22a17ee8a81d15b1c4a

SHA1
2efe42ad206cccb320c409e3e2d941ffcec079f8

SHA256
819b99e16a265a5fe389f474f50f684f5cf17351b1019192b3424c8964eaa3b9

SHA512
1ed600a57a07acac0509447b6046daec5fc04cdf2b6907034f263f9293593389103201aeb90af2fbd8d2f35bc7a0fd19ef0737d20f396a6182649021eb209658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
96d4a0ddd37dde48bc65772b39596525

SHA1
df7b12da15f2e78d859a320ee7c985ee821989d4

SHA256
8fce63e9e1f906b4e5cd2a7be6316d6f18a21ab009d437bc19b7a6c7bc7151f4

SHA512
91920be4e5185adbf7681c67ccd5c8a29ada9e710eabd85a98e7b9c95caa81222fea8d3429d0c32b3c64afefe3b2e13a58a71f4451111c8f2cc442769bd4a401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4e5ba970c8abc50347548344177f2335

SHA1
7ab22f5edf07b9711fd68db92f2a8d4596a2e845

SHA256
a36def74c813184e41b61697920baac5e2b218dd6e606472e7f458d721e9035a

SHA512
995e16b807beec90df95881c1863b128a4d7662ea4284643bedc3ce6d24a01b86ef3fc01f1e2f5eefd3e4f76bd6e54ae7de454d5445ec1bc4f92c19d98246ea8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5802d9.TMP

Filesize
204B

MD5
6f919f30f909c6f9823ff9694483acc0

SHA1
8c74cfa501f71fe8c0d0d97683d335ebe3af66af

SHA256
3c667e23dcd9ec638761405262ee0cfed0aa1a8c0b41eac7263d08c932ab0d17

SHA512
a16d0c1ab54b13c41728fd66c7e141d32d5416d3a53c45fd05e452f4e21974ff709a3399d5b78bcc476547c5b2fc29ea424e3827861efce96aea74c7c4cfdbd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6bb4fef18f3f26ce94ca1e8a91db3476

SHA1
18a0b9d43ad89ab7f84cd8e4a31fd3287710089c

SHA256
a7574f12c7ca81952d7134dc17dc1eff052c2c5d9537b46e054e33d582d18f87

SHA512
c2d3e4c07ae41072232fcff81b47bd6d3e2d641cdb5c09db1f8e7230a6b5043065ac77c1a5a112481ef9919bc0212787f7893735c915cbd1bad778be57e495ad

Download Submit